CompTIA Linux+ XK0-005 (XK0-005) — Questions 151–225

510 questions total · 7 pages · All types, answers revealed

Page 3 of 7

151
Multi-Select · medium

Which THREE are best practices for securing a Linux server? (Choose exactly three.)

Select 3 answers
A. Use a host-based firewall
B. Keep software up to date
C. Enable root SSH login with password
D. Disable unnecessary services
E. Set default umask to 0777
Answers: A, B, D

Controls network access to the server.

Why this answer

A host-based firewall (e.g., iptables, nftables, or firewalld) controls incoming and outgoing traffic at the server level, enforcing least-privilege network access. By default, it can block all traffic except explicitly allowed services (e.g., SSH on port 22, HTTPS on port 443), reducing the attack surface. This is a fundamental security control to prevent unauthorized network connections.

Exam trap

CompTIA often tests the misconception that a umask of 0777 is secure because it 'blocks everything.' In reality, umask subtracts permissions, so 0777 removes all permissions from newly created files, which is not a best practice and can cause operational issues. The trap is confusing umask subtraction with direct permission setting.

152
MCQ · easy

The sysadmin receives the error shown in the exhibit. What is the most likely fix?

A. Add a readiness probe to the container.
B. Change the image tag to :latest.
C. Remove the requests section.
D. Add limits to the resources section.
Answer: D

The error explicitly requires limits to be specified.

Why this answer

The error indicates the container was killed due to an Out Of Memory (OOM) condition. Adding limits to the resources section constrains the container's memory usage, preventing it from exceeding the node's capacity and being terminated by the kernel OOM killer.

Exam trap

The trap here is that candidates confuse resource requests (which guarantee minimum resources) with limits (which cap usage), and mistakenly think removing requests or adding probes will fix an OOM error, when only a memory limit prevents the container from exhausting node memory.

How to eliminate wrong answers

Option A is wrong because a readiness probe checks if a container is ready to serve traffic, not memory limits; it does not prevent OOM kills. Option B is wrong because changing the image tag to :latest does not affect resource constraints and may introduce untested versions, but does not fix memory exhaustion. Option C is wrong because removing the requests section removes the minimum resource guarantee but does not cap memory usage; without limits, the container can still consume all available memory and be OOM-killed.

153
MCQ · easy

An administrator wants to use Ansible to ensure that the `httpd` package is installed on all managed nodes. Which Ansible module should be used?

A. copy
B. command
C. yum
D. service
Answer: C

The yum module installs, removes, or upgrades packages using the yum package manager.

Why this answer

The `yum` module is the correct choice because it is a dedicated Ansible module for managing packages on Red Hat-based systems using the YUM package manager. It ensures the `httpd` package is installed by setting the `state: present` parameter, and it handles idempotency by checking the package status before making changes.

Exam trap

The trap here is that candidates may confuse the `service` module (which manages service state) with package installation, or mistakenly think the `command` module is acceptable for package management despite its lack of idempotency and error handling.

How to eliminate wrong answers

Option A is wrong because the `copy` module is used to copy files from the local machine to remote nodes, not to install packages. Option B is wrong because the `command` module runs arbitrary commands but lacks idempotency and package-specific features, making it error-prone for package management. Option D is wrong because the `service` module manages the state of services (e.g., started, stopped), not the installation of packages.

154
MCQ · hard

A container started with the above Compose configuration fails to set the system time (clock_settime syscall). Which additional capability is required?

A. SYS_NICE
B. SYS_TIME
C. SYS_RESOURCE
D. SYS_CLOCK
Answer: B

Required for changing the system clock.

Why this answer

The `clock_settime` syscall requires the `SYS_TIME` capability to modify the system clock. In Docker Compose, capabilities are added via the `cap_add` directive, and without `SYS_TIME`, the container lacks the privilege to change the system time, resulting in a failure.

Exam trap

CompTIA often tests the distinction between `SYS_TIME` and the non-existent `SYS_CLOCK` to trap candidates who assume a capability name must match the syscall name exactly.

How to eliminate wrong answers

Option A is wrong because `SYS_NICE` allows changing process priority and scheduling, not system time. Option C is wrong because `SYS_RESOURCE` controls resource limits (e.g., ulimit overrides), not clock operations. Option D is wrong because `SYS_CLOCK` is not a valid Linux capability; the correct capability for clock operations is `SYS_TIME`.

155
MCQ · easy

A Linux administrator needs to automate daily database backups and ensure the job runs even if the system is rebooted. Which approach should be used?

A. Schedule the backup using the at command.
B. Add a cron job in /etc/crontab.
C. Create a systemd timer unit that triggers a service.
D. Use anacron to run the job daily.
Answer: C

Timers can catch up after reboot.

Why this answer

A systemd timer unit is the correct approach because it can be configured to trigger a service unit (e.g., a backup script) on a daily schedule, and systemd ensures that timers persist across reboots and will catch up on missed runs if the system was down. This provides reliable, dependency-aware scheduling integrated with the init system, unlike cron which may miss jobs during downtime.

Exam trap

The trap here is that candidates often default to cron (option B) for recurring tasks, but the requirement 'even if the system is rebooted' specifically tests knowledge of systemd timers' persistent and catch-up capabilities, which cron lacks.

How to eliminate wrong answers

Option A is wrong because the `at` command schedules a one-time job, not a recurring daily task, and does not automatically re-run after a reboot. Option B is wrong because a cron job in /etc/crontab runs only when the system is powered on at the scheduled time; if the system is rebooted or down during that time, the job is missed entirely without catch-up logic. Option D is wrong because anacron is designed for systems that are not running 24/7, but it does not integrate with systemd's service management and is not the recommended modern approach for ensuring a job runs after a reboot on a systemd-based Linux distribution.

156
Multi-Select · hard

A system administrator is troubleshooting why a user cannot execute a script in their home directory. Which THREE conditions could prevent execution? (Choose three.)

Select 3 answers
A. The script is owned by a different user
B. The user's umask is set to 022
C. The script does not have the execute permission set for the user
D. The filesystem containing the script is mounted with the noexec option
E. The script is interpreted by a shell that is not listed in /etc/shells
Answers: C, D, E

Without execute permission, the script cannot be run.

Why this answer

Option C is correct because for a user to execute a script, the file must have the execute permission bit set for that user (or for the group or others, depending on the user's relationship to the file). Without the execute permission (e.g., `chmod +x`), the shell will refuse to run the script directly, returning a 'Permission denied' error.

Exam trap

CompTIA often tests the misconception that file ownership alone blocks execution, when in fact execute permissions and mount options are the primary blockers, and that `/etc/shells` is irrelevant to direct script execution unless combined with a restricted shell environment.

157
Multi-Select · easy

A container produces a large amount of log output to stdout. Which TWO methods effectively manage log size in a production environment?

Select 2 answers
A. Use docker logs --tail 100 to limit output
B. Configure journald limits for container logging
C. Use a bind mount to redirect logs to /dev/null
D. Configure the application inside the container to log to a file
E. Set the --log-opt max-size=10m when running the container
Answers: B, E

Journald can be configured to cap log storage for containers.

Why this answer

Option B is correct because journald can be configured to limit the size of log data it stores, including container logs that are sent to the journal. In a production environment, setting `SystemMaxUse=` or `MaxRetentionSec=` in `/etc/systemd/journald.conf` prevents unbounded log growth. Option E is correct because Docker's `--log-opt max-size=10m` truncates the container's log file when it reaches 10 MB, rotating it automatically, which directly manages log size at the container runtime level.

Exam trap

The trap here is that candidates confuse `docker logs --tail` (a display filter) with actual log size management, or assume that redirecting logs to `/dev/null` is a valid production strategy, when in fact it destroys forensic data and violates operational best practices.

158
MCQ · hard

A Linux administrator is writing a Bash script to automate the backup of a database. The script must run a pre-backup command, check its exit status, and if successful, proceed with the backup; otherwise, log an error and exit. Which code snippet correctly implements this logic?

A. `set -e; pre_backup_cmd; backup_cmd`
B. `pre_backup_cmd && backup_cmd || echo 'Error' >&2`
C. `pre_backup_cmd; if [ $? -ne 0 ]; then echo 'Error' >&2; exit 1; fi; backup_cmd`
D. `(pre_backup_cmd; if [ $? -ne 0 ]; then echo 'Error' >&2; exit 1; fi) && backup_cmd`
Answer: C

This correctly captures the exit status of the pre_backup_cmd and handles failure before proceeding.

Why this answer

Option C correctly runs the pre-backup command, then checks its exit status with `$?`. If the exit status is not zero (indicating failure), it logs an error to stderr and exits with code 1. Only if the pre-backup command succeeds does the script proceed to the backup command.

This matches the requirement exactly: check exit status, log error on failure, and exit.

Exam trap

The trap here is that candidates often choose option B because they think `&&` and `||` provide equivalent conditional logic, but they overlook that the `||` will also catch failures from the backup command itself, not just the pre-backup command, violating the requirement.

How to eliminate wrong answers

Option A is wrong because `set -e` causes the script to exit immediately on any command failure, but it does not log an error message before exiting, nor does it allow conditional logic to proceed with backup only on success. Option B is wrong because the `||` after `backup_cmd` will also trigger the error logging if `backup_cmd` itself fails, even if `pre_backup_cmd` succeeded — this does not match the requirement to only log an error when the pre-backup command fails. Option D is wrong because the subshell `( ... )` runs the pre-backup command and error handling inside a child shell; if the pre-backup command fails, the `exit 1` inside the subshell only exits the subshell, not the main script, and the `&& backup_cmd` will not run, but the main script continues without exiting — failing to meet the requirement to exit the script on pre-backup failure.

159
MCQ · easy

A junior administrator is asked to automate the backup of a configuration file every night at 11 PM. The script /usr/local/bin/backup.sh already exists. Which command should the administrator run to schedule this task?

A. systemctl start backup.timer
B. at 23:00 /usr/local/bin/backup.sh
C. echo "0 23 * * * /usr/local/bin/backup.sh" | crontab -
D. nohup /usr/local/bin/backup.sh &
Answer: C

Correct. This appends a cron job entry to the crontab, scheduling the script to run daily at 23:00.

Why this answer

Option C is correct because the `crontab -` command reads from standard input and installs the cron job. The line `0 23 * * * /usr/local/bin/backup.sh` specifies that the script should run at 23:00 (11 PM) every day, matching the requirement exactly. This is the standard method for scheduling recurring tasks in Linux using cron.

Exam trap

The trap here is that candidates often confuse `at` (for one-time tasks) with `cron` (for recurring tasks), or assume `systemctl start` can create a timer on the fly without a pre-existing timer unit file.

How to eliminate wrong answers

Option A is wrong because `systemctl start backup.timer` would start a systemd timer unit, but no such timer has been defined or enabled; this command does not create a new schedule and would fail if the timer unit does not exist. Option B is wrong because the `at` command is used for one-time scheduled tasks, not recurring nightly backups; `at 23:00` would schedule the script to run only once at the next 11 PM, not every night. Option D is wrong because `nohup` runs the script in the background with immunity to hangups, but it does not schedule the task for a future time; it executes immediately and exits.

160
MCQ · medium

A user is able to ping the Linux server but cannot connect via SSH. The SSH service is running and listening. Which configuration file should the administrator review FIRST?

A. /etc/pam.d/login
B. /etc/ssh/sshd_config
C. /etc/nsswitch.conf
D. /etc/hosts.allow
Answer: B

Contains authentication methods and other critical settings.

Why this answer

The correct answer is B because the SSH service is running and listening, but the user cannot connect. This points to a configuration issue within the SSH daemon itself. The `/etc/ssh/sshd_config` file controls SSH server settings such as allowed authentication methods, port numbers, and user access restrictions (e.g., `AllowUsers`, `DenyUsers`, `PermitRootLogin`).

Reviewing this file first is the logical step to identify why connections are being rejected despite the service being active.

Exam trap

The trap here is that candidates often jump to `/etc/hosts.allow` or PAM files because they associate 'cannot connect' with access control or authentication, but the question specifies the service is running and listening, which narrows the issue to SSH-specific configuration in `sshd_config`.

How to eliminate wrong answers

Option A is wrong because `/etc/pam.d/login` is used for local console login authentication via PAM, not for SSH connections; SSH uses its own PAM service file (e.g., `/etc/pam.d/sshd`) if PAM is enabled. Option C is wrong because `/etc/nsswitch.conf` controls name service resolution order (e.g., files, DNS, LDAP) and does not affect SSH connectivity or authentication. Option D is wrong because `/etc/hosts.allow` is part of the TCP Wrappers system (libwrap), which is deprecated and not used by modern SSH daemons; SSH typically does not consult this file unless explicitly compiled with libwrap support, which is rare in current distributions.

161
MCQ · medium

A Linux server is configured to allow SSH access for remote administration. The security team wants to limit SSH access to only users in the 'ssh-users' group. Which configuration should be added to /etc/ssh/sshd_config?

A. AllowUsers ssh-users
B. AllowGroups ssh-users
C. DenyUsers root
D. PermitRootLogin yes
Answer: B

AllowGroups restricts SSH to group members.

Why this answer

Option B is correct because the AllowGroups directive in /etc/ssh/sshd_config restricts SSH logins to only those users who are members of the specified group. By setting 'AllowGroups ssh-users', only users belonging to the 'ssh-users' group will be permitted to authenticate via SSH, directly fulfilling the security team's requirement.

Exam trap

The trap here is that candidates confuse AllowUsers (which takes usernames) with AllowGroups (which takes group names), leading them to incorrectly select option A thinking it will filter by group membership.

How to eliminate wrong answers

Option A is wrong because AllowUsers expects a list of usernames, not a group name; 'AllowUsers ssh-users' would attempt to match a user literally named 'ssh-users', not members of the group. Option C is wrong because 'DenyUsers root' only blocks the root user from SSH access, but does nothing to limit access to only users in the 'ssh-users' group. Option D is wrong because 'PermitRootLogin yes' controls whether root can log in via SSH, not which users or groups are allowed; it is irrelevant to restricting access to a specific group.

162
MCQ · hard

A Linux administrator is writing a script that must wait for a background process to finish before continuing. The process ID is stored in a variable. Which command should be used to wait for this process?

A. sleep 10
B. wait
C. wait $PID
D. kill -0 $PID
Answer: C

Waits for specific process.

Why this answer

Option C is correct because the `wait` command in Bash, when given a specific process ID (PID), suspends execution of the calling shell script until that background process terminates. This directly fulfills the requirement to wait for a specific background process whose PID is stored in a variable.

Exam trap

CompTIA often tests the distinction between `wait` (which waits for process completion) and `kill -0` (which only checks process existence), leading candidates to mistakenly choose `kill -0` as a waiting mechanism.

How to eliminate wrong answers

Option A is wrong because `sleep 10` simply pauses execution for a fixed 10 seconds, regardless of whether the background process has finished, and does not use the stored PID. Option B is wrong because `wait` without arguments waits for all background processes to finish, not a specific process identified by the PID variable. Option D is wrong because `kill -0 $PID` only checks whether a process with that PID exists and is accessible, sending no signal; it does not wait for the process to complete.

163
MCQ · easy

A security engineer needs to verify the authenticity of a downloaded file using its detached GPG signature (file.sig). Which command should be used?

A. gpg --sign file
B. gpg --list-keys
C. gpg --verify file.sig
D. gpg --decrypt file.gpg
Answer: C

This command verifies the detached signature file.sig against the original file (file).

Why this answer

The `gpg --verify file.sig` command is used to verify the authenticity of a file using its detached GPG signature. The detached signature file (file.sig) contains the cryptographic signature, and GPG checks it against the original file (which must be present in the same directory with the same base name) using the signer's public key from the local keyring. This confirms that the file was signed by the holder of the corresponding private key and has not been tampered with.

Exam trap

CompTIA often tests the distinction between detached signatures and embedded signatures, where candidates mistakenly think `--verify` requires the original file as an argument, but GPG automatically infers it from the signature filename.

How to eliminate wrong answers

Option A is wrong because `gpg --sign file` creates a new signature for the file, not verify an existing one. Option B is wrong because `gpg --list-keys` lists public keys in the keyring but does not perform any verification. Option D is wrong because `gpg --decrypt file.gpg` decrypts an encrypted file, not verify a detached signature.

164
MCQ · medium

A user reports that a custom application service fails to start with a 'Permission denied' error in the logs. The service runs under the 'appuser' account. Which is the most likely cause and the first step to diagnose?

A. The root password is incorrect; change root password with passwd.
B. SELinux is blocking the service; check journalctl for AVC denials and use restorecon or setsebool.
C. The service binary does not have execute permission for appuser; use chmod +x.
D. The systemd target is not set to multi-user; run systemctl set-default multi-user.target.
Answer: B

SELinux often causes 'Permission denied' and journalctl shows the denial message.

Why this answer

Option B is correct because SELinux denials are a common cause of permission errors for services; journalctl can reveal the SELinux denial message. Option A is wrong because the root password does not affect service startup. Option C is wrong because file permissions might be an issue, but SELinux is more likely with a service. Option D is wrong because systemd targets are for runlevel, not file access.

165
MCQ · medium

A user reports that a recently installed application fails to start. The application was installed via a shell script that added a repository and installed the package. The user runs 'ldd /usr/bin/app' and sees several 'not found' libraries. Which of the following is the MOST likely cause?

A. The installation script did not install all required dependencies.
B. The kernel version is outdated.
C. SELinux is blocking the application.
D. The file system is corrupted.
Answer: A

The 'not found' libraries indicate missing dependencies, which can occur if the script failed to install all required packages.

Why this answer

The `ldd` command lists shared library dependencies for a binary. When it reports 'not found' libraries, it means the dynamic linker cannot locate the required `.so` files. Since the application was installed via a shell script that added a repository and installed the package, the most likely cause is that the script failed to install all required dependencies, leaving the binary unable to resolve its shared library links.

Exam trap

The trap here is that candidates may confuse library resolution failures with permission or security issues (like SELinux), but `ldd` output directly points to missing files, not access control.

How to eliminate wrong answers

Option B is wrong because an outdated kernel version would not cause specific shared libraries to be missing; it might cause system call incompatibilities, but `ldd` would still find the libraries if they were installed. Option C is wrong because SELinux blocks access based on security contexts, not by making libraries disappear from the filesystem; `ldd` would still resolve the libraries, though execution might be denied. Option D is wrong because file system corruption would likely cause broader system issues or error messages beyond just missing libraries in `ldd` output, and `ldd` would typically report I/O errors or file not found for the binary itself, not specific library dependencies.

166
MCQ · easy

A system administrator needs to restrict SSH access to a Linux server to only users in the 'sshusers' group. Which configuration change achieves this?

A. Add 'DenyUsers *' to /etc/ssh/sshd_config
B. Set 'PermitRootLogin no' in /etc/ssh/sshd_config
C. Add 'AllowGroups sshusers' to /etc/ssh/sshd_config
D. Add 'AllowUsers sshusers' to /etc/ssh/sshd_config
Answer: C

AllowGroups restricts SSH access to members of the specified group.

Why this answer

Option C is correct because the 'AllowGroups' directive in /etc/ssh/sshd_config restricts SSH access to only users who are members of the specified group. When set to 'AllowGroups sshusers', only users belonging to the 'sshusers' group will be permitted to log in via SSH, effectively blocking all others. This is the standard method for group-based access control in OpenSSH.

Exam trap

CompTIA often tests the distinction between 'AllowUsers' (which expects usernames) and 'AllowGroups' (which expects group names), leading candidates to incorrectly choose 'AllowUsers sshusers' thinking it applies to the group rather than a user literal.

How to eliminate wrong answers

Option A is wrong because 'DenyUsers *' denies all users by name, but it does not consider group membership; it would block everyone including root and any user, which is overly restrictive and not the intended group-based restriction. Option B is wrong because 'PermitRootLogin no' only disables root login via SSH, but does nothing to restrict access for other users or enforce group-based access control. Option D is wrong because 'AllowUsers sshusers' expects a list of usernames, not a group name; it would attempt to match a user literally named 'sshusers', which does not exist, effectively denying all users but for the wrong reason and without group-based logic.

167
MCQ · easy

The /home partition is nearly full. The administrator wants to increase the size of the home filesystem. Which action should be taken first?

A. Unmount the /home filesystem
B. Use resize2fs on /dev/mapper/vg-home
C. Use lvextend to extend the logical volume
D. Add a new disk to the volume group
Answer: A

Unmounting ensures no writes occur during the resize process, minimizing risk of data corruption.

Why this answer

Option A is correct. For safety, the filesystem should be unmounted before extending the logical volume and resizing the filesystem. Options B and C are steps after unmounting.

Option D is unnecessary unless there is no free space in the volume group.

168
MCQ · hard

Refer to the exhibit. A web server is experiencing performance issues. Based on the process list shown, which action should the administrator take first?

A. Increase the PID limit in /proc/sys/kernel/pid_max.
B. Kill the parent process of the zombie (PID 1234).
C. Identify and restart the parent process to clean up the zombie.
D. Terminate the zombie process with SIGKILL.
Answer: C

The zombie's parent (PID 1234 - httpd master) should reap it. Restarting the master process will clean orphans.

169
MCQ · easy

A Linux administrator needs to find large log files that may be consuming disk space. Which command should be used to locate files larger than 100MB in the /var/log directory?

A. df -h
B. ls -lR /var/log
C. find /var/log -type f -size +100M
D. du -sh /var/log/*
Answer: C

Correct: Finds files larger than 100MB.

Why this answer

The `find` command with `-type f` (regular files) and `-size +100M` (files larger than 100 megabytes) is the correct tool to locate large log files in /var/log. This directly meets the requirement to find files by size, unlike other commands that only show disk usage or directory listings without size filtering.

Exam trap

The trap here is that candidates often confuse `du` (disk usage of directories) or `df` (filesystem free space) with `find`'s file-size filtering, leading them to choose options that show aggregate usage rather than locating individual large files.

How to eliminate wrong answers

Option A is wrong because `df -h` reports filesystem-level disk usage (e.g., total, used, available space on mounted partitions), not individual file sizes. Option B is wrong because `ls -lR /var/log` recursively lists all files and directories with details but does not filter by size, requiring manual inspection to find large files. Option D is wrong because `du -sh /var/log/*` shows the total disk usage of each top-level item in /var/log, but it does not filter for files larger than 100MB and may miss files nested deeper in subdirectories.

170
MCQ · easy

An administrator needs to add a script to be executed daily. The script is placed at /etc/cron.daily/myscript. After placing the script, it does not run. Based on the exhibit, what is the most likely issue?

A. The script is owned by the wrong user
B. The cron daemon is not running
C. The script is not executable
D. The script is not listed in /etc/crontab
E. Anacron is not installed
Answer: C

Scripts must have execute permission to be run by run-parts.

Why this answer

Option C is correct because scripts in /etc/cron.daily must be executable. The exhibit shows the existing scripts have execute permission, so the new script likely does not. Option D is wrong because cron.daily runs from the system crontab and does not require an entry in /etc/crontab.

Option E is wrong because anacron is used for missed runs, but cron.daily still executes. A missing run-parts is also unlikely because run-parts is used to execute the scripts, so missing it would affect all of them, not just one. Option A is wrong because the script should be owned by root like the others.

171
Multi-Select · hard

Which TWO commands can be used to immediately synchronize the system time with an NTP server, even if the time difference is large? (Choose two.)

Select 2 answers
A. chronyd -q
B. systemctl restart ntp
C. timedatectl set-ntp true
D. ntpd -g
E. ntpdate pool.ntp.org
Answers: D, E

ntpd -g allows a large time correction on startup.

Why this answer

ntpd -g and ntpdate both can perform a large time step. ntpd -g allows ntpd to ignore the panic threshold once. ntpdate does a one-time sync. timedatectl set-ntp true enables the NTP service but does not force an immediate sync. chronyd can be used but -q or -n options are not equivalent to immediate sync. systemctl restart ntp restarts the service but does not force sync.

172
MCQ · easy

Refer to the exhibit. A Linux administrator runs the netstat command to check listening services. The output shows that services are listening on ports 22, 80, and 443. Which of the following conclusions is correct based on the exhibit?

A. The Apache HTTP server is running and listening on both port 80 and port 443
B. The HTTP server is only listening on the loopback interface
C. A firewall is blocking incoming connections to port 443
D. The SSH daemon is configured to listen on a non-standard port
Answer: A

The exhibit shows httpd (Apache) listening on ports 80 and 443.

Why this answer

The netstat output shows services listening on ports 80 and 443, which are the standard ports for HTTP and HTTPS respectively. Apache HTTP server is the most common service that listens on both these ports simultaneously. The fact that both ports are listed as listening indicates that Apache (or another web server) is bound to these ports and ready to accept connections.

Exam trap

CompTIA often tests the distinction between a service listening on a port and a firewall blocking traffic to that port; candidates mistakenly think a listening service means traffic is reaching it, but netstat only shows the socket state, not firewall rules.

How to eliminate wrong answers

Option B is wrong because the netstat output does not show the listening address as 127.0.0.1 or ::1; it shows 0.0.0.0 or a specific IP, meaning it listens on all interfaces, not just loopback. Option C is wrong because netstat shows the service as listening on port 443; a firewall blocking incoming connections would not prevent the service from listening, it would only block inbound packets from reaching the listening socket. Option D is wrong because SSH daemon (sshd) by default listens on port 22, which is the standard port, not a non-standard one.

173
MCQ · hard

Based on the exhibit, what is the most likely cause of the sshd service failure?

A. The firewall is blocking port 22
B. The sshd configuration file has incorrect permissions
C. The sshd service is not installed
D. Another process is already listening on port 22
Answer: D

Error message directly indicates address already in use.

Why this answer

The sshd service failed because another process is already listening on port 22, which prevents sshd from binding to that port. This is indicated by the error message in the exhibit (e.g., 'bind: Address already in use'), which is a common symptom when a conflicting service or a previously running instance of sshd occupies the port. The system cannot start a new instance of sshd until the port is freed.

Exam trap

The trap here is that candidates often assume a firewall or permission issue is the cause, but the specific 'Address already in use' error directly points to a port conflict, which is a distinct and common scenario on Linux systems.

How to eliminate wrong answers

Option A is wrong because the firewall blocking port 22 would cause connection timeouts or 'No route to host' errors, not a failure of the sshd service to start; the service would still bind successfully. Option B is wrong because incorrect permissions on the sshd configuration file (e.g., /etc/ssh/sshd_config) would typically cause a 'Bad permissions' error during startup, not a port binding failure. Option C is wrong because if sshd were not installed, the system would report 'Unit sshd.service not found' or 'command not found', not a port conflict error.

174
MCQ hard

Refer to the exhibit. The service fails to start with the error 'Failed to start My Service: Unit not found'. What is the most likely cause?

A. The User specified does not exist.
B. The service file is not in the correct directory.
C. The network target is not reached.
D. The ExecStart script is missing.
Answer: B

Unit files must be placed in /etc/systemd/system/ or /lib/systemd/system/ to be recognized.

Why this answer

The error 'Unit not found' indicates that systemd cannot locate the service unit file. Systemd service files must be placed in specific directories such as /etc/systemd/system/ or /usr/lib/systemd/system/. If the file is in the wrong directory, systemd will not recognize the unit, causing the 'Unit not found' error.

Option B correctly identifies this as the most likely cause.

Exam trap

CompTIA often tests the distinction between 'unit not found' (file location issue) and 'command not found' or 'exec format error' (missing executable or script), leading candidates to incorrectly choose the missing ExecStart script option.

How to eliminate wrong answers

Option A is wrong because a non-existent User would cause a different error, such as 'Failed to determine user credentials' or 'User 'xxx' not found', not 'Unit not found'. Option C is wrong because the network target not being reached would result in a dependency failure or timeout, not a 'Unit not found' error. Option D is wrong because a missing ExecStart script would produce an error like 'Exec format error' or 'No such file or directory' when the service attempts to start, not a failure to find the unit itself.

175
MCQ easy

A server is experiencing high CPU load. The administrator needs to identify which process is consuming the most CPU resources in real time. Which command should be used?

A. w
B. vmstat
C. uptime
D. ps aux --sort=-%cpu
E. top
Answer: E

top provides real-time process CPU usage.

Why this answer

Option E is correct because the `top` command provides a real-time, dynamic view of running processes, sorted by CPU usage by default. Option D is wrong because `ps aux --sort=-%cpu` shows a static snapshot sorted by CPU, not real-time. Option C is wrong because `uptime` only shows system load averages.

Option A is wrong because `w` shows who is logged in and what they are doing, not per-process CPU. Option B is wrong because `vmstat` reports system processes, memory, paging, block IO, traps, and CPU activity but not per-process details.

176
MCQ hard

An Apache web server (httpd) is serving content from a custom directory /webapps/company. The root directory is labeled with the default_t context, causing httpd to be denied access. Which command should the administrator use to persistently relabel the directory for httpd access?

A. restorecon -v /webapps/company
B. chcon -t httpd_sys_content_t /webapps/company
C. setsebool -P httpd_read_user_content on
D. semanage fcontext -a -t httpd_sys_content_t '/webapps/company(/.*)?'
Answer: D

This sets the persistent default SELinux type for the directory and its contents.

Why this answer

Option D is correct because `semanage fcontext` modifies the SELinux file context policy persistently, and the regex `/webapps/company(/.*)?` ensures the rule applies to the directory and all its contents. This is necessary because `restorecon` (option A) only applies the default context from the policy, which is `default_t` for this custom path, and `chcon` (option B) is non-persistent and will be overwritten by a file system relabel. The `setsebool` (option C) controls a boolean for user content, not the file context of a custom directory.

Exam trap

The trap here is that candidates confuse `chcon` (immediate but non-persistent) with `semanage fcontext` (persistent via policy), or they incorrectly assume `restorecon` can change the context to a non-default type when it only restores the type defined in the policy.

How to eliminate wrong answers

Option A is wrong because `restorecon -v /webapps/company` would reset the context to the default `default_t` type, which is the very context causing the denial, not the `httpd_sys_content_t` type needed for Apache access. Option B is wrong because `chcon -t httpd_sys_content_t /webapps/company` changes the context immediately but is not persistent; it will be reverted to the policy default after a file system relabel or `restorecon` run. Option C is wrong because `setsebool -P httpd_read_user_content on` enables a boolean that allows httpd to read user home directories (typically `/home/*/public_html`), not a custom directory like `/webapps/company`.

177
MCQ easy

A Linux administrator discovers that a user's home directory contains a file with setuid bit set, owned by root. The file is not part of any authorized software. What is the most appropriate immediate action?

A. Move the file to /tmp for further analysis
B. Delete the file immediately to remove the threat
C. Change the file owner to the user with 'chown user:user <file>'
D. Remove the setuid bit with 'chmod u-s <file>'
Answer: D

This removes the setuid bit, preventing privilege escalation, while preserving the file.

Why this answer

Option D is correct because the immediate priority is to neutralize the unauthorized setuid root binary, which poses a privilege escalation risk. Removing the setuid bit with 'chmod u-s' disables the ability for any user to execute the file with root privileges, containing the threat without destroying evidence that may be needed for forensic analysis. This aligns with security best practices of preserving artifacts while mitigating active risks.

Exam trap

The trap here is that candidates often choose deletion (Option B) as the 'obvious' fix, overlooking the forensic value of the file and the fact that removing the setuid bit is a less destructive and equally effective containment measure.

How to eliminate wrong answers

Option A is wrong because moving the file to /tmp does not remove the setuid bit; the file would retain its setuid root capability in /tmp, still allowing privilege escalation. Option B is wrong because deleting the file immediately destroys potential forensic evidence (e.g., timestamps, contents, metadata) that could be critical for understanding the breach or attacker's methods. Option C is wrong because changing the owner to the user does not remove the setuid bit; the file would still execute with the new owner's privileges, which could be the user themselves, failing to eliminate the privilege escalation vector.

178
MCQ easy

An administrator wants to verify which RPM packages are installed on a Red Hat Enterprise Linux system. Which command displays that information?

A. dpkg -l
B. apt list --installed
C. rpm -qa
D. yum list installed
Answer: C

rpm -qa queries all installed RPM packages.

Why this answer

rpm -qa lists all installed RPM packages. dpkg is for Debian. yum and apt are package managers that can list packages but rpm is the base tool. In Linux+, rpm -qa is the most direct answer.

179
MCQ hard

A developer reports that a Docker container on a CentOS 7 host cannot connect to the internet. The host itself can access the internet. The container is started with default bridge network. The administrator checks iptables and sees the FORWARD policy is DROP. What is the most likely cause and solution?

A. The container needs to be run with --network host.
B. The container's DNS configuration is incorrect.
C. Add iptables rules to allow forwarding and enable masquerading.
D. AppArmor is blocking outbound connections.
Answer: C

Docker manages iptables, but if the FORWARD policy is DROP without proper rules, container traffic is blocked. Adding rules or restarting Docker restores connectivity.

Why this answer

The default Docker bridge network relies on iptables NAT (masquerading) and FORWARD rules to allow containers to reach external networks. When the FORWARD policy is set to DROP, the host drops all forwarded packets from the container, blocking outbound internet access. Adding iptables rules to allow forwarding (e.g., `-A FORWARD -i docker0 -j ACCEPT`) and enabling masquerading (e.g., `-t nat -A POSTROUTING -s 172.17.0.0/16 -o eth0 -j MASQUERADE`) restores connectivity.

Exam trap

The trap here is that candidates may assume DNS or network mode is the issue, but the explicit mention of the FORWARD policy being DROP directly points to a missing iptables forwarding rule, which is a classic Linux networking troubleshooting scenario.

How to eliminate wrong answers

Option A is wrong because `--network host` bypasses Docker's network isolation and uses the host's network stack directly, which is unnecessary and reduces security; the issue is specifically with the default bridge and iptables forwarding, not the network mode. Option B is wrong because DNS configuration affects name resolution, not raw IP connectivity; the container cannot reach any external IP, indicating a packet forwarding problem rather than a DNS issue. Option D is wrong because AppArmor is a Linux Security Module (LSM) that confines programs via profiles, but it does not manage network forwarding or iptables policies; CentOS 7 uses SELinux by default, not AppArmor, and the symptom points to iptables, not mandatory access control.

180
Multi-Select medium

Which TWO statements are true regarding the use of Ansible for automation? (Choose TWO.)

Select 2 answers
A. Ansible requires a dedicated master server to manage nodes.
B. Ansible playbooks are written in YAML.
C. Ansible is agentless and uses SSH for communication.
D. Ansible uses a pull-based model where nodes fetch configurations from a central server.
E. Ansible modules are written in Ruby.
Answers: B, C

Ansible playbooks are YAML files that define automation tasks.

Why this answer

Option B is correct because Ansible playbooks are written in YAML (YAML Ain't Markup Language), which is a human-readable data serialization standard. YAML allows for simple, declarative syntax to define automation tasks, variables, and handlers, making playbooks easy to write and maintain without requiring programming expertise.

Exam trap

The trap here is that candidates often confuse Ansible's push-based model with pull-based tools like Puppet or Chef, or assume a master server is required because other automation tools use a master-agent architecture.

181
MCQ easy

Based on the exhibit, what best describes the security implication?

A. The SUID bit is set, allowing users to run passwd with root privileges to change their own password.
B. The file is world-writable.
C. The SGID bit is set, allowing users to run passwd with group root.
D. The sticky bit is set, preventing deletion of the file.
Answer: A

The 's' in the user execute position indicates SUID.

Why this answer

The SUID (Set User ID) bit is set on the /usr/bin/passwd file, as indicated by the 's' in the owner's execute position (e.g., -rwsr-xr-x). This allows any user to run the passwd command with the effective UID of the file owner (root), enabling them to change their own password by writing to /etc/shadow, which is otherwise only writable by root. This is a standard security mechanism, not a vulnerability, as the passwd binary is carefully designed to only allow password changes for the invoking user.

Exam trap

CompTIA often tests the distinction between SUID, SGID, and sticky bits by presenting a file listing with an 's' in the owner's execute position and expecting candidates to recognize it as SUID, not confusing it with SGID (which would be in the group position) or the sticky bit (which would be a 't' in the others position).

How to eliminate wrong answers

Option B is wrong because the file permissions shown (e.g., -rwsr-xr-x) indicate the file is not world-writable; the 'w' bit for 'others' is not set. Option C is wrong because the SGID bit is not set; the group execute position shows 'x' (or 's' only if SGID were set), and the group is not 'root' but typically 'shadow' or 'root' depending on the system, but the key point is that the 's' is in the owner's position, not the group's. Option D is wrong because the sticky bit is not set; the sticky bit would appear as a 't' in the 'others' execute position, and it is not present in the given permissions.

182
MCQ medium

A security policy requires that SSH root login be disabled, but key-based authentication for users should remain enabled. Which configuration line should be added to /etc/ssh/sshd_config?

A. PermitEmptyPasswords no
B. PermitRootLogin no
C. PasswordAuthentication yes
D. PermitRootLogin prohibit-password
Answer: D

This disables password authentication for root while allowing key-based login.

Why this answer

The directive `PermitRootLogin prohibit-password` in `/etc/ssh/sshd_config` disables password-based authentication for the root user while still allowing key-based authentication (e.g., SSH public key or GSSAPI). This satisfies the security policy requirement to disable root login via passwords but retain the ability for users (including root) to authenticate using SSH keys.

Exam trap

The trap here is that candidates often confuse `PermitRootLogin no` (which blocks all root SSH access) with `PermitRootLogin prohibit-password` (which only blocks password-based root access), leading them to choose option B when the question explicitly requires key-based authentication to remain enabled.

How to eliminate wrong answers

Option A is wrong because `PermitEmptyPasswords no` only prevents login with empty passwords; it does not disable root login or affect key-based authentication. Option B is wrong because `PermitRootLogin no` completely disables all SSH logins for root, including key-based authentication, which violates the requirement to keep key-based authentication enabled. Option C is wrong because `PasswordAuthentication yes` explicitly enables password authentication for all users, including root, which directly contradicts the policy to disable SSH root login.

183
Drag & Drop medium

Drag and drop the steps to configure a static IP address using the command line in the correct order.

Why this order

Static IP configuration involves editing the network config file and restarting the service to apply changes.

184
MCQ medium

You are managing a containerized microservices environment using Podman. One of the services needs to access a PostgreSQL database running in a separate container. The database container is named 'db' and uses the default bridge network. The application container is launched with the command: podman run -d --name app --network host myapp. The application fails to connect to the database using the hostname 'db'. Which change should you make to resolve the issue?

A. Use a user-defined network and connect both containers
B. Use --link db:db when running app container
C. Set environment variable DB_HOST=localhost
D. Run app container on the same network as db using --network bridge
Answer: A

A user-defined network provides automatic DNS resolution, allowing 'db' to resolve to the database container.

Why this answer

The default bridge network in Podman does not provide automatic DNS resolution between containers by name. When the app container uses `--network host`, it shares the host's network stack and is not connected to any container network, so it cannot resolve the container name 'db'. A user-defined network enables built-in DNS resolution, allowing containers to communicate by name.

Connecting both containers to the same user-defined network resolves the connectivity issue.

Exam trap

CompTIA often tests the misconception that the default bridge network supports automatic DNS resolution by container name, when in reality only user-defined networks provide that feature in both Podman and Docker.

How to eliminate wrong answers

Option B is wrong because `--link` is a legacy Docker feature not supported in Podman; Podman uses DNS-based service discovery on user-defined networks instead. Option C is wrong because setting `DB_HOST=localhost` would point to the host's loopback interface, but the database container is not listening on the host's loopback unless port mapping is explicitly configured, which is not the case here. Option D is wrong because `--network bridge` is the default network mode, but the app container is already using `--network host`, which overrides any other network setting; even if both containers were on the default bridge, they would not be able to resolve each other by name without a user-defined network.

185
Multi-Select hard

Which TWO conditions must be met for a user to successfully delete a file owned by a different user in a directory? (Choose two.)

Select 2 answers
A. The user has write permission on the file
B. The user has write permission on the directory
C. The user has execute permission on the directory
D. The user is the owner of the file
E. The user is a member of the group that owns the directory
Answers: B, C

Write permission on the directory is required to delete entries.

Why this answer

Option B is correct because the user must have write permission on the directory to modify its contents (delete files). Option C is correct because the user must have execute permission on the directory to traverse it. Option A is wrong because file write permission is not required for deletion; directory permissions govern.

Option D is wrong because owning the file is not required; directory permissions override. Option E is wrong because being in the group that owns the directory is not necessary; permissions cover all.

186
Multi-Select medium

A Linux administrator is hardening a server. Which TWO actions are effective in preventing unauthorized access via SSH? (Select TWO.)

Select 2 answers
A. Set PermitRootLogin yes
B. Set PasswordAuthentication yes
C. Disable the SSH service
D. Set PermitRootLogin no in /etc/ssh/sshd_config
E. Set PasswordAuthentication no and use SSH keys
Answers: D, E

Prevents direct root login.

Why this answer

Option D is correct because setting `PermitRootLogin no` in `/etc/ssh/sshd_config` prevents direct root login via SSH, forcing administrators to log in as a regular user and then use `su` or `sudo` for privilege escalation. This reduces the attack surface by eliminating the ability to brute-force the root password directly over SSH.

Exam trap

The trap here is that candidates may think disabling the SSH service (Option C) is a valid hardening step, but the question asks for actions that prevent unauthorized access *via SSH* while still allowing legitimate remote administration.

187
Multi-Select easy

A security administrator needs to verify the SELinux context of files in a directory. Which TWO commands can be used? (Choose two.)

Select 2 answers
A. getenforce
B. ps -Z
C. ls -Z
D. stat -Z
E. chcon
Answers: C, D

Lists files with their SELinux security context.

Why this answer

Options C and D are correct. `ls -Z` displays the SELinux context of files, and `stat -Z` (or `stat` with the appropriate option) also displays the security context. `ps -Z` is for processes, `getenforce` shows the current enforcing mode, and `chcon` changes the context.

188
Multi-Select hard

A Linux administrator needs to implement a cron job that runs a script every day at 2:30 PM. Which TWO cron schedule expressions are equivalent?

Select 2 answers
A. 30 14 * * *
B. 30 2 * * * PM
C. 30 2 * * *
D. 30 2 * * *
E. 30 14 * * *
Answers: A, E

2:30 PM.

Why this answer

In cron syntax, the first field is minute (0-59), the second is hour (0-23) in 24-hour format. 2:30 PM corresponds to hour 14 in 24-hour time. Therefore, '30 14 * * *' correctly specifies the job runs at minute 30 of hour 14 every day. Option A and E are identical and both use the correct 24-hour representation.

Exam trap

CompTIA often tests the 24-hour vs 12-hour clock confusion in cron expressions, where candidates mistakenly use '2' for 2 PM instead of converting to '14'.

189
Matching medium

Match each Linux process signal to its typical action.

Hangup, often reload config

Interrupt from keyboard (Ctrl+C)

Force kill (cannot be caught)

Terminate gracefully

Stop/pause process (cannot be caught)

Why these pairings

Signals are used for inter-process communication.

190
MCQ medium

A sysadmin wants to run a containerized web application using Podman. The container needs to persist data across restarts. Which approach ensures data persistence?

A. Run the container with --restart always.
B. Mount a host directory as a volume using -v.
C. Include the data using COPY in the Dockerfile.
D. Use docker commit to save changes.
Answer: B

Mounting a volume allows data to be stored on the host, surviving container restarts and removal.

Why this answer

Option B is correct because mounting a host directory as a volume using the `-v` flag (e.g., `podman run -v /host/path:/container/path ...`) ensures that data written inside the container is stored on the host filesystem. This data persists independently of the container's lifecycle, surviving container restarts, stops, or even removal. Podman, like Docker, treats volumes as external storage that outlives the container.

Exam trap

The trap here is that candidates confuse container restart policies (like `--restart always`) with data persistence, assuming that keeping the container running automatically preserves its data, when in fact the container's writable layer is ephemeral and lost on removal.

How to eliminate wrong answers

Option A is wrong because `--restart always` only controls the container's restart policy (e.g., after a crash or reboot), but it does not preserve data when the container is removed or its filesystem is replaced; any data written inside the container's writable layer is lost upon container deletion. Option C is wrong because the `COPY` instruction in a Dockerfile bakes data into the container image at build time, making it read-only and immutable; it cannot persist runtime data across restarts or container updates. Option D is wrong because `docker commit` creates a new image from a container's current state, which is a manual, snapshot-based approach that does not provide ongoing persistence; it also requires explicit action and bloats image layers, and is not a standard method for persistent storage in production.

191
MCQ hard

A company runs a critical web application on a Linux server. The server has 16GB RAM and 4 CPU cores. Recently, users have reported intermittent timeouts and slow response times. The administrator logs in and runs 'top', which shows the web server process using 200% CPU (multi-threaded) and 2GB RAM. Free memory is 12GB, and swap usage is 0. The load average is 3.5, 4.0, 4.2. The administrator checks 'dmesg' and sees no OOM or hardware errors. The web server logs show many 'connection refused' errors during peak times. The application is configured to handle up to 500 concurrent connections. The administrator suspects the issue is related to the number of worker processes or threads. Which of the following is the BEST course of action to resolve the issue?

A. Increase the number of worker processes or threads in the web server configuration.
B. Add more CPU cores by migrating to a larger instance.
C. Decrease the number of worker processes to reduce CPU load.
D. Add more RAM to the server.
Answer: A

This directly addresses the connection refused errors by allowing more concurrent connections.

Why this answer

The web server is using 200% CPU (multi-threaded) and has 12GB free RAM with no swap usage, indicating CPU is the bottleneck, not memory. The load average (3.5–4.2) exceeds the 4 CPU cores, meaning the system is overloaded with processes/threads. The 'connection refused' errors during peak times suggest the server is hitting its connection limit (500 concurrent connections) and rejecting new ones.

Increasing worker processes/threads allows the server to handle more concurrent connections, utilizing the available CPU cores more efficiently to reduce timeouts and refusals.

Exam trap

CompTIA often tests the misconception that high CPU usage always means the server needs fewer workers or more hardware, but the real issue here is that the server is rejecting connections because it has too few workers to handle the configured 500 concurrent connections, not because the CPU is overloaded by existing workers.

How to eliminate wrong answers

Option B is wrong because adding more CPU cores does not address the root cause—the web server is already CPU-bound with 200% usage, but the issue is insufficient worker processes to handle peak connections, not a lack of cores; migrating to a larger instance is an expensive and unnecessary overprovisioning. Option C is wrong because decreasing worker processes would reduce the number of concurrent connections the server can handle, worsening the 'connection refused' errors and increasing timeouts. Option D is wrong because 12GB of free RAM and 0 swap usage indicate memory is not a constraint; adding RAM does not resolve the CPU-bound connection handling limit.

192
MCQ medium

An administrator wants to run a script every Monday at 3:00 PM using a systemd timer. Which unit file configuration is correct for the timer?

A. OnCalendar=Mon *-*-* 15:00:00
B. OnCalendar=weekly Monday 15:00
C. ExecStart=/usr/local/bin/script.sh
D. OnCalendar=daily 15:00
Answer: A

Correct syntax for Monday at 3 PM.

Why this answer

Option A is correct because systemd timer units use the `OnCalendar=` directive with a calendar event format that follows `DayOfWeek Year-Month-Day Hour:Minute:Second`. The pattern `Mon *-*-* 15:00:00` specifies every Monday at 15:00:00, where the asterisks act as wildcards for any year, month, and day. This matches the requirement to run a script every Monday at 3:00 PM.

Exam trap

CompTIA often tests the distinction between timer unit directives and service unit directives, and the trap here is that candidates mistakenly think `ExecStart=` belongs in the timer file or confuse the `OnCalendar=` syntax with cron-style or human-readable formats like 'weekly Monday 15:00'.

How to eliminate wrong answers

Option B is wrong because `OnCalendar=weekly Monday 15:00` is not a valid systemd calendar event format; systemd does not accept the keyword 'weekly' combined with a day name and time in that syntax, and the correct format requires a full timestamp with wildcards. Option C is wrong because `ExecStart=` is a directive for service units, not timer units; timer units use `OnCalendar=` or other time-based triggers, and `ExecStart=` would be placed in the corresponding service unit file. Option D is wrong because `OnCalendar=daily 15:00` would run the script every day at 15:00, not specifically on Mondays, failing the requirement for a weekly Monday-only schedule.

193
Multi-Select hard

A Linux administrator needs to configure a service to start automatically after a network connection is established. The service should only run when the network is up, and should stop when the network goes down. Which two systemd unit options should be used? (Choose two.)

Select 2 answers
A. Requires=network.target
B. PartOf=network.service
C. BindsTo=network.target
D. Wants=network.target
E. After=network.target
Answers: C, E

BindsTo ties service lifecycle to network; if network stops, service stops.

Why this answer

After=network.target ensures the service starts after network is configured. BindsTo=network.target ties the service lifecycle to the network target; if network goes down, the service stops. Requires does not imply ordering; Wants is weaker; PartOf is for resource partitioning.

194
MCQ medium

A system is experiencing high CPU usage due to a background process with PID 2345. The administrator wants to reduce the process's priority by 5 without stopping it. Which command should be used?

A. kill -STOP 2345
B. renice -n -5 -p 2345
C. kill -9 2345
D. renice -n +5 -p 2345
Answer: D

Adds 5 to the nice value, lowering the priority.

Why this answer

Option D is correct because 'renice -n +5 -p 2345' increases the nice value by 5, lowering the priority. Option B changes the value to -5, which raises priority; A and C use kill with signals, which would suspend or terminate the process.

195
MCQ medium

An administrator runs the commands shown in the exhibit. The container is accessible via curl using the container IP. However, the administrator cannot access the web server using the host's IP address on port 80. What is the most likely cause?

A. The container's IP address is incorrect.
B. The container's port 80 is not published to the host.
C. Nginx is configured to listen on a different port.
D. The container is not running.
Answer: B

No -p option was used; port is only accessible on the container's network.

Why this answer

Option B is correct because the administrator ran `docker run -d nginx` without the `-p` or `--publish` flag, which means port 80 inside the container is not mapped to any port on the host. The container is accessible via its own IP because Docker networking allows direct container-to-container communication, but the host's IP on port 80 remains unbound, so curl to the host IP fails. Publishing the port with `-p 80:80` would expose the container's port 80 on the host's interface.

Exam trap

The trap here is that candidates assume a running container with a working service is automatically accessible on the host's IP, but Docker requires explicit port publishing to bridge the host network namespace to the container's network namespace.

How to eliminate wrong answers

Option A is wrong because the container's IP address is correct—the administrator can curl the container IP successfully, proving the container is reachable at that address. Option C is wrong because Nginx inside the official nginx container listens on port 80 by default, and the successful curl to the container IP confirms the web server is responding on that port. Option D is wrong because the container is running (the `docker ps` output would show it, and curl to the container IP works), so the issue is not a stopped container.

196
MCQ hard

An administrator needs to set a password expiration policy so that all users must change their password every 90 days. Which command and option accomplishes this for an existing user?

A. usermod -e 90 <username>
B. passwd -x 90 <username>
C. chage -W 90 <username>
D. chage -M 90 <username>
Answer: D

This sets the maximum password age to 90 days; the user must change the password after that period.

Why this answer

Option D is correct. `chage -M` sets the maximum number of days a password is valid. Option B uses an invalid option for passwd. Option A sets the account expiration date.

Option C sets the warning days.

197
MCQ hard

Refer to the exhibit. An administrator attempts to mount all filesystems and receives an error. What is the most likely cause?

A. The /var entry has a wrong filesystem type.
B. The UUID for /var is incorrect in fstab.
C. The /var directory has been deleted or is missing.
D. The /var filesystem is corrupted.
Answer: C

The error 'mount point does not exist' and 'No such file or directory' for /var indicate the directory is missing.

198
MCQ medium

After a system update, a custom application no longer runs due to a shared library error. The library exists on the system but is in a non-standard path. Which environment variable should be checked or set to resolve this?

A. LD_PRELOAD
B. PATH
C. LD_LIBRARY_PATH
D. LD_RUN_PATH
Answer: C

This environment variable tells the dynamic linker where to find libraries.

Why this answer

Option C is correct because the LD_LIBRARY_PATH environment variable tells the dynamic linker (ld.so) where to search for shared libraries before the standard system paths. When a custom application fails with a shared library error after an update, and the library exists in a non-standard path, setting LD_LIBRARY_PATH to include that path resolves the issue by allowing the linker to find the library at runtime.

Exam trap

CompTIA often tests the distinction between LD_LIBRARY_PATH (runtime library search path) and LD_RUN_PATH (link-time RPATH embedding), causing candidates to confuse the two when the question explicitly mentions a runtime error after an update.

How to eliminate wrong answers

Option A is wrong because LD_PRELOAD is used to force the loading of a specific shared library before all others, typically for overriding functions or debugging, not for adding a search path for missing libraries. Option B is wrong because PATH controls the search path for executable binaries, not for shared libraries; it is used by the shell to find commands, not by the dynamic linker. Option D is wrong because LD_RUN_PATH is used at link time (when building the application) to embed a library search path into the binary's RPATH, not at runtime to resolve a missing library after the system update.

199
MCQ · easy

A system administrator is tasked with ensuring that users cannot delete files owned by other users in a shared directory. Which permission should be set on the directory?

A. Apply an ACL
B. Set the sticky bit
C. Set the SGID bit
D. Set the SUID bit
Answer: B

The sticky bit prevents users from deleting files they do not own in the directory.

Why this answer

The sticky bit (chmod +t) on a directory restricts deletion so that only the file owner, the directory owner, or root can remove files, even if the directory has world-writable permissions. This directly prevents users from deleting files owned by others in a shared directory, which is the requirement.

Exam trap

The trap here is that candidates often confuse the sticky bit with SUID or SGID, or think an ACL is required, but the sticky bit is the exact POSIX mechanism designed for shared directory deletion control.

How to eliminate wrong answers

Option A is wrong because an ACL (Access Control List) provides fine-grained permissions for specific users or groups but does not inherently restrict deletion to file owners; it can be configured to do so, but the standard, simplest solution is the sticky bit, not an ACL. Option C is wrong because the SGID bit (setgid) on a directory causes new files to inherit the directory's group, not restrict deletion; it addresses group ownership inheritance, not deletion prevention. Option D is wrong because the SUID bit (setuid) on a directory is ignored on most Unix/Linux systems (it has no effect on directories) and is used on executables to run with the owner's privileges, not to control file deletion.

200
Multi-Select · medium

A Linux engineer needs to ensure a bash script runs with strict error handling. Which TWO of the following should be included? (Choose two.)

Select 2 answers
A. set -o pipefail
B. set -n
C. set -e
D. set -x
E. shopt -s histappend
Answers: A, C

Exit on pipeline failure.

Why this answer

Option A, 'set -o pipefail', is correct because it ensures that if any command in a pipeline fails (returns a non-zero exit status), the entire pipeline's exit status reflects that failure. Without it, only the last command's exit status is considered, which can mask errors in earlier pipeline stages. Option C, 'set -e', is correct because it causes the script to exit immediately upon any command returning a non-zero exit status, preventing silent failures from propagating.

Exam trap

CompTIA often tests the distinction between debugging options (set -x) and error-handling options (set -e, set -o pipefail), leading candidates to mistakenly choose set -x as a strict error-handling mechanism.

201
Multi-Select · medium

Which TWO commands effectively disable a systemd service to prevent it from starting, either automatically or manually? (Select 2.)

Select 2 answers
A. systemctl disable
B. systemctl stop
C. systemctl reset-failed
D. systemctl kill
E. systemctl mask
Answers: A, E

Disable removes the symlink that enables the service at boot, preventing automatic start.

Why this answer

Options A (systemctl disable) and E (systemctl mask) are correct. Disable prevents automatic startup; mask prevents any startup. Stop only halts the current session, kill sends signals, and reset-failed resets the failure state.

202
MCQ · hard

An administrator is configuring a server to act as a router and needs to enable IP forwarding persistently across reboots. Which file should be modified?

A. /etc/network/interfaces
B. /etc/sysctl.conf
C. /etc/rc.local
D. /proc/sys/net/ipv4/ip_forward
Answer: B

Adding net.ipv4.ip_forward=1 here makes it persistent.

Why this answer

The correct file is /etc/sysctl.conf or a file in /etc/sysctl.d/ with the parameter net.ipv4.ip_forward = 1. /proc/sys/net/ipv4/ip_forward is temporary. /etc/network/interfaces is Debian-specific. /etc/rc.local is legacy.

203
Multi-Select · easy

A system administrator needs to identify which processes are consuming the most memory on a Linux server. Which two commands can be used? (Select TWO).

Select 2 answers
A. vmstat
B. ps -aux
C. free -m
D. top
E. df -h
Answers: B, D

Can be sorted by memory usage using --sort=-%mem.

Why this answer

The `ps -aux` command displays all running processes with detailed information, including memory usage (%MEM and RSS). The `top` command provides a real-time, interactive view of processes sorted by memory consumption by default. Both commands directly show per-process memory usage, making them suitable for identifying the most memory-intensive processes.

Exam trap

The trap here is that candidates confuse system-wide memory reporting commands (like `free` or `vmstat`) with per-process memory analysis tools, leading them to select options that show total memory usage rather than identifying which specific processes are consuming it.

204
MCQ · easy

A junior administrator needs to view the logs of a running container named 'webapp'. Which command should be used?

A. docker attach webapp
B. docker logs webapp
C. docker inspect webapp
D. docker stats webapp
Answer: B

Shows logs.

Why this answer

The `docker logs webapp` command retrieves the stdout and stderr output streams from the container's main process, which is the standard way to view logs for a running or stopped container. This is the correct approach because Docker captures these streams and stores them in a JSON file on the host, accessible via the `docker logs` command.

Exam trap

CompTIA often tests the distinction between `docker attach` (interactive session) and `docker logs` (passive log retrieval), trapping candidates who confuse attaching to a container's console with viewing its log history.

How to eliminate wrong answers

Option A is wrong because `docker attach` connects the terminal to the container's main process's stdin/stdout/stderr, which is used for interactive debugging and can block the terminal, not for viewing historical logs. Option C is wrong because `docker inspect` returns detailed metadata about the container (e.g., configuration, network settings, mounts) in JSON format, not the log output. Option D is wrong because `docker stats` displays live resource usage metrics (CPU, memory, network I/O) for running containers, not log content.

205
MCQ · easy

A user cannot start the Apache web service. The command 'systemctl start httpd' returns 'Failed to start httpd.service: Unit not found.' What is the most likely cause?

A. Network configuration is incorrect
B. Incorrect file permissions on /etc/httpd/
C. The httpd package is not installed
D. Disk space is full
Answer: C

Unit not found typically means the service is not installed.

Why this answer

The error 'Failed to start httpd.service: Unit not found' indicates that systemd cannot locate a service unit file for httpd. This most commonly occurs when the httpd package (Apache HTTP Server) is not installed on the system. Without the package, no service unit file exists under /usr/lib/systemd/system/, so systemctl cannot start the service.

Exam trap

The trap here is that candidates may confuse a missing package with a service that is installed but not enabled or has configuration issues, leading them to select options like incorrect permissions or network configuration instead of recognizing the fundamental absence of the service unit.

How to eliminate wrong answers

Option A is wrong because an incorrect network configuration would not cause systemd to report 'Unit not found'; it would typically result in a different error such as a timeout or failure to bind to an address. Option B is wrong because incorrect file permissions on /etc/httpd/ would not prevent systemd from finding the service unit; the unit file is located in /usr/lib/systemd/system/, not in /etc/httpd/. Option D is wrong because a full disk would produce a different error, such as 'No space left on device' or a failure to write logs, not a 'Unit not found' message from systemd.

206
MCQ · hard

Refer to the exhibit. A user cannot access a web server, but another host on the same subnet can. What is the most likely cause?

A. The network router is blocking the user's traffic.
B. The web server is down.
C. DNS is resolving to the wrong IP for the user.
D. The user's workstation has a local firewall blocking outbound HTTPS.
Answer: D

The iptables output shows no rules, but the user's workstation gets 'Connection refused' while another host succeeds, indicating the issue is local to the workstation. A local firewall (e.g., software firewall) might be blocking outbound 443.

207
MCQ · hard

Based on the exhibit, the service has failed. Which of the following is the most appropriate first step to diagnose the cause of the failure?

A. Check if the service is a timer and was triggered
B. Check the script /usr/local/bin/myservice.sh for errors and run it manually
C. Run systemctl daemon-reload to reload unit files
D. Restart the service using systemctl restart myservice.service
E. Run journalctl -u myservice.service to view logs
Answer: B

Directly diagnose the script's failure.

Why this answer

Option B is correct because the service exited with status 1, indicating that the script /usr/local/bin/myservice.sh encountered an error. Checking the script's output or running it manually will reveal the error. Option A is wrong because the service is not a timer. Option C is wrong because reloading the daemon is unnecessary; the unit is already loaded. Option D is wrong because restarting without investigation will likely fail again. Option E is wrong because the process exited, so journalctl for the service will show any output, but the most direct step is to run the script manually.

208
MCQ · hard

A sysadmin runs the command and sees the exhibit output. What is the most likely cause of the db pod's status?

A. The container is out of memory.
B. The node running the pod is unreachable.
C. The pod does not have enough CPU resources.
D. The application inside the container is repeatedly crashing.
Answer: D

CrashLoopBackOff means the container exits with an error and is being restarted repeatedly.

Why this answer

The pod's status shows a high restart count (e.g., 5+ restarts) in the output of `kubectl get pods`, which is the classic indicator of a CrashLoopBackOff state. This occurs when the container's entrypoint process exits repeatedly, causing the container to crash and be restarted by the kubelet, until the back-off delay increases. The most likely cause is that the application inside the container is repeatedly crashing, not a resource or node issue.

Exam trap

The trap here is that candidates often confuse a high restart count with a resource exhaustion issue (OOM or CPU), but the key differentiator is the specific exit code and status message shown in `kubectl describe pod` or `kubectl logs`.

How to eliminate wrong answers

Option A is wrong because an out-of-memory (OOM) condition would typically show an OOMKilled status or an Exit Code 137, not a high restart count with CrashLoopBackOff. Option B is wrong because if the node were unreachable, the pod would show a NodeLost or Unknown status, not a running pod with restarts. Option C is wrong because insufficient CPU resources would result in a ContainerCreating or Pending state due to unschedulable pod, not a running pod that repeatedly crashes.

209
MCQ · medium

A company runs a web application on a Linux server (Ubuntu 22.04). The application writes log files to /var/log/app/access.log and error.log. Over time, these logs have grown to several gigabytes, causing the /var partition to reach 98% capacity. The administrator decides to implement log rotation using logrotate. They create a configuration file at /etc/logrotate.d/app with the following content:

```
/var/log/app/*.log {
    weekly
    rotate 7
    compress
    delaycompress
    size 100M
    missingok
}
```

They then run `logrotate -d /etc/logrotate.d/app` for debugging, which indicates no errors. However, after several days, the logs are not being rotated. Which step should the administrator take to resolve this?

A. Ensure that the logrotate cron job is enabled and that the configuration file is readable (644) and owned by root.
B. Change the ownership of /var/log/app to appuser:appgroup.
C. Run `logrotate -f /etc/logrotate.d/app` to force rotation immediately.
D. Add a cron job to run logrotate hourly.
Answer: A

The cron job may be disabled or the config file may have wrong permissions; these are common pitfalls.

Why this answer

The most likely cause is that the logrotate cron job (typically /etc/cron.daily/logrotate) is not being executed, or the configuration file has incorrect permissions. The administrator should verify that the cron job is enabled and running daily, and that the config file is readable by the cron process (owned by root, permissions 644). Option B is not the root cause; ownership of logs doesn't prevent rotation. Option C only forces a one-time rotation, not a permanent fix. Option D is unnecessary because logrotate runs daily by default.

210
MCQ · medium

A cron job scheduled by the root user is not executing. Which file is the most likely location for the root user's personal cron table?

A. /var/spool/cron/root
B. /var/spool/cron/crontabs
C. /etc/crontab
D. /etc/cron.d
Answer: A

User crontabs are stored in /var/spool/cron/.

Why this answer

User crontabs are stored in /var/spool/cron/ with the username as filename (e.g., /var/spool/cron/root). /etc/crontab is system-wide, /etc/cron.d is for packaged cron jobs, and /var/spool/cron/crontabs is not standard.

211
MCQ · easy

A Linux server is configured to use Pluggable Authentication Modules (PAM). Which file is used to define the authentication order for the 'sshd' service?

A. /etc/authselect/sshd
B. /etc/security/sshd
C. /etc/pam.d/sshd
D. /etc/pam.d/login
Answer: C

This is the correct PAM configuration file for the SSH daemon.

Why this answer

In Linux, PAM configuration files for individual services are stored in /etc/pam.d/, with the filename matching the service name. For the sshd service, the file /etc/pam.d/sshd defines the authentication order, including the modules and their control flags (e.g., required, sufficient) that PAM will consult during SSH login. This is the standard location per the Linux PAM architecture, as documented in the pam.conf man page.

Exam trap

CompTIA often tests the distinction between /etc/pam.d/sshd and /etc/pam.d/login, as candidates may confuse the SSH service file with the general login file, especially since both handle authentication but for different services.

How to eliminate wrong answers

Option A is wrong because /etc/authselect/sshd is not a standard PAM file; authselect is a tool for managing system authentication profiles, but it does not directly define per-service PAM stacks. Option B is wrong because /etc/security/sshd is not a PAM configuration file; the /etc/security/ directory typically contains files like limits.conf or access.conf, not per-service PAM definitions. Option D is wrong because /etc/pam.d/login is the PAM configuration for the login service (used for console or terminal logins), not for the SSH daemon (sshd).

212
MCQ · medium

Refer to the exhibit. The system administrator runs the command 'auditctl -l' and sees the above rules. What is the purpose of these audit rules?

A. To log any changes (write or attribute) to the password, shadow, and group files
B. To log all successful login attempts on the system
C. To log any modifications to the audit configuration itself
D. To log all read accesses to /etc/passwd, /etc/shadow, and /etc/group
Answer: A

The -p wa flag is for write and attribute changes.

Why this answer

The audit rules use the `-w` flag to watch the files `/etc/passwd`, `/etc/shadow`, and `/etc/group` for `wa` (write and attribute change) syscalls. This logs any modification to these critical authentication and authorization files, such as user additions, password changes, or permission changes, which is essential for security monitoring.

Exam trap

The trap here is that candidates confuse the `-p wa` permission (write and attribute) with read access, assuming that watching these files logs all access, when in fact only modifications are recorded.

How to eliminate wrong answers

Option B is wrong because the rules watch for write and attribute changes, not login events; successful logins are typically audited via `-a exit,always -S execve` or `-w /var/log/wtmp -p wa` rules, not by watching these specific files. Option C is wrong because modifications to the audit configuration itself are logged by rules that watch `/etc/audit/audit.rules` or `/etc/audit/rules.d/`, not the password, shadow, and group files. Option D is wrong because the `-p wa` permission only captures write and attribute change operations, not read accesses; to log reads, the permission would need to be `-p r` or `-p rw`.

213
MCQ · hard

A server is unable to resolve hostnames via DNS. The /etc/resolv.conf file appears correct. Which command can be used to test DNS resolution and display the full query path?

A. nslookup example.com
B. host example.com
C. resolvectl query example.com
D. dig +trace example.com
Answer: D

Correct: Traces the full DNS resolution path.

Why this answer

The `dig +trace example.com` command performs a full iterative DNS resolution from the root nameservers down to the authoritative nameservers for the queried domain, displaying each step of the query path. This is the correct choice because the question specifically asks to 'display the full query path,' which `+trace` provides by following referrals step by step, unlike simpler queries that only show the final answer.

Exam trap

The trap here is that candidates often confuse simple DNS lookup tools (like `nslookup` or `host`) with the `dig +trace` option, assuming any DNS query tool can show the full resolution path, but only `dig +trace` explicitly performs and displays each iterative step.

How to eliminate wrong answers

Option A is wrong because `nslookup example.com` performs a recursive query to the configured DNS resolver and only returns the final answer (or an error), not the full query path. Option B is wrong because `host example.com` similarly performs a simple forward lookup and does not trace the iterative resolution steps. Option C is wrong because `resolvectl query example.com` is a systemd-resolved command that queries the local resolver cache or stub resolver, not performing a full trace of the DNS hierarchy.

214
MCQ · medium

A security audit reveals that the /var/log directory has permissions 777. The administrator needs to ensure that only root can write to log files, while still allowing users to read system log files. Which command should the administrator run?

A. chmod 644 /var/log
B. chmod 755 /var/log
C. chmod 700 /var/log
D. chmod 750 /var/log
Answer: B

755 gives owner rwx, group and others rx, allowing read and execute but not write.

Why this answer

Option B is correct because chmod 755 sets the /var/log directory to rwxr-xr-x, meaning root (owner) has full write access, while group and others have read and execute permissions. This allows users to read log files (via execute to traverse the directory) but prevents them from writing, satisfying the audit requirement.

Exam trap

The trap here is that candidates often apply file permission logic to directories, forgetting that directories require the execute bit for access, leading them to choose 644 (which breaks directory traversal) instead of 755.

How to eliminate wrong answers

Option A is wrong because chmod 644 sets permissions to rw-r--r--, which removes the execute bit from the directory, preventing users from listing or accessing files within /var/log (directories require execute to traverse). Option C is wrong because chmod 700 sets permissions to rwx------, which restricts all access to only root, blocking users from reading system log files. Option D is wrong because chmod 750 sets permissions to rwxr-x---, which denies read access to 'others' (non-group users), preventing them from reading log files as required.

215
MCQ · hard

A financial services company runs a critical trading application on a Linux server. The application logs to /var/log/trade/app.log. Recently, the application has been crashing intermittently. The administrator suspects disk space issues. Upon checking, /var/log/trade is on a separate partition with 200 GB capacity, and df -h shows only 10% used. However, the administrator notices that log rotation is not working; the log file has grown to 50 GB and is still being written to. The administrator needs to immediately free up space without stopping the application, and also ensure proper log rotation is configured. Which command sequence should the administrator use?

A. Run 'mv /var/log/trade/app.log /tmp' to move the file, then create a new empty log file, and check with 'df -h'.
B. Run 'logrotate -f /etc/logrotate.conf' to force rotation, then verify with 'df -h'.
C. Run 'systemctl stop trade && rm /var/log/trade/app.log && systemctl start trade' to stop the application, delete the log, and restart.
D. Run '> /var/log/trade/app.log' to truncate the log file, then check with 'df -h'.
Answer: B

Forces log rotation without stopping the application, freeing space.

Why this answer

Option B is correct because 'logrotate -f' forces an immediate log rotation without stopping the application, which frees disk space by compressing or removing the old log file and creating a new empty one. The administrator can then verify the freed space with 'df -h'. This approach solves both the immediate space issue and ensures proper rotation is configured for the future.

Exam trap

CompTIA often tests the misconception that deleting or moving a log file while an application holds an open file handle will immediately free disk space, when in fact the space is only released after the file handle is closed.

How to eliminate wrong answers

Option A is wrong because moving the log file while the application is still writing to it will cause the application to continue writing to the moved file (since the file handle remains open), and the new empty file will not receive logs until the application is restarted or the file handle is released; this does not free space immediately. Option C is wrong because stopping the application to delete the log file violates the requirement to not stop the application, and deleting the file while the application holds an open handle will not free the disk space until the handle is closed (the space remains allocated). Option D is wrong because truncating the file with '> /var/log/trade/app.log' only empties the file content but does not release the disk space immediately on some filesystems (e.g., ext4 with delayed allocation) and may cause the application to lose its write position or crash if it does not handle the truncation gracefully.

216
MCQ · hard

A Linux server in a DMZ is experiencing intermittent SSH lockouts. The /var/log/secure shows repeated failed login attempts from multiple IP addresses, but then suddenly the administrator cannot SSH in even with correct credentials. The administrator suspects a brute-force protection mechanism. The server uses PAM with pam_tally2 for login counting. The administrator checks /etc/pam.d/sshd and sees: auth required pam_tally2.so deny=3 unlock_time=300 onerr=succeed file=/var/log/tallylog. What is the most likely reason the administrator is locked out even after 5 minutes?

A. The SSH server is not configured with UsePAM yes, so pam_tally2 is not applied
B. The tallylog file has incorrect permissions, preventing pam_tally2 from reading the count
C. The root account is not subject to pam_tally2 without the 'even_deny_root' option, so the lockout is from another mechanism
D. The DenyHosts service is running and blocks IPs after too many failures
Answer: C

By default, pam_tally2 excludes root unless even_deny_root is set. The administrator is likely using root, and the lockout is caused by something else like fail2ban or iptables.

Why this answer

Option C is correct because pam_tally2 does not apply to the root account unless the 'even_deny_root' option is explicitly added to the pam_tally2 configuration line. Since the administrator is likely logging in as root (or the root account is being targeted), the lockout observed is not from pam_tally2 but from another mechanism such as sshd's own MaxAuthTries or a separate service like fail2ban. The configuration shown only denies regular users after 3 failures and unlocks after 300 seconds, but root remains unaffected by this rule.

Exam trap

The trap here is that candidates assume pam_tally2 applies equally to all users, including root, without realizing the default exemption for root and the need for the 'even_deny_root' option.

How to eliminate wrong answers

Option A is wrong because the question states the server uses PAM with pam_tally2, and the administrator is checking /etc/pam.d/sshd, which implies UsePAM yes is already set; otherwise, the pam_tally2 line would have no effect at all, and the lockout behavior would not be observed. Option B is wrong because incorrect permissions on /var/log/tallylog would cause pam_tally2 to fail (potentially with onerr=succeed allowing access), not cause a lockout; the lockout is still happening, so the file is readable. Option D is wrong because while DenyHosts could cause IP-based lockouts, the question specifically states the administrator suspects a brute-force protection mechanism and checks pam_tally2; the most likely reason given the pam_tally2 configuration is the root account exemption, not an unrelated service.

217
MCQ · hard

A system administrator is troubleshooting a network issue on a Linux server running CentOS 7. The server is unable to connect to the internet, but internal network connections work fine. The administrator checks the network configuration: the server has a static IP 192.168.1.100/24, default gateway 192.168.1.1, and DNS server 8.8.8.8. The administrator can ping the gateway but cannot ping 8.8.8.8. From the server, a traceroute to 8.8.8.8 stops at the gateway. The administrator also notices that the route table shows a default route via 192.168.1.1. What is the most likely cause?

A. The router is not performing NAT correctly
B. The DNS server is not responding
C. The default gateway is not reachable
D. The subnet mask is incorrectly configured
Answer: A

The traceroute stopping at the gateway suggests the router is not forwarding packets to the internet, likely due to NAT misconfiguration.

Why this answer

The server can ping the gateway (192.168.1.1) but cannot reach 8.8.8.8, and traceroute stops at the gateway. This indicates that the server’s default route is correctly configured and the gateway is reachable, but the router is not forwarding traffic beyond the local subnet. Since internal connections work, the most likely cause is that the router is not performing Network Address Translation (NAT) correctly, which is required to translate private IP addresses (192.168.x.x) to a public IP for internet access.

Exam trap

The trap here is that candidates may think a reachable gateway and a default route guarantee internet connectivity, but they overlook the necessity of NAT for private-to-public IP translation in a typical SOHO or enterprise network.

How to eliminate wrong answers

Option B is wrong because the DNS server (8.8.8.8) is being tested via ICMP ping, not DNS resolution; a non-responding DNS server would not prevent a ping to that IP. Option C is wrong because the administrator can successfully ping the default gateway (192.168.1.1), confirming it is reachable. Option D is wrong because the subnet mask /24 is correct for the 192.168.1.0/24 network, and internal connections work, so there is no subnet mismatch.

218
MCQ · easy

Which command will create a compressed tar archive of a directory?

A. tar -czf archive.tar.gz dir
B. tar -xzf archive.tar.gz
C. tar -cf archive.tar dir
D. tar -tf archive.tar
Answer: A

This creates a gzip compressed tar archive.

Why this answer

Option A is correct because the `-czf` flags combine `-c` (create archive), `-z` (compress with gzip), and `-f` (specify archive file name). This creates a compressed tar archive of the specified directory, outputting a `.tar.gz` file. The command `tar -czf archive.tar.gz dir` is the standard syntax for this operation.

Exam trap

CompTIA often tests the distinction between create (`-c`), extract (`-x`), and list (`-t`) flags, and the requirement of `-z` for gzip compression, causing candidates to confuse `-czf` with `-xzf` or omit `-z` entirely.

How to eliminate wrong answers

Option B is wrong because `-xzf` extracts (decompresses) an existing archive, not creates one; the `-x` flag stands for extract. Option C is wrong because `-cf` creates an uncompressed tar archive (`.tar` only), missing the `-z` flag for gzip compression. Option D is wrong because `-tf` lists the contents of an existing archive without creating or compressing anything.

219
MCQ · medium

After updating the kernel, the system fails to boot and displays 'Error 15: File not found' from GRUB. What is the most likely cause?

A. The GRUB configuration file is missing
B. The kernel image is missing or the path in grub.cfg is incorrect
C. The initramfs image is missing
D. The hard drive has failed
Answer: B

Correct: Error 15 means file not found, likely kernel.

Why this answer

GRUB error 15 indicates that the specified file path in the GRUB configuration (grub.cfg) cannot be found. Since the error occurs after a kernel update, the most likely cause is that the new kernel image file is missing from the boot partition or the path in grub.cfg does not match the actual file location, preventing GRUB from loading the kernel.

Exam trap

The trap here is that candidates often confuse GRUB error 15 with a missing initramfs, but error 15 occurs specifically when the kernel image path is invalid, while a missing initramfs causes a kernel panic after the kernel starts loading.

How to eliminate wrong answers

Option A is wrong because if the GRUB configuration file itself were missing, GRUB would typically drop to a rescue shell or display a different error (e.g., 'file not found' for /boot/grub/grub.cfg), not error 15 specifically. Option C is wrong because a missing initramfs image would cause a kernel panic during boot after the kernel loads, not a GRUB error 15, which occurs before the kernel is executed. Option D is wrong because a hard drive failure would likely produce hardware-related errors (e.g., 'disk read error' or 'drive not ready') rather than a specific GRUB 'file not found' error, and the system would not reach the GRUB menu stage.

220
MCQ · hard

A DevOps team uses Git for version control of Ansible playbooks. They notice that a recent commit introduced errors in the playbook. Which Git command sequence should they use to temporarily revert to a previous commit while preserving the faulty commit in history?

A. git checkout HEAD~1
B. git revert HEAD
C. git reset --hard HEAD~1
D. git branch -d faulty-branch
Answer: B

Creates inverse commit, keeps history.

Why this answer

The `git revert HEAD` command creates a new commit that undoes the changes introduced by the most recent commit, effectively reverting the playbook to its previous state while preserving the faulty commit in the project history. This is the correct approach for a team using shared repositories because it maintains a linear, non-destructive history that can be safely pushed to a remote without force-pushing.

Exam trap

The trap here is that candidates confuse `git revert` (which creates a new commit to undo changes) with `git reset` (which removes commits from history), leading them to choose the destructive `git reset --hard` option when the question explicitly requires preserving the faulty commit in history.

How to eliminate wrong answers

Option A is wrong because `git checkout HEAD~1` detaches the HEAD to the previous commit, putting the repository in a detached HEAD state; it does not create a new commit and does not preserve the faulty commit in the active branch history. Option C is wrong because `git reset --hard HEAD~1` permanently removes the faulty commit from the branch history, discarding its changes and rewriting history, which is destructive and dangerous for shared branches. Option D is wrong because `git branch -d faulty-branch` deletes a branch named 'faulty-branch', which does not address reverting the most recent commit on the current branch and is irrelevant to the scenario.

221
Multi-Select · hard

A system administrator is troubleshooting a bash script that fails when run from cron but works when run from the terminal. Which two factors could explain this behavior? (Select TWO.)

Select 2 answers
A. The script uses interactive commands
B. The script uses a different shell interpreter
C. The script uses absolute paths
D. The script runs with a different user ID
E. Different PATH environment variable
Answers: A, E

Commands like read, vi, or those requiring a terminal fail non-interactively.

Why this answer

Option A is correct because interactive commands (e.g., `read`, `select`, or commands that require a TTY) fail when run from cron, as cron does not allocate a terminal. The script expects user input or terminal interaction, which is not available in the cron environment, causing it to hang or error out. Option E is correct because cron runs with a minimal PATH (often `/usr/bin:/bin`), so the script may fail to locate commands that are found in the user's interactive shell PATH (e.g., `/usr/local/bin`).

Exam trap

CompTIA often tests the misconception that cron runs scripts with the same environment as the user's interactive shell, leading candidates to overlook PATH and interactive command issues in favor of user ID or interpreter differences.

222
MCQ · hard

A security policy requires auditing of all file access attempts. Which Linux kernel feature should be used?

A. auditd
B. journald
C. syslog
D. sysstat
Answer: A

The audit daemon can be configured to watch file accesses using audit rules.

Why this answer

The `auditd` service is the user-space component of the Linux Audit subsystem, which is the kernel feature designed to record file access events. It uses kernel audit rules (configured via `auditctl`) to capture system calls like `open`, `execve`, and `unlink`, enabling detailed auditing of all file access attempts as required by security policies.

Exam trap

The trap here is that candidates confuse `auditd` with general logging tools like `journald` or `syslog`, assuming any logging service can fulfill file access auditing requirements, but only the Linux Audit subsystem provides the necessary kernel-level system call interception and rule-based filtering.

How to eliminate wrong answers

Option B is wrong because `journald` is a system logging daemon that collects log data from various sources (e.g., kernel, services) and stores it in binary journal files; it does not provide granular, rule-based auditing of individual file access attempts. Option C is wrong because `syslog` is a legacy logging protocol and service (e.g., rsyslog, syslog-ng) that handles message-based logging but lacks the kernel-level system call interception needed for file access auditing. Option D is wrong because `sysstat` is a performance monitoring toolset (e.g., sar, iostat) that reports system activity metrics like CPU and I/O usage, not file access events.

223
Multi-Select · easy

An administrator wants to ensure a critical monitoring script runs every day at 2 AM and sends output to a log file. Which THREE items are essential in the crontab entry? (Select THREE.)

Select 3 answers
A. SHELL=/bin/bash
B. RUNLEVEL=3
C. 0 2 * * * /usr/local/bin/script.sh
D. MAILTO=admin@example.com
E. PATH=/usr/local/bin:/usr/bin
Answers: A, C, E

If the script uses bash-specific features, setting SHELL is required; otherwise, cron uses /bin/sh.

Why this answer

Option A is correct because the SHELL variable in a crontab entry defines which shell interpreter is used to execute the cron job. By default, cron uses /bin/sh, but setting SHELL=/bin/bash ensures that bash-specific syntax, aliases, and features (such as [[ ]] or source) are available for the monitoring script. Without this, the script might fail if it relies on bash extensions.

Exam trap

CompTIA often tests the misconception that MAILTO is required for logging output, when in fact output redirection (e.g., >> /var/log/script.log 2>&1) is what sends output to a file, and MAILTO is only for email delivery.

224
MCQ · easy

A system administrator notices that a Linux server is running low on disk space. Which command should be used to identify which directories are consuming the most space?

A. ls -laR
B. find / -size +100M
C. df -h
D. du -h /path | sort -rh
Answer: D

du with -h and sort -rh lists directories with human-readable sizes sorted largest first.

Why this answer

Option D is correct because the `du -h /path | sort -rh` command recursively calculates disk usage for each directory under the specified path, displays sizes in human-readable format (`-h`), and then sorts the output in reverse human-numeric order (`-rh`), showing the largest directories first. This directly identifies which directories are consuming the most space, which is exactly what the system administrator needs.

Exam trap

The trap here is that candidates often pick `df -h` (Option C) because it shows disk space usage, but it only reports filesystem-level totals, not per-directory breakdowns, which fails to identify the specific directories consuming space.

How to eliminate wrong answers

Option A is wrong because `ls -laR` lists all files and directories recursively with details, but it does not sum or sort disk usage; it only shows file sizes individually, making it impractical for identifying the largest directories. Option B is wrong because `find / -size +100M` finds files larger than 100 MB, not directories, and it does not aggregate disk usage per directory; it also may miss smaller files that collectively consume significant space. Option C is wrong because `df -h` reports free and used disk space on mounted filesystems, not per-directory usage; it cannot show which directories are consuming space within a filesystem.

225
MCQ · medium

A web server in a remote data center logs timestamps in UTC, but the operations team wants all logs to reflect the local timezone (America/New_York). Which command changes the system timezone?

A. timedatectl set-time '2025-03-01 12:00:00'
B. timedatectl set-timezone America/New_York
C. timedatectl list-timezones
D. timedatectl set-ntp yes
Answer: B

Sets the system timezone to the specified zone.

Why this answer

Option B is correct because `timedatectl set-timezone` changes the system timezone. Option A sets the system time; Option C lists the available timezones; Option D enables NTP synchronization.
