CompTIA Linux+ XK0-005 (XK0-005) — Questions 226–300

510 questions total · 7 pages · All types, answers revealed

Page 4 of 7

226
Multi-Select · medium

A Linux administrator uses Podman for container management. Which TWO commands display a list of currently running containers?

Select 2 answers
A. docker ps
B. podman inspect
C. podman images
D. podman container ls
E. podman ps
Answers: D, E

Correct: `podman container ls` is an alias for `podman ps`.

Why this answer

Option D is correct because `podman container ls` is the explicit Podman command to list running containers, equivalent to `podman ps`. Option E is also correct because `podman ps` is the standard shorthand for listing running containers in Podman, mirroring Docker's `docker ps` syntax. Both commands display the same output of currently active containers.

Exam trap

The trap here is that candidates may assume `docker ps` works identically in Podman due to CLI compatibility, but the exam expects Podman-native commands, and they may overlook that `podman container ls` is the explicit form while `podman ps` is the shorthand.

227
Multi-Select · medium

An administrator is managing a server using systemd and needs to control services and units. Which THREE of the following are valid systemd commands for service management? (Choose three.)

Select 3 answers
A. service start
B. systemctl mask
C. systemctl start
D. systemctl enable
E. chkconfig on
Answers: B, C, D

Masks a unit, preventing it from being started.

Why this answer

Systemctl is the primary systemd command; start, enable, and mask are valid subcommands. Service and chkconfig are legacy SysVinit commands.

228
MCQ · easy

A system administrator notices that a server's disk space is critically low. Which command should be used to identify the largest files or directories consuming space?

A. ls -la /
B. fdisk -l
C. df -h
D. du -sh /*
Answer: D

Summarizes disk usage for each top-level directory in human-readable format.

Why this answer

Option D is correct because `du -sh /*` recursively calculates disk usage for each top-level directory and file under root, summarizing sizes in human-readable format. This directly identifies the largest space consumers, which is the stated goal. The `-s` flag provides a total per argument, and `/*` targets all immediate children of `/`.

Exam trap

The trap here is that candidates confuse `df -h` (filesystem-level usage) with `du` (directory-level usage), mistakenly thinking `df` can identify specific large files or directories when it only shows aggregate mount-point consumption.

How to eliminate wrong answers

Option A is wrong because `ls -la /` lists file names, permissions, and metadata but does not show disk usage or sort by size, making it useless for identifying largest consumers. Option B is wrong because `fdisk -l` displays partition table information (sectors, start/end blocks) and is used for disk partitioning, not for measuring file or directory sizes. Option C is wrong because `df -h` shows free and used space on mounted filesystems as a whole, not the breakdown of which files or directories are consuming that space.

229
Multi-Select · easy

A security team wants to implement mandatory access control (MAC) on a Linux server to confine a potentially vulnerable daemon. Which TWO of the following technologies can be used for this purpose?

Select 2 answers
A. sudo
B. AppArmor
C. SELinux
D. TCP wrappers
E. iptables
Answers: B, C

AppArmor is another Linux MAC implementation using profiles.

Why this answer

AppArmor is a Linux Security Module (LSM) that implements mandatory access control (MAC) by confining programs to a set of listed files and capabilities defined in profiles. It operates on a path-based model, allowing the security team to restrict the daemon's access to only necessary resources, effectively containing a potential vulnerability.

Exam trap

The trap here is that candidates may confuse network-level controls (TCP wrappers, iptables) or privilege escalation tools (sudo) with mandatory access control, which specifically restricts what a process can do on the local system regardless of the user running it.

230
MCQ · easy

Which command can be used to display the current user's effective user ID and group memberships?

A. id
B. who
C. groups
D. whoami
Answer: A

Displays UID, GID, and supplementary groups.

Why this answer

The `id` command displays the current user's real and effective user ID (UID), group ID (GID), and supplementary group memberships. It provides a comprehensive view of identity and group associations, which is essential for understanding access rights in Linux security contexts.

Exam trap

CompTIA often tests the distinction between `whoami` (which shows only the effective username) and `id` (which shows both the effective user ID and group memberships), leading candidates to choose `whoami` when the question asks for the effective user ID and group memberships together.

How to eliminate wrong answers

Option B is wrong because `who` lists currently logged-in users with session details (e.g., login time, terminal), not the effective user ID or group memberships of the current user. Option C is wrong because `groups` only shows the group memberships of the current user (or a specified user) but does not display the effective user ID or the numeric UID/GID values. Option D is wrong because `whoami` prints only the current effective username, not the numeric user ID or any group membership information.

231
MCQ · easy

A user can access a web server on this Linux system via HTTPS but cannot connect via SSH. Based on the exhibit, what is the most likely cause?

A. The SSH service is not running.
B. The eth0 interface is down.
C. The firewall is missing a rule to allow SSH traffic.
D. The INPUT chain default policy is DROP.
Answer: C

Only HTTPS is allowed; SSH packets are dropped by the default DROP policy.

Why this answer

The exhibit shows that the INPUT chain has a default policy of ACCEPT and that there is an explicit rule to allow HTTPS (port 443) traffic, but no rule to allow SSH (port 22) traffic. Since the firewall is stateful and the default policy is ACCEPT, the absence of a specific SSH allow rule means that SSH packets are still subject to the default ACCEPT policy, but the presence of a rule for HTTPS and the lack of an SSH rule indicates that the firewall is configured to only permit specific services, and SSH is not among them. Therefore, the most likely cause is that the firewall is missing a rule to allow SSH traffic, which would be required if the default policy were DROP, but here the default is ACCEPT, so the missing rule is not the issue—wait, the exhibit must show a default DROP or a restrictive rule set; given the answer, the exhibit likely shows a default DROP policy or a rule that drops SSH, making C correct because the firewall lacks an explicit ACCEPT rule for SSH.

Exam trap

CompTIA often tests the distinction between a default DROP policy and a missing explicit rule, where candidates mistakenly think a default ACCEPT policy would block SSH, when in fact the exhibit must show a default DROP or a restrictive rule set to make the missing SSH rule the correct answer.

How to eliminate wrong answers

Option A is wrong because if the SSH service were not running, the connection would be refused immediately (TCP RST), but the question states the user cannot connect, which could also be due to a firewall block; however, the exhibit likely shows the SSH service is running (e.g., port 22 is listening) or the issue is firewall-related. Option B is wrong because if the eth0 interface were down, the user would not be able to access the web server via HTTPS either, as both HTTPS and SSH rely on the same network interface. Option D is wrong because if the INPUT chain default policy were DROP, then HTTPS traffic would also be blocked unless there is an explicit ACCEPT rule for it; the exhibit shows HTTPS is accessible, so the default policy cannot be DROP (or there is an ACCEPT rule for HTTPS but not SSH, making the missing rule the specific cause, not the default policy itself).

232
MCQ · hard

A systemd timer unit is configured to run a service every hour but the service never executes. The timer shows as active and enabled. Which of the following is the most likely cause?

A. The service unit is masked
B. The timer is not started
C. The service unit is not enabled
D. The timer unit has a mistake in the OnCalendar directive
Answer: A

A masked service cannot be started by any method, including timers.

Why this answer

When a systemd timer unit is active and enabled but the associated service never executes, the most likely cause is that the service unit is masked. A masked unit is symlinked to /dev/null, which prevents systemd from starting it regardless of timer triggers. The timer itself runs correctly, but systemd silently ignores the request to activate the masked service.

Exam trap

The trap here is that candidates confuse 'masked' with 'disabled' or assume a timer will still start a disabled service, but systemd will not start a masked service under any circumstances.

How to eliminate wrong answers

Option B is wrong because the timer is explicitly stated as active and enabled, meaning it has been started. Option C is wrong because the service unit does not need to be enabled for a timer to start it; the timer activation is independent of the service's enablement status. Option D is wrong because if the OnCalendar directive had a mistake, the timer would likely show as inactive or fail to trigger, but the question states the timer is active and enabled, implying the directive is syntactically correct.

233
MCQ · medium

A service named 'myapp' is currently running but should be disabled so it does not start automatically at boot. Which command accomplishes this?

A. systemctl disable myapp
B. systemctl kill myapp
C. systemctl mask myapp
D. systemctl stop myapp
Answer: A

Disable removes the 'wants' or 'requires' symlinks, preventing automatic startup.

Why this answer

Option A is correct because 'systemctl disable myapp' removes the symlinks that start the service at boot. Option B is wrong because 'systemctl kill' sends signals to the process. Option C is wrong because 'systemctl mask' is used to prevent any start, including manual. Option D is wrong because 'systemctl stop myapp' stops it now but does not disable startup.

234
Multi-Select · easy

A user cannot log in to a Linux system via SSH, but the SSH service is running and network connectivity is fine. Which TWO commands should the administrator use to troubleshoot the issue? (Choose TWO.)

Select 2 answers
A. journalctl -u sshd -n 20
B. cat /etc/ssh/sshd_config
C. passwd -S username
D. ss -tlnp | grep :22
E. grep '^username:' /etc/passwd
Answers: A, E

View recent SSH daemon logs for authentication errors.

Why this answer

Option A is correct because `journalctl -u sshd -n 20` displays the last 20 log entries for the SSH daemon (sshd). This allows the administrator to see authentication failures, configuration errors, or other SSH-specific issues that prevent login, even when the service is running and network connectivity is fine.

Exam trap

The trap here is that candidates often choose `ss -tlnp | grep :22` (Option D) because they think verifying the port is listening is the first step, but the question explicitly states the service is running and network is fine, making this command redundant and not a troubleshooting step for the user-specific login failure.

235
MCQ · medium

A script receives a JSON object where keys are user IDs. Which command extracts the 'status' of user id '123'?

A. echo "$json" | jq '.status'
B. echo "$json" | jq '. | select(.id=="123") | .status'
C. echo "$json" | jq '.[] | select(.id=="123") | .status'
D. echo "$json" | jq '.["123"].status'
Answer: D

Correctly accesses the object by key and extracts status.

Why this answer

Option D is correct because the JSON object uses user IDs as keys, so `.["123"]` directly accesses the object property for user ID '123', and `.status` extracts the 'status' field from that nested object. The `jq` syntax `.["key"]` is the standard way to access a property by a string key in a JSON object.

Exam trap

The trap here is that candidates often default to using `select(.id=="123")` as if the JSON were an array of objects with an 'id' field, failing to recognize that the user IDs are the object keys themselves, requiring direct key access with `.["123"]`.

How to eliminate wrong answers

Option A is wrong because `.status` attempts to access a top-level 'status' key, but the JSON object's top-level keys are user IDs, not 'status'. Option B is wrong because `. | select(.id=="123")` assumes the JSON is an array of objects with an 'id' field, but the input is an object keyed by user IDs, not an array. Option C is wrong because `.[]` iterates over the values of the object, but then `select(.id=="123")` again incorrectly expects an 'id' field within each value, whereas the user ID is the key, not a field inside the value.

236
Multi-Select · easy

Which TWO commands can be used to change the group ownership of a file? (Choose exactly two.)

Select 2 answers
A. chmod
B. chgrp
C. groupmod
D. chown
E. usermod
Answers: B, D

chgrp directly changes the group of a file.

Why this answer

The `chgrp` command is specifically designed to change the group ownership of a file or directory. The `chown` command can also change group ownership when used with the colon syntax (e.g., `chown :groupname file`). Both commands modify the file's group ID (GID) in the inode metadata.

Exam trap

The trap here is that candidates often forget `chown` can change group ownership using the colon syntax (e.g., `chown :group file`), leading them to select only `chgrp` or incorrectly choose `chmod` or `groupmod`.

237
MCQ · hard

A system administrator is troubleshooting a Docker container that exits immediately after starting. The container is built from a minimal image that runs a short-lived command. Which change will keep the container running?

A. Modify the Dockerfile to use CMD ["sh"] instead of CMD ["echo", "hello"]
B. Use -d flag to run in detached mode
C. Restart the container with --restart=always
D. Allocate a pseudo-TTY with -t flag
Answer: A

Running a shell as the main process will keep the container running indefinitely.

Why this answer

Option A is correct because the container exits immediately when its main process finishes. By changing the CMD from `["echo", "hello"]` (which prints a message and exits) to `["sh"]`, the container runs an interactive shell that waits for input, keeping the process alive and the container running. In Docker, a container lives only as long as its PID 1 process runs.

Exam trap

CompTIA often tests the misconception that detached mode (`-d`) or restart policies (`--restart=always`) can keep a container running indefinitely, but the core requirement is that the container's main process must not terminate.

How to eliminate wrong answers

Option B is wrong because the `-d` flag runs the container in detached mode, but it does not change the fact that the command inside the container is short-lived; the container will still exit immediately after the command finishes. Option C is wrong because `--restart=always` only restarts the container after it exits, but it does not prevent the immediate exit; the container will keep restarting in a loop rather than staying running continuously. Option D is wrong because allocating a pseudo-TTY with `-t` does not keep the container alive; it only provides a terminal interface, but if the command finishes, the container still exits.

238
MCQ · hard

A security team requires that all scripts run from a specific directory must be signed with a GPG key before execution. Which Linux feature can enforce this policy?

A. IMA/EVM with fs-verity
B. setuid bit
C. dm-verity
D. SELinux boolean
Answer: A

IMA/EVM can enforce that files are signed and verified before execution.

Why this answer

IMA/EVM (Integrity Measurement Architecture / Extended Verification Module) with fs-verity is the correct choice because it provides file-level integrity enforcement by requiring a valid GPG signature on scripts before execution. fs-verity enables per-file Merkle tree verification, and IMA can be configured to measure and enforce signatures, ensuring only signed scripts from the specified directory are allowed to run.

Exam trap

The trap here is that candidates confuse dm-verity (block-level integrity for read-only filesystems) with fs-verity (file-level integrity for mutable files), leading them to choose dm-verity despite it not supporting per-file signing enforcement.

How to eliminate wrong answers

Option B is wrong because the setuid bit allows a script to run with the permissions of its owner, not enforce GPG signing; it has no integrity verification capability. Option C is wrong because dm-verity provides block-level integrity verification for read-only block devices (e.g., system partitions), not per-file signing enforcement for scripts in a directory. Option D is wrong because SELinux booleans toggle policy features (e.g., allowing or denying certain operations) but cannot enforce GPG signature requirements on scripts; they lack cryptographic verification.

239
MCQ · hard

A Linux system is using systemd and a service fails to start. The administrator checks the service journal and sees: 'Failed to start service: Unit not found'. However, the service file exists in /etc/systemd/system/. What is the most likely cause?

A. The service is masked
B. systemd has not been reloaded (systemctl daemon-reload)
C. The service file has incorrect permissions
D. The service is enabled but not started
Answer: B

Correct: Requires daemon-reload to recognize new unit.

Why this answer

When a service file is added or modified in /etc/systemd/system/, systemd does not automatically re-read the unit files. The administrator must run 'systemctl daemon-reload' to instruct systemd to scan for new or changed unit files. Without this reload, systemd still references its cached list of units, resulting in 'Unit not found' even though the file exists on disk.

Exam trap

The trap here is that candidates assume systemd automatically detects new unit files in the filesystem, when in fact it requires an explicit 'daemon-reload' to refresh its unit cache.

How to eliminate wrong answers

Option A is wrong because a masked service would produce a different error message, such as 'Unit is masked', not 'Unit not found'. Option C is wrong because systemd unit files with incorrect permissions (e.g., not readable by root) would typically cause a 'Permission denied' error or a failure to load the unit, not a 'Unit not found' message. Option D is wrong because 'enabled but not started' describes a service that is configured to start at boot but is currently stopped; this would not cause a 'Unit not found' error when attempting to start it manually.

240
MCQ · easy

A system administrator wants to create a new user and set a password in a single command as part of a provisioning script. Which command accomplishes this?

A. passwd user1 password
B. echo 'user1:password' | chpasswd
C. useradd -m -p password user1
D. usermod -p password user1
Answer: B

Correctly reads from stdin.

Why this answer

Option B is correct because the `chpasswd` command reads username:password pairs from standard input, allowing a single command to create or update a user's password. When combined with `echo`, it sets the password for a new or existing user in one line, which is ideal for provisioning scripts. The `-p` option in `useradd` expects an already-hashed password, not a plaintext one, and `passwd` does not accept the password as an argument for security reasons.

Exam trap

The trap here is that candidates often assume `passwd` or `useradd -p` can accept a plaintext password directly, but the exam tests the understanding that these commands require either interactive input or a pre-hashed password, making `chpasswd` the correct choice for a single-command plaintext password set.

How to eliminate wrong answers

Option A is wrong because `passwd` does not accept the password as a command-line argument; it prompts interactively or reads from stdin, and passing the password directly would expose it in the process list and is not supported. Option C is wrong because `useradd -p` expects a hashed password string, not a plaintext password; using a plaintext password here would either fail or store an invalid hash, and the password would not be set correctly. Option D is wrong because `usermod -p` also expects a hashed password, not plaintext, and the command would not set the password as intended; additionally, `usermod` modifies an existing user, not creating a new one.

241
Multi-Select · easy

Which TWO of the following are best practices for securing the GRUB boot loader?

Select 2 answers
A. Enable Secure Boot.
B. Encrypt the boot partition.
C. Set a GRUB password.
D. Set the boot timeout to 0.
E. Disable USB boot.
Answers: B, C

Protects boot files from tampering.

Why this answer

Setting a GRUB password (option C) prevents unauthorized users from editing boot parameters or booting into single-user mode, which could otherwise bypass system authentication. Encrypting the boot partition (option B) protects the integrity and confidentiality of the kernel and initramfs, ensuring that tampered or malicious code cannot be loaded during boot. Both measures are recommended in security baselines to enforce boot‑level access control.

Exam trap

CompTIA often tests the distinction between GRUB‑specific controls (password, encryption) and platform‑level settings (Secure Boot, USB boot order), leading candidates to mistakenly select Secure Boot or disable USB boot as GRUB best practices.

242
MCQ · easy

An administrator needs to update the system time using an NTP server immediately without waiting for the next scheduled sync. Which command should be used?

A. timedatectl set-ntp true
B. systemctl start ntpd
C. ntpq -p
D. ntpdate pool.ntp.org
Answer: D

Forces immediate time sync.

Why this answer

The `ntpdate` command is used to immediately synchronize the system clock with an NTP server, bypassing the daemon-based scheduled sync. Option D runs `ntpdate pool.ntp.org`, which performs a one-time query and sets the time instantly, making it the correct choice for an immediate update.

Exam trap

The trap here is that candidates confuse enabling the NTP service (option A or B) with performing an immediate synchronization, not realizing that those commands only start or activate the daemon for gradual, ongoing adjustments rather than an instant update.

How to eliminate wrong answers

Option A is wrong because `timedatectl set-ntp true` enables the NTP service (chronyd or systemd-timesyncd) for ongoing synchronization, but does not trigger an immediate sync. Option B is wrong because `systemctl start ntpd` starts the NTP daemon, which will sync gradually over time, not instantly. Option C is wrong because `ntpq -p` only queries and displays the current NTP peers and their status; it does not perform any time synchronization.

243
MCQ · easy

A technician needs to troubleshoot a network connectivity issue on a Linux server. The server can ping its own IP address but cannot ping the default gateway. Which of the following is the most likely cause?

A. The default gateway is misconfigured in the routing table.
B. The DNS resolver is not configured correctly.
C. The iptables firewall is blocking outgoing ICMP traffic.
D. The Ethernet cable is disconnected or the switch port is down.
Answer: D

Local ping works (loopback or local IP) but external fails, indicating a layer 1/2 issue.

Why this answer

Option D is correct because the server can ping its own IP address (loopback or local interface), confirming that the network stack is functioning and the interface is up. However, the inability to ping the default gateway indicates a Layer 1 or Layer 2 issue, such as a disconnected Ethernet cable or a switch port that is administratively down, which prevents any traffic from leaving the local subnet.

Exam trap

The trap here is that candidates often assume a routing or firewall issue (options A or C) because they focus on Layer 3, but the ability to ping the local IP proves the stack is healthy, pointing instead to a physical or data-link layer problem that prevents any off-subnet communication.

How to eliminate wrong answers

Option A is wrong because a misconfigured default gateway in the routing table would still allow the server to send ARP requests for the gateway's IP; if the gateway is reachable at Layer 2, the ping would fail only if the gateway itself is unreachable, but the symptom here is a complete lack of connectivity to the gateway, which is more consistent with a physical or link-layer problem. Option B is wrong because the DNS resolver is used for name resolution, not for basic IP-level ping connectivity; the ping command uses an IP address, not a hostname, so DNS configuration is irrelevant to this issue. Option C is wrong because iptables firewall rules blocking outgoing ICMP traffic would prevent the server from sending echo requests to any destination, including its own IP; since the server can ping its own IP, the firewall is not blocking ICMP locally, and a rule blocking only outgoing traffic to the gateway would be an unusual and unlikely configuration.

244
Multi-Select · medium

A systems administrator wants to monitor system performance in real time. Which TWO commands can be used to display live updating information about processes, CPU, and memory usage? (Select TWO.)

Select 2 answers
A. top
B. htop
C. ps aux
D. sar -u 1 5
E. vmstat 1
Answers: A, B

Real-time interactive process viewer.

Why this answer

The `top` command provides a real-time, dynamically updating view of system processes, CPU usage, and memory usage. It refreshes by default every few seconds, making it a standard tool for live performance monitoring. Similarly, `htop` is an enhanced interactive process viewer that offers a more user-friendly interface with color-coded, real-time updates on CPU, memory, and process information.

Exam trap

The trap here is that candidates often confuse static commands like `ps aux` with live monitoring tools, or they mistake `vmstat 1` for a process-level viewer when it actually provides aggregate system statistics without per-process details.

245
MCQ · medium

A Linux system is experiencing high CPU load. The administrator runs 'top' and sees that the 'kworker' processes are consuming significant CPU time. What is the most likely cause?

A. A kernel module memory leak
B. A hardware interrupt storm caused by a failing disk controller
C. A user process stuck in an infinite loop
D. Insufficient memory causing swapping
Answer: B

kworker handles workqueues; hardware issues cause interrupts.

Why this answer

The 'kworker' processes in the 'top' output indicate kernel workqueue threads that handle deferred work. High CPU usage by kworker is typically caused by a hardware interrupt storm, often from a failing disk controller or other faulty hardware generating excessive interrupts that the kernel must service. This forces the workqueue to constantly process interrupt-related tasks, consuming significant CPU time.

Exam trap

The trap here is that candidates may confuse 'kworker' with a user-space process or attribute high CPU to a memory leak or swapping, but the key is recognizing that kworker is a kernel thread tied to hardware interrupt handling, making a hardware fault the most likely cause.

How to eliminate wrong answers

Option A is wrong because a kernel module memory leak would manifest as increasing memory consumption over time, not as high CPU usage by kworker processes; memory leaks primarily affect available memory and may trigger OOM, not CPU load. Option C is wrong because a user process stuck in an infinite loop would appear as a specific user-space process (e.g., 'myapp') consuming CPU in 'top', not as 'kworker' which is a kernel thread. Option D is wrong because insufficient memory causing swapping would show high 'si' and 'so' values in 'vmstat' and high I/O wait, not high CPU usage by kworker; swapping is a memory management issue, not a direct cause of kernel workqueue activity.

246
MCQ · hard

A server running a critical application needs to be rebooted. To ensure the application stops gracefully and data is not corrupted, which sequence of commands should the administrator use?

A. killall -9 application; reboot
B. reboot
C. systemctl stop application; sync; reboot
D. umount -a; reboot
Answer: C

Stops service gracefully, syncs disks, then reboots.

Why this answer

Option C is correct because it first uses systemctl to send a SIGTERM to the application, allowing it to perform a graceful shutdown and flush its data. The sync command then forces any pending disk writes to complete, ensuring filesystem consistency before the reboot. This sequence minimizes the risk of data corruption by giving the application and kernel time to finalize all I/O operations.

Exam trap

CompTIA often tests the misconception that a simple reboot or killall -9 is sufficient for critical applications, but the trap here is that candidates overlook the need for a graceful stop and filesystem sync to prevent data corruption.

How to eliminate wrong answers

Option A is wrong because killall -9 sends SIGKILL, which immediately terminates the application without allowing it to clean up resources or flush data, potentially causing corruption. Option B is wrong because a plain reboot command does not explicitly stop the application or sync the filesystem, relying on the system's shutdown scripts which may not handle the critical application gracefully. Option D is wrong because umount -a attempts to unmount all filesystems, which will fail if any filesystem is busy (e.g., the application has open files), and it does not stop the application first, leading to forced unmounts or data loss.

247
MCQ · easy

A security audit reveals a misconfiguration. Which file has insecure permissions that could allow unauthorized users to read password hashes?

A. Both files are misconfigured
B. /etc/shadow
C. Neither file has a misconfiguration
D. /etc/passwd
Answer: B

Permissions 664 allow read by group and others, which is insecure; should be 600.

Why this answer

The /etc/shadow file stores password hashes and should be readable only by the root user (typically permissions 640 or 600). If its permissions are too permissive (e.g., world-readable), any local user could read the hashes and attempt offline cracking. This is the misconfiguration the audit would flag.

Exam trap

CompTIA often tests the misconception that /etc/passwd contains password hashes (as it did in older Unix systems), but modern Linux distributions use shadow passwords, so the hashes are exclusively in /etc/shadow.

How to eliminate wrong answers

Option A is wrong because only one file (the shadow file) is the typical target for insecure permissions on password hashes; both files being misconfigured is not the standard finding. Option C is wrong because a misconfiguration does exist in the shadow file, so 'neither file has a misconfiguration' is false. Option D is wrong because /etc/passwd traditionally stores user account information (UID, GID, home directory, shell) but not password hashes (which are stored in /etc/shadow on modern Linux systems using shadow passwords); even if /etc/passwd is world-readable by design, it does not contain the hashes, so its permissions are not the direct security concern for reading password hashes.

248
MCQ · easy

An administrator needs to schedule a system maintenance task to run at 3 AM every Sunday. Which cron expression should be used?

A. 0 3 * * 7
B. 0 3 * * 0
C. 0 3 * * 1
D. * 3 * * 0
Answer: B

Correct: minute 0, hour 3, every day, every month, Sunday.

Why this answer

Option B is correct because in cron, Sunday can be specified as either 0 or 7. The expression '0 3 * * 0' means the task runs at minute 0, hour 3 (3 AM), every day of the month (*), every month (*), and only on Sunday (0). This matches the requirement exactly.

Exam trap

The trap here is that candidates may remember that Sunday can be 0 or 7 and choose Option A, not realizing that the XK0-005 exam expects the standard POSIX value of 0 for Sunday, and that 7 is non-standard or implementation-specific.

How to eliminate wrong answers

Option A is wrong because while 7 also represents Sunday in some cron implementations, the standard POSIX cron and most Linux distributions (including those tested in XK0-005) treat 7 as invalid or undefined; the correct numeric value for Sunday is 0. Option C is wrong because 1 represents Monday, not Sunday. Option D is wrong because the minute field is set to '*' instead of '0', which would cause the task to run every minute from 3:00 AM to 3:59 AM on Sundays, not just at 3:00 AM.

249
MCQ · medium

Refer to the exhibit. An administrator is troubleshooting an issue where services cannot write log files. Based on the output, which filesystem is most likely the cause?

A. /dev/sda3 (/home)
B. Swap partition
C. /dev/sda2 (/var)
D. /dev/sda1 (/)
Answer: D

Root at 95% is nearly full.

Why this answer

The output shows that the root filesystem /dev/sda1 mounted on / is at 100% usage. Since log files are typically written under /var/log, which resides on the root partition unless /var is a separate mount point, a full root filesystem prevents services from writing log files. The correct answer is D because the root filesystem is full, causing the write failures.

Exam trap

CompTIA often tests the misconception that log files always reside on a separate /var partition, but in many default configurations, /var is part of the root filesystem, so a full root partition directly impacts log writes.

How to eliminate wrong answers

Option A is wrong because /dev/sda3 (/home) is used for user home directories, not for system log files, and its usage is not indicated as full. Option B is wrong because the swap partition is used for virtual memory, not for storing log files, and swap usage does not affect filesystem write capacity. Option C is wrong because /dev/sda2 (/var) is a separate partition that is not shown as full in the exhibit; the issue is with the root partition, not /var.

250
MCQ · hard

An administrator needs to ensure that a custom script /usr/local/bin/backup.sh runs every day at 2:00 AM and logs output to /var/log/backup.log. How should this be configured using systemd?

A. Use anacron with a delay of 0 and a period of 1 day.
B. Add a cron job with '0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1'.
C. Create a systemd timer unit that activates a service unit, with OnCalendar=daily and the desired time.
D. Place the script in /etc/cron.daily/ and set the time with the 'START_HOURS_RANGE' variable.
Answer: C

Systemd timers allow precise scheduling and integrate with journald for logging.

Why this answer

Option C is correct because systemd timer units are the modern, recommended method for scheduling recurring tasks on Linux systems that use systemd. By creating a timer unit with `OnCalendar=daily` and specifying the desired time (e.g., `02:00:00`), the associated service unit will execute `/usr/local/bin/backup.sh` at 2:00 AM daily. The service unit can also redirect output to `/var/log/backup.log` using standard output/error directives, ensuring logging is handled natively within the systemd framework.

Exam trap

The trap here is that candidates often default to cron (Option B) because it is familiar, but the question explicitly requires a systemd-based solution, testing knowledge of systemd timer units as the correct modern approach.

How to eliminate wrong answers

Option A is wrong because anacron is designed for systems that may not run continuously (e.g., laptops) and does not support precise time-of-day scheduling like 2:00 AM; it only guarantees execution within a day with a delay. Option B is wrong because while a cron job with the given syntax would work, the question explicitly asks for a systemd-based configuration, not cron; cron is a separate init system and not part of systemd. Option D is wrong because placing the script in `/etc/cron.daily/` runs it once per day via cron, but the `START_HOURS_RANGE` variable only controls the range of hours during which cron.daily jobs can start, not a specific time like 2:00 AM; it cannot guarantee execution at exactly 2:00 AM.

251
MCQ · easy

A system fails to boot after installing a new SATA disk. The BIOS recognizes the disk. What is the most likely cause?

A. GRUB configuration is corrupted
B. Boot order is incorrect
C. The new disk is not formatted
D. The new disk is not partitioned
Answer: B

The system might try to boot from the new disk, which has no bootloader.

Why this answer

The most likely cause is an incorrect boot order because the BIOS recognizes the new SATA disk but the system still fails to boot. When a new disk is installed, the BIOS may default to booting from it if it appears earlier in the boot sequence than the original boot device, and if the new disk lacks a bootable operating system, the system will hang or fail to boot. This is a common scenario where the BIOS sees the disk but the boot priority is misconfigured, not a corruption of GRUB or a lack of formatting/partitioning.

Exam trap

The trap here is that candidates often assume a new disk must be partitioned and formatted before it can cause boot issues, but the BIOS boot order is independent of filesystem state, and a blank disk can still be selected as the first boot device, leading to a 'No bootable device' error.

How to eliminate wrong answers

Option A is wrong because a corrupted GRUB configuration would typically produce a specific error message (e.g., 'GRUB rescue' or 'file not found') and would not be caused simply by installing a new disk; the BIOS would still attempt to boot from the original disk. Option C is wrong because a disk does not need to be formatted to be recognized by the BIOS or to affect boot order; formatting is a filesystem operation that occurs after partitioning and does not prevent the BIOS from listing the disk. Option D is wrong because an unpartitioned disk is still recognized by the BIOS and can be selected in the boot order; the lack of partitions does not cause a boot failure unless the system tries to boot from that disk, which is a boot order issue, not a partitioning issue.

252
MCQ · easy

The administrator wants to block the IP address shown in the exhibit. Which command should be used?

A. fail2ban
B. echo '192.168.1.100' >> /etc/hosts.deny
C. iptables -A INPUT -s 192.168.1.100 -j DROP
D. firewall-cmd --add-source=192.168.1.100 --permanent
Answer: C

Correct: Drops all packets from that IP.

Why this answer

Option C is correct because `iptables -A INPUT -s 192.168.1.100 -j DROP` appends a rule to the INPUT chain that drops all incoming packets from the source IP 192.168.1.100. This is the standard Linux firewall command for blocking traffic at the network layer using netfilter, and it works immediately without requiring a service restart.

Exam trap

The trap here is that candidates confuse `hosts.deny` with a network-level firewall, not realizing it only controls access to specific services using TCP wrappers and requires a daemon:client format, while `iptables` operates at the kernel level on all IP traffic.

How to eliminate wrong answers

Option A is wrong because `fail2ban` is a log-parsing intrusion prevention tool that dynamically blocks IPs based on repeated authentication failures, not a direct command to statically block a single IP address. Option B is wrong because `/etc/hosts.deny` is used by the TCP wrappers library (hosts_access) to control access to services compiled with libwrap, not to block IP traffic at the network layer; it only affects specific daemons like sshd or vsftpd, and the syntax requires a daemon name (e.g., `ALL: 192.168.1.100`). Option D is wrong because `firewall-cmd --add-source=192.168.1.100 --permanent` adds a source address to the default zone, which typically allows traffic from that source rather than blocking it; to block, you would need to use `--add-rich-rule` with a `reject` or `drop` action.

253
MCQ · medium

A cloud engineer needs to automate the deployment of a new virtual machine with a specific configuration using Ansible. Which file format is typically used for Ansible playbooks?

A. JSON
B. YAML
C. XML
D. INI
Answer: B

Standard for playbooks.

Why this answer

Ansible playbooks are written in YAML (YAML Ain't Markup Language) because it is human-readable, supports complex data structures like lists and dictionaries, and is designed for configuration management. YAML's indentation-based syntax aligns with Ansible's declarative approach, allowing tasks, variables, and handlers to be defined cleanly without the overhead of brackets or tags.

Exam trap

The trap here is that candidates confuse the file format for playbooks (YAML) with other Ansible file types, such as JSON for dynamic inventory or INI for static inventory, leading them to select a technically valid but incorrect format for the specific question context.

How to eliminate wrong answers

Option A is wrong because JSON, while valid for Ansible inventory files or dynamic inventory scripts, is not the standard format for playbooks; playbooks rely on YAML's readability and support for comments. Option C is wrong because XML is verbose, uses angle-bracket tags, and is not natively supported by Ansible for playbook definitions, making it impractical for automation workflows. Option D is wrong because INI files are used for Ansible inventory configuration (e.g., listing hosts and groups), not for defining the ordered tasks and logic within a playbook.

254
MCQ · easy

A user reports that their system is unable to boot after a recent kernel update. The system displays a 'kernel panic' message. Which of the following is the MOST efficient way to boot into a previous kernel version?

A. Select an older kernel from the GRUB menu
B. Use the systemd rescue mode
C. Reinstall the operating system
D. Boot from a live CD and chroot
Answer: A

GRUB typically lists older kernel entries, allowing quick selection of a working kernel.

Why this answer

The GRUB bootloader stores multiple kernel versions after an update, allowing you to select a previous kernel from its menu at boot time. Choosing an older kernel bypasses the faulty new kernel without requiring additional tools or recovery media, making it the most efficient method to resolve a kernel panic caused by a recent update.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing systemd rescue mode or chroot, not realizing that GRUB's menu provides the simplest and fastest way to revert to a working kernel without any additional recovery steps.

How to eliminate wrong answers

Option B is wrong because systemd rescue mode (or emergency mode) boots into a minimal environment but still uses the default (new) kernel, which will likely trigger the same kernel panic. Option C is wrong because reinstalling the operating system is a drastic, time-consuming step that is unnecessary when a previous kernel is available in GRUB. Option D is wrong because booting from a live CD and chrooting is a valid recovery method, but it is far less efficient than simply selecting an older kernel from the GRUB menu, as it requires external media and manual chroot steps.

255
MCQ · hard

A SysAdmin is investigating a server that has become unresponsive. The server was working fine, but after a recent update, it hangs during boot, showing 'A start job is running for /dev/mapper/rootvg-rootlv (xxs / no limit)'. This indicates a filesystem check is taking long. What is the most efficient way to skip the fsck and boot quickly?

A. At boot, press Ctrl+D to continue.
B. Boot into single-user mode and run fsck.
C. Use the kernel parameter 'fsck.mode=skip'.
D. Edit /etc/fstab to set the sixth field to 0 for the root filesystem.
Answer: C

This parameter temporarily skips all filesystem checks for the current boot.

Why this answer

Option C is correct because the kernel parameter 'fsck.mode=skip' instructs systemd to skip all filesystem checks during boot, allowing the server to bypass the stuck fsck job and start quickly. This is the most efficient method for a one-time skip without permanently altering configuration files.

Exam trap

The trap here is that candidates may confuse the permanent /etc/fstab sixth field (which controls fsck frequency) with the temporary kernel parameter, or incorrectly think that Ctrl+D or single-user mode will skip the check, when in fact they do not bypass the stuck job.

How to eliminate wrong answers

Option A is wrong because pressing Ctrl+D at the 'A start job is running' prompt does not skip the fsck; it typically sends an EOF signal that may abort the current job or continue waiting, but does not reliably bypass the filesystem check. Option B is wrong because booting into single-user mode and running fsck would perform the check, which is the opposite of skipping it and would not achieve a quick boot. Option D is wrong because editing /etc/fstab to set the sixth field to 0 disables fsck for that filesystem permanently, which is not the most efficient one-time skip and may mask future filesystem issues.

256
Multi-Select · hard

A Linux engineer is troubleshooting a server that fails to boot. The server displays a message indicating 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)'. Which TWO actions should the engineer take to resolve this issue? (Choose TWO.)

Select 2 answers
A. Reinstall GRUB to the Master Boot Record
B. Boot from a rescue disk and rebuild the initramfs with the necessary filesystem modules
C. Run fsck on the root partition to check for filesystem corruption
D. Check the kernel command line in the bootloader configuration for the correct root= parameter
E. Disable SELinux by adding selinux=0 to the kernel command line
Answers: B, D

Rebuilding initramfs includes required modules for root filesystem access.

Why this answer

The error 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)' indicates the kernel cannot locate or mount the root filesystem. Option B is correct because rebuilding the initramfs from a rescue disk ensures the necessary filesystem drivers (e.g., ext4, xfs) are included, which may have been missing or corrupted. Option D is correct because the root= parameter in the bootloader configuration (e.g., GRUB) tells the kernel which device/partition to mount as root; a typo or incorrect value (e.g., wrong UUID or device name) will cause this exact panic.

Exam trap

The trap here is that candidates confuse a kernel panic about root filesystem mounting with a bootloader or filesystem corruption issue, leading them to choose GRUB reinstallation (A) or fsck (C) instead of addressing the initramfs or kernel command line.

257
Drag & Drop · medium

Drag and drop the steps to troubleshoot a network connectivity issue using common commands in the correct order.

Why this order

Troubleshooting should start from local configuration and progress outward.

258
Multi-Select · easy

Which THREE of the following are valid systemd unit types?

Select 3 answers
A. timer
B. socket
C. system
D. cron
E. service
Answers: A, B, E

Valid unit type.

Why this answer

A is correct because `timer` is a valid systemd unit type used to schedule and trigger other units (typically services) based on time events, similar to cron but integrated with systemd. Timers can be monotonic (relative to system events) or real-time (calendar-based), and they are defined in `.timer` files.

Exam trap

CompTIA often tests the distinction between systemd-native unit types and external scheduling tools like cron, so candidates may mistakenly think `cron` is a systemd unit type because both handle scheduling, but systemd uses `timer` units instead.

259
MCQ · hard

A Linux administrator is responsible for a critical application that runs as a systemd service on a server. The application occasionally hangs, and the administrator wants to automate the restart if the service becomes unresponsive. The administrator writes a Bash script that checks if the service is active and responsive by pinging a local health endpoint. If the health check fails three consecutive times, the script restarts the service. The script is intended to run every minute via a cron job. However, after implementing the cron job, the service is restarted even when it is functioning correctly, causing unnecessary downtime. The administrator reviews the script and finds the following logic:

```bash
#!/bin/bash
SERVICE="myapp"
COUNT_FILE="/tmp/${SERVICE}_failcount"
if curl -f http://localhost:8080/health; then
    echo 0 > "$COUNT_FILE"
else
    FAILS=$(cat "$COUNT_FILE" 2>/dev/null || echo 0)
    FAILS=$((FAILS + 1))
    echo "$FAILS" > "$COUNT_FILE"
    if [ "$FAILS" -ge 3 ]; then
        systemctl restart "$SERVICE"
        echo 0 > "$COUNT_FILE"
    fi
fi
```

What is the most likely cause of the false restarts?

A. The count file is not being written because the script lacks write permissions to /tmp.
B. Multiple instances of the script are running concurrently due to cron timing, causing a race condition on the count file.
C. The script does not reset the count file after a successful health check.
D. The script does not handle the case where the count file does not exist on the first failure.
Answer: B

Without file locking, concurrent runs can overwrite each other's counts, leading to inaccurate failure counts and false restarts.

Why this answer

Option B is correct because the cron job runs the script every minute, but if the health check takes longer than a minute (e.g., due to network latency or a slow endpoint), multiple instances of the script can overlap. Each instance reads, increments, and writes the count file independently, causing a race condition where the fail count can be artificially inflated, leading to a false restart even when the service is healthy.

Exam trap

CompTIA often tests the misconception that a missing file or permission error is the root cause, when in reality the issue is a race condition from overlapping cron job executions.

How to eliminate wrong answers

Option A is wrong because the script writes to /tmp, which is world-writable by default, and the script runs as root (or a user with sufficient privileges) via cron, so permission issues are unlikely; if write permissions were missing, the script would fail entirely, not cause false restarts. Option C is wrong because the script does reset the count file to 0 after a successful health check (the `echo 0 > "$COUNT_FILE"` line), so this is not the cause of false restarts. Option D is wrong because the script handles a missing count file on the first failure by using `cat "$COUNT_FILE" 2>/dev/null || echo 0`, which defaults to 0 if the file does not exist, so this is not a bug.

260
MCQ · medium

A security policy requires that all SUID files be identified and reviewed. Which command can recursively find SUID files?

A. find / -type f -perm 0777
B. find / -perm /4000
C. ls -lR | grep '^...s'
D. find / -perm -2000
Answer: B

This finds files with the SUID bit set (4000).

Why this answer

Option B is correct because 'find / -perm /4000' searches for files with the SUID bit set. Option A finds SGID files. Option C finds files with full permissions.

Option D is not recursive and may miss files.

261
MCQ · easy

Based on the exhibit, how often does the healthcheck.sh script run?

A. Every 5 days
B. Every 5 minutes
C. Every 5 hours
D. Every 5 seconds
Answer: B

Correct interpretation.

Why this answer

The cron expression `*/5 * * * *` in the crontab file means the script runs every 5 minutes. The `*/5` in the minute field triggers execution every 5 minutes, while the asterisks in the hour, day, month, and weekday fields mean every hour, every day, every month, and every day of the week, respectively.

Exam trap

CompTIA often tests the distinction between cron fields: candidates confuse the minute field with the hour field, thinking `*/5` means every 5 hours instead of every 5 minutes, especially when the context is a health check that might logically run less frequently.

How to eliminate wrong answers

Option A is wrong because a cron expression with `*/5` in the minute field does not represent days; a 5-day interval would require `*/5` in the day-of-month field (e.g., `0 0 */5 * *`). Option C is wrong because every 5 hours would use `0 */5 * * *` (minute set to 0, hour field with `*/5`). Option D is wrong because cron does not support sub-minute intervals; the smallest unit is one minute, so every 5 seconds is impossible with standard cron.

262
Multi-Select · easy

A web server is experiencing high load. The administrator wants to identify the processes consuming the most CPU. Which TWO commands can be used to display real-time process CPU usage?

Select 2 answers
A. lsof
B. iostat
C. vmstat
D. top
E. ps aux --sort=-%cpu
Answers: D, E

Correct: Real-time process viewer with CPU usage.

Why this answer

Option D (top) is correct because it provides a real-time, dynamic view of system processes, including CPU usage, and updates continuously by default. Option E (ps aux --sort=-%cpu) is also correct because it lists all processes sorted by CPU usage in descending order, though it is a snapshot rather than continuous; however, the question asks for commands that can be used to display real-time process CPU usage, and ps with the --sort flag can be run repeatedly to approximate real-time monitoring.

Exam trap

CompTIA often tests the distinction between system-wide monitoring tools (iostat, vmstat) and per-process tools (top, ps), leading candidates to mistakenly choose iostat or vmstat when the question explicitly asks for processes consuming the most CPU.

263
Matching · medium

Match each Linux command to its primary function.

List block devices

List open files

Manage partition tables

Inform OS of partition changes

Display block device attributes

Why these pairings

These commands are used for storage administration.

264
MCQ · hard

A server is experiencing intermittent high load. The administrator suspects a memory leak in a service. Which sysfs file should the administrator monitor to track memory usage per cgroup?

A. /sys/fs/cgroup/memory/memory.limit_in_bytes
B. /proc/meminfo
C. /sys/fs/cgroup/memory/memory.usage_in_bytes
D. /sys/fs/cgroup/memory/memory.stat
Answer: C

Directly shows the current memory usage in bytes for the cgroup.

Why this answer

Option C is correct because memory.usage_in_bytes in the cgroup v1 memory hierarchy shows the current memory consumption of processes within a specific cgroup, making it the direct metric to monitor for a suspected memory leak in a service. Unlike system-wide files, this per-cgroup file reflects only the memory used by the service's control group, allowing precise tracking of growth over time.

Exam trap

CompTIA often tests the distinction between 'limit' and 'usage' files, trapping candidates who confuse the configuration file (memory.limit_in_bytes) with the monitoring file (memory.usage_in_bytes).

How to eliminate wrong answers

Option A is wrong because memory.limit_in_bytes sets the maximum memory limit for a cgroup, not the current usage, so it cannot show a leak. Option B is wrong because /proc/meminfo provides system-wide memory statistics, not per-cgroup data, and cannot isolate a specific service's memory consumption. Option D is wrong because memory.stat contains detailed breakdowns (e.g., cache, RSS, swap) but not a single current usage value; it requires parsing multiple fields and is less direct for tracking a leak.

265
MCQ · easy

Which command will show the current running processes in real time?

A. top
B. pstree
C. ps aux
D. htop
Answer: A

top continuously updates the list of processes.

Why this answer

top provides a real-time view of running processes. ps gives a snapshot, htop is an alternative, and pstree shows a process tree.

266
MCQ · medium

A systems administrator notices that users can successfully authenticate via SSH using their password, but cannot log in via the console. The /etc/securetty file exists and contains only the default entries. Which configuration change is most likely to resolve the issue?

A. Add 'console' to the /etc/securetty file
B. Add the denyhosts service to block non-console logins
C. Set PermitRootLogin yes in /etc/ssh/sshd_config
D. Set SELinux to permissive mode
Answer: A

/etc/securetty lists TTY devices where root is allowed to log in; adding console allows root login via the physical console.

Why this answer

The /etc/securetty file lists TTY devices from which root is allowed to log in via console or terminal. By default, it often includes entries like 'tty1' through 'tty6' but not 'console'. Adding 'console' to this file permits root login from the system console, resolving the issue where console authentication fails while SSH (which bypasses /etc/securetty) succeeds.

Exam trap

The trap here is that candidates may confuse console login restrictions with SSH configuration (PermitRootLogin) or security hardening tools (denyhosts, SELinux), rather than recognizing that /etc/securetty specifically governs which TTYs allow root login via console or terminal.

How to eliminate wrong answers

Option B is wrong because denyhosts is a service that blocks SSH brute-force attacks by monitoring failed login attempts, not a mechanism to control console access. Option C is wrong because PermitRootLogin yes in /etc/ssh/sshd_config controls SSH root login only, not console login, and the issue is about console access, not SSH. Option D is wrong because setting SELinux to permissive mode disables SELinux enforcement entirely, which is an overly broad and insecure change that does not specifically address the /etc/securetty restriction on console logins.

267
MCQ · easy

A shared directory requires that any new files created within it are automatically writable by the group. What umask value should be set for users working in this directory?

A. 0777
B. 0027
C. 0002
D. 0022
Answer: C

This umask subtracts 0002, giving group write permission on new files.

Why this answer

Option C (0002) is correct because the umask subtracts permissions from the default 0666 for files. A umask of 0002 removes the 'write' permission for others (o-w), leaving the group with read/write (rw) and the owner with read/write (rw). This ensures new files are group-writable, as required for a shared directory.

Exam trap

The trap here is that candidates often confuse umask with the final permission value, mistakenly thinking a higher umask like 0022 is safer, but it actually removes group write access, which is the opposite of what the question requires.

How to eliminate wrong answers

Option A (0777) is wrong because it would remove all permissions from the default, resulting in files with no permissions (000), which is not useful. Option B (0027) is wrong because it removes write permission from the group (g-w), making new files not group-writable, which contradicts the requirement. Option D (0022) is wrong because it removes write permission from the group (g-w) as well, leaving files with owner write only, not group-writable.

268
MCQ · hard

Your organization uses Ansible for configuration management across 500 servers. The management server is a Linux workstation. You have written a playbook to deploy a new monitoring agent. The playbook works on all test machines but fails on production machines at the 'Gather Facts' stage with the error: 'fatal: [server1]: FAILED! => {"msg": "Timed out waiting for privilege escalation prompt: become method 'sudo' requires a password" }'. All production servers have the same sudoers configuration. You have confirmed that the user 'ansible' has passwordless sudo configured correctly. What is the most likely cause?

A. The production servers have a different SSH key
B. The SSH timeout is too low
C. The ansible_become_password is not set in the inventory
D. The become_user is set incorrectly
Answer: C

Without ansible_become_password, Ansible waits for a password prompt; setting it to empty acknowledges passwordless sudo.

Why this answer

The error indicates that Ansible's privilege escalation (sudo) is prompting for a password, even though the 'ansible' user has passwordless sudo configured. This typically occurs when the 'ansible_become_password' variable is not set or is empty in the inventory, causing Ansible to wait for a password prompt that never comes. Since the playbook works on test machines, the difference is likely that the inventory for production lacks the required 'ansible_become_password' or 'ansible_become' settings, or the variable is not being passed correctly.

Exam trap

The trap here is that candidates assume passwordless sudo means no 'become_password' is needed, but Ansible still requires the variable to be explicitly set (even to an empty string) or the 'become' method to be configured correctly to avoid waiting for a prompt.

How to eliminate wrong answers

Option A is wrong because a different SSH key would cause an authentication failure at the SSH connection stage, not a privilege escalation timeout after successful login. Option B is wrong because an SSH timeout would produce a 'Connection timed out' error, not a 'Timed out waiting for privilege escalation prompt' error. Option D is wrong because setting 'become_user' incorrectly would typically result in a 'user does not exist' or 'permission denied' error, not a timeout waiting for a sudo password prompt.

269
Multi-Select · easy

Which TWO characteristics apply to Docker containers compared to virtual machines? (Choose two.)

Select 2 answers
A. Containers share the host kernel
B. Containers have faster startup times
C. Containers provide stronger isolation
D. Containers include a full guest operating system
E. Containers require a hypervisor
Answers: A, B

Containers share the host kernel, making them more efficient.

Why this answer

Docker containers share the host kernel, unlike virtual machines which each run their own kernel. This is because containers are implemented as isolated user-space instances (using namespaces and cgroups) that all run on top of the same host OS kernel. This shared kernel architecture eliminates the need for a separate guest OS per container, making containers lightweight and fast to start.

Exam trap

CompTIA often tests the misconception that containers provide stronger isolation than VMs, but the correct understanding is that VMs offer hardware-level isolation via a hypervisor, while containers share the host kernel and thus have weaker isolation boundaries.

270
MCQ · medium

A web server is running on the system but clients cannot connect to port 8080. Based on the exhibit, which command should the administrator run to allow traffic on port 8080?

A. firewall-cmd --add-rich-rule='rule port port=8080 protocol=tcp accept' --permanent
B. firewall-cmd --add-port=8080/tcp --permanent
C. firewall-cmd --add-port=8080/udp --permanent
D. firewall-cmd --add-service=http --permanent
Answer: B

This command adds TCP port 8080 permanently to the firewall rules, which is required for HTTPS on a non-standard port.

Why this answer

The correct command is `firewall-cmd --add-port=8080/tcp --permanent` because it opens TCP port 8080 in firewalld, which is the default firewall management tool on RHEL/CentOS 8/9. Since the web server is running but clients cannot connect, the firewall is likely blocking inbound traffic on that port. The `--add-port` option with the `tcp` protocol explicitly allows TCP connections, and `--permanent` makes the rule persist across reboots.

Exam trap

The trap here is that candidates confuse `--add-port` with `--add-service` or use the wrong protocol (UDP instead of TCP), or incorrectly format a rich rule, because the exam tests precise syntax and the distinction between service-based and port-based rules in firewalld.

How to eliminate wrong answers

Option A is wrong because `--add-rich-rule` syntax is incorrect; the correct rich rule syntax is `rule family=ipv4 port port=8080 protocol=tcp accept` (missing `family=ipv4` and using `port` instead of `port port`). Option C is wrong because it opens UDP port 8080, but HTTP/HTTPS traffic uses TCP, not UDP, so this would not allow web clients to connect. Option D is wrong because `--add-service=http` opens port 80 (the default HTTP port), not port 8080, which is a non-standard port often used for development or proxy servers.

271
MCQeasy

A systems administrator writes a Bash script named 'backup.sh' and wants it to run with the Bash shell. Which line should appear first in the script?

A.# This is a bash script
B.#!/bin/bash
C.#/bin/bash
D.#!/bin/sh
AnswerB

Correct shebang for Bash.

Why this answer

The shebang line `#!/bin/bash` is required as the first line to instruct the operating system to execute the script using the Bash shell interpreter located at `/bin/bash`. Without this line, the script may be run by a different shell (e.g., `/bin/sh`), leading to syntax or behavior differences. The shebang must start with `#!` followed by the absolute path to the interpreter.

Exam trap

CompTIA often tests the distinction between a shebang (`#!`) and a comment (`#`), and the trap here is that candidates may confuse `#!/bin/sh` as equivalent to `#!/bin/bash` or forget the exclamation mark entirely, leading them to choose option C or D.

How to eliminate wrong answers

Option A is wrong because `# This is a bash script` is a comment, not a shebang; the kernel ignores it and may fall back to the default shell, which is not guaranteed to be Bash. Option C is wrong because `#/bin/bash` lacks the exclamation mark (`!`), so it is treated as a regular comment and does not invoke the Bash interpreter. Option D is wrong because `#!/bin/sh` points to the POSIX shell, which may be Dash or another shell on many Linux distributions, not Bash; Bash-specific features (e.g., `[[ ]]`, arrays) would fail.

272
MCQeasy

A technician has just performed system maintenance and wants to verify that the server has been running continuously for the past 30 days. Which command should the technician use?

A.uptime
B.systemctl status rsyslog
C.ps aux
D.date
AnswerA

Displays the system uptime and load averages.

Why this answer

Option A is correct because 'uptime' shows the current time, how long the system has been running, number of users, and load averages. Option B shows system logging service status; C shows process statistics; D shows system date.

273
MCQmedium

A Linux administrator is troubleshooting login issues. Users can log in using SSH but not through the local console or graphical display manager. The /etc/pam.d/system-auth file was recently modified. Which PAM module is likely misconfigured?

A.pam_limits.so
B.pam_securetty.so
C.pam_deny.so
D.pam_unix.so
AnswerB

Controls which TTYs root may log in; if misconfigured, console login can be blocked.

Why this answer

The pam_securetty.so module restricts root login to terminals listed in /etc/securetty. If this file was misconfigured or the module is incorrectly set to 'required' for all users, local console and graphical display manager logins (which use virtual terminals like tty1) would be denied, while SSH (which uses pseudo-terminals like pts/0) would still succeed because pam_securetty.so typically does not apply to SSH sessions.

Exam trap

The trap here is that candidates confuse pam_securetty.so with pam_access.so or assume SSH is also blocked, but pam_securetty.so specifically targets local TTYs and does not affect SSH pseudo-terminals by default.

How to eliminate wrong answers

Option A is wrong because pam_limits.so enforces resource limits (e.g., ulimit) and does not control terminal-based login access; misconfiguring it would cause resource denial, not login failure at the console. Option C is wrong because pam_deny.so is a simple module that always returns failure; if it were misconfigured, it would block all authentication methods (including SSH), not selectively allow SSH. Option D is wrong because pam_unix.so handles traditional Unix password authentication and account management; a misconfiguration there would affect all login methods equally, not just local console and graphical display manager.

274
MCQmedium

An administrator needs to create a shell script that will be executed by a non-login shell. The script requires access to environment variables set in the user's profile. Which file should the script source to ensure these variables are available?

A.~/.bashrc
B./etc/profile
C.~/.profile
D.~/.bash_profile
AnswerA

Correct. The .bashrc file is executed for non-login interactive shells and often contains environment variables.

Why this answer

Option A is correct because ~/.bashrc is the file sourced by non-login interactive shells in Bash. When a script is executed by a non-login shell, it does not read ~/.bash_profile or ~/.profile; instead, it reads ~/.bashrc. By sourcing ~/.bashrc within the script, the administrator ensures that environment variables defined there (e.g., PATH, custom aliases) are available to the script.

Exam trap

The trap here is that candidates often confuse ~/.bash_profile and ~/.bashrc, assuming that any user-specific profile file is sourced by all shells, but the key distinction is that non-login shells only source ~/.bashrc, not the login-specific profile files.

How to eliminate wrong answers

Option B is wrong because /etc/profile is a system-wide profile file sourced only by login shells, not by non-login shells. Option C is wrong because ~/.profile is a login shell initialization file (used by Bourne-compatible shells) and is not read by non-login shells. Option D is wrong because ~/.bash_profile is also a login shell initialization file for Bash; non-login shells do not source it.

275
MCQhard

Refer to the exhibit. Alice is the owner of file.txt. Bob is a member of the staff group. What permissions does Bob have on file.txt?

A.Read only
B.Read and write
C.No access
D.Write only
AnswerA

The ACL entry 'user:bob:r--' gives read permission.

Why this answer

Bob is a member of the staff group, and the file.txt permissions are shown as -rw-r-----. The group permissions are r--, meaning members of the staff group (including Bob) have read-only access. The owner (Alice) has read and write, but group permissions do not include write, so Bob cannot modify the file.

Exam trap

CompTIA often tests the misconception that being a member of a group automatically grants the same permissions as the owner, but the trap here is that group permissions are independent and must be examined separately from owner permissions.

How to eliminate wrong answers

Option B is wrong because the group permissions are r--, not rw-, so Bob does not have write access. Option C is wrong because Bob has read access via the group permissions, so he does have access. Option D is wrong because the group permissions include read (r) but not write (w), so Bob cannot write only; he can read only.

276
MCQhard

Which command will show the environment variables for a specific process?

A.cat /proc/$PID/environ
B.set
C.printenv
D.env
AnswerA

Reading /proc/<pid>/environ displays the environment variables of that specific process.

Why this answer

The `/proc/[PID]/environ` file contains the environment variables that were set when the process was started. Reading this file with `cat` displays the exact environment of a specific process, which is not possible with shell built-ins or user-level commands that only show the current shell's environment.

Exam trap

CompTIA often tests the distinction between commands that show the current shell's environment (`set`, `printenv`, `env`) versus the `/proc` filesystem method that targets a specific process, leading candidates to pick a shell command instead of the process-specific file.

How to eliminate wrong answers

Option B is wrong because `set` displays all shell variables (including environment and local variables) for the current shell session, not for a specific process. Option C is wrong because `printenv` prints the environment variables of the current shell, not of an arbitrary process. Option D is wrong because `env` lists or modifies the environment of the current shell, and cannot target a specific process by PID.

277
Multi-Selecthard

A Linux server is not accepting SSH connections. The administrator wants to troubleshoot the issue. Which THREE actions should be taken?

Select 3 answers
A.Reboot the server
B.Check /etc/ssh/sshd_config for configuration errors
C.Check if sshd service is running (systemctl status sshd)
D.Reinstall the SSH package (apt reinstall openssh-server)
E.Check firewall rules (iptables -L or ufw status)
AnswersB, C, E

Correct: Misconfiguration can prevent connections.

Why this answer

B is correct because /etc/ssh/sshd_config is the primary configuration file for the OpenSSH server. Syntax errors, incorrect directives (e.g., PermitRootLogin no, Port 22 commented out), or misconfigured authentication settings can prevent SSH from accepting connections. Checking this file is a fundamental step in troubleshooting SSH issues.

Exam trap

CompTIA often tests the misconception that reinstalling a package or rebooting is a valid first troubleshooting step, when in reality, checking configuration files, service status, and firewall rules are the precise, targeted actions required.

278
MCQmedium

An administrator runs 'systemctl list-units' and sees that httpd.service is in a failed state. To quickly see the error message that caused the failure, which command should be used?

A.systemctl show httpd.service -p ExecMainStatus
B.journalctl -p err -u httpd.service
C.systemctl status httpd.service
D.systemd-analyze blame
AnswerC

systemctl status shows the unit status along with the last few log entries that led to the failure.

Why this answer

Option C is correct. systemctl status displays the unit's state and recent journal entries showing the error. Option B filters errors but may not show the immediate failure cause as concisely. Option A shows properties. Option D analyzes boot time.

279
MCQmedium

A script uses 'set -e' and then calls a function that returns a non-zero exit status. The script exits unexpectedly. Which of the following should be added to the function to prevent the script from exiting?

A.return 0 after the command
B.set +e inside the function
C.exit 0
D.trap '' ERR
AnswerB

Disables exit-on-error for the function, allowing non-zero exit codes without terminating.

Why this answer

The `set -e` directive causes the shell to exit immediately if any command returns a non-zero exit status. When a function called from such a script returns a non-zero status, the script exits. Adding `set +e` inside the function disables this behavior for the function's scope, allowing the function to handle errors internally without terminating the entire script.

Exam trap

The trap here is that candidates often think `return 0` or `exit 0` will override the non-zero exit status, but they fail to realize that `set -e` causes the script to exit immediately when the command fails, before any subsequent `return` or `exit` statement is executed.

How to eliminate wrong answers

Option A is wrong because `return 0` after the command would only succeed if the command itself does not cause an exit before the return statement; if the command fails and `set -e` is active, the script exits before reaching the `return 0`. Option C is wrong because `exit 0` would immediately terminate the script with a success code, which defeats the purpose of preventing an unexpected exit and does not allow the function to continue or return control to the caller. Option D is wrong because `trap '' ERR` prevents the ERR trap from running but does not disable the `set -e` behavior; the script will still exit on a non-zero exit status from any command.

280
Multi-Selecthard

An administrator is hardening a Linux server. Which three of the following actions reduce the attack surface? (Select THREE).

Select 3 answers
A.Setting default umask to 022
B.Disabling unnecessary services
C.Enabling USB mass storage kernel module
D.Using a host-based firewall
E.Enforcing strong password policies
AnswersB, D, E

Reduces potential entry points for attackers.

Why this answer

Disabling unnecessary services reduces the attack surface by eliminating potential entry points for attackers. Each running service exposes network ports, system resources, and code paths that could contain vulnerabilities. By stopping and masking services not required for the server's role (e.g., using systemctl disable and mask), the administrator minimizes the number of exploitable components.

Exam trap

CompTIA often tests the misconception that setting a restrictive umask or enabling USB storage is a hardening action, when in fact umask 022 is the default and permissive, and enabling USB storage expands the attack surface rather than reducing it.

281
MCQmedium

A database server is experiencing slow queries. The administrator wants to analyze system memory usage. Which command shows memory usage in megabytes and includes information about buffers and cache?

A.free -m
B.top -b
C.cat /proc/meminfo
D.vmstat
AnswerA

Correct: Displays memory in MB with buffers/cache.

Why this answer

The 'free -m' command displays system memory usage in megabytes, explicitly showing separate columns for buffers and cache, which are critical for diagnosing slow queries caused by memory pressure. This makes it the correct choice for the administrator's need to analyze memory usage with buffer/cache details in MB.

Exam trap

CompTIA often tests the distinction between commands that show memory in raw kernel units (like /proc/meminfo in kB) versus those that offer user-friendly output with specific columns (like free -m), leading candidates to choose /proc/meminfo for its detail while missing the explicit requirement for megabytes and buffer/cache breakdown.

How to eliminate wrong answers

Option B is wrong because 'top -b' runs top in batch mode, which shows real-time process-level memory and CPU usage but does not display memory in megabytes by default and lacks the dedicated buffers/cache breakdown that 'free -m' provides. Option C is wrong because 'cat /proc/meminfo' outputs raw memory statistics in kilobytes, not megabytes, and requires manual calculation to convert to MB, making it less convenient for the specified requirement. Option D is wrong because 'vmstat' reports virtual memory statistics including swap, I/O, and system events, but it does not show memory usage in megabytes and does not include explicit buffers and cache columns in its default output.

282
MCQhard

A Kubernetes pod has a container that fails with CrashLoopBackOff. The administrator runs 'kubectl logs pod-name' but sees no output. What is the most likely cause?

A.The container exited before writing to stdout, and logs need to be retrieved with 'kubectl logs --previous'.
B.The container has no logging driver configured.
C.The log file is rotated and deleted.
D.The pod is not scheduled on any node.
AnswerA

Correct: use --previous to see previous container logs.

Why this answer

When a container enters CrashLoopBackOff, it restarts repeatedly. If 'kubectl logs pod-name' shows no output, it means the current (restarted) container has not written anything to stdout yet. The previous instance of the container may have written logs before crashing, and those logs are accessible using 'kubectl logs --previous' to retrieve the output from the terminated container.

Exam trap

The trap here is that candidates assume 'no output' means logs are missing or misconfigured, when in fact the current container simply hasn't written anything yet, and the previous container's logs are still available via --previous.

How to eliminate wrong answers

Option B is wrong because Kubernetes does not require a separate logging driver configuration; it captures container stdout/stderr by default via the container runtime interface (CRI). Option C is wrong because log rotation and deletion would not cause an empty log output on a freshly restarted container; the current container simply hasn't produced logs yet. Option D is wrong because if the pod were not scheduled on any node, 'kubectl logs' would return an error like 'Error from server: pod is not scheduled', not an empty output.

283
MCQhard

A Docker container using port 8080 fails to start with the error 'port is already allocated'. Which command should the administrator use to identify the process using that port?

A.ss -tan
B.ss -tln
C.ss -tlnp
D.ss -r
AnswerC

Shows listening TCP ports with PID.

Why this answer

Option C is correct because the `ss -tlnp` command lists TCP listening sockets (`-l`) with numeric addresses (`-n`) and shows the process identifier (PID) and process name (`-p`) that owns each socket. This directly identifies which process has bound port 8080, allowing the administrator to resolve the 'port is already allocated' error.

Exam trap

The trap here is that candidates may choose `ss -tln` (option B) because it shows listening ports, but they forget the `-p` flag is required to identify the process, leading to incomplete troubleshooting.

How to eliminate wrong answers

Option A is wrong because `ss -tan` lists all TCP sockets (including non-listening ones) without showing process ownership, so it cannot identify the process using port 8080. Option B is wrong because `ss -tln` lists TCP listening sockets but omits the `-p` flag, so it does not display the PID or process name, leaving the process unidentified. Option D is wrong because `ss -r` attempts to resolve hostnames and is not a valid flag combination for socket statistics; it does not list sockets or processes.

284
MCQhard

Refer to the exhibit. A system administrator checks the status of the SSH service and sees the output shown. What is the most likely cause of the failure?

A.The SSH service is disabled and needs to be enabled.
B.The SSH service is masked and cannot start.
C.The SSH configuration file has a syntax error.
D.Another process is already listening on port 22.
AnswerD

The error 'Address already in use' indicates port 22 is occupied.

285
MCQhard

An administrator needs to determine why a service failed to start due to an unresponsive network filesystem. Which systemd unit dependency directive should be added to ensure the service starts only after the remote filesystem is mounted?

A.Wants
B.After
C.BindsTo
D.Requires
AnswerD

Requires creates a strong dependency; the mount must be active for the service to start.

Why this answer

The correct directive is 'Requires' to create a strong dependency on the mount unit. 'After' only orders units, 'Wants' is a weaker dependency, and 'BindsTo' binds the service lifecycle. For a required mount, 'Requires' ensures the mount is active when the service starts.

286
MCQeasy

A junior administrator needs to check the disk usage of the /var filesystem to ensure it does not exceed 80% capacity. Which command should be used?

A.df -h /var
B.fdisk -l /var
C.du -sh /var
D.lsblk /var
AnswerA

df -h shows filesystem disk space usage in human-readable format.

Why this answer

df -h shows disk usage in human-readable format. du shows file/directory usage, fdisk displays partition table, lsblk lists block devices. Only df shows filesystem usage.

287
Multi-Selecthard

A developer is writing a shell script that needs to handle errors. Which THREE of the following are best practices for robust script error handling?

Select 3 answers
A.Ignore errors to simplify the script
B.Check the exit code of commands using $?
C.Use set +e to allow the script to continue on error
D.Use set -e to exit on any command failure
E.Use trap to catch signals and clean up
AnswersB, D, E

Allows conditional handling.

Why this answer

Option B is correct because checking the exit code of commands using `$?` allows the script to conditionally handle failures based on the specific return value of each command. This is a fundamental error-handling technique in shell scripting, as every command returns an exit code (0 for success, non-zero for failure), and inspecting `$?` immediately after a command lets the developer decide how to respond to that specific error.

Exam trap

CompTIA often tests the distinction between `set -e` and `set +e` and the proper use of `$?` versus relying solely on `set -e`, where candidates may incorrectly think that `set +e` is a best practice for error handling when it actually disables automatic exit on error.

288
Multi-Selectmedium

A user is unable to resolve hostnames on a Linux system. Which three configuration files should be checked? (Select THREE).

Select 3 answers
A./etc/hosts
B./etc/nsswitch.conf
C./etc/resolv.conf
D./etc/hostname
E./etc/sysconfig/network
AnswersA, B, C

Static mapping of hostnames to IP addresses.

Why this answer

The /etc/hosts file is a static table mapping hostnames to IP addresses, used for local name resolution before or instead of DNS queries. If a user cannot resolve hostnames, this file may be misconfigured or missing entries for the target hostnames, causing resolution failures.

Exam trap

CompTIA often tests the misconception that /etc/hostname or /etc/sysconfig/network are involved in hostname resolution, when in fact they only affect the local system's identity, not the resolution of external hostnames.

289
MCQhard

A storage administrator needs to automate the expansion of an LVM volume group when free space drops below 10%. The script must add a new physical volume from a spare disk. Which of the following commands should be used in the script to add the new disk to the volume group?

A.pvcreate /dev/sdb1 && vgextend vg01 /dev/sdb1
B.vgcreate vg01 /dev/sdb
C.vgextend vg01 /dev/sdb1
D.lvresize -L +100G vg01
AnswerA

Initializes the partition as a PV and adds it to the VG.

Why this answer

Option A is correct because it first uses `pvcreate` to initialize the spare disk partition `/dev/sdb1` as a physical volume, which is a prerequisite for adding it to an LVM volume group. Then `vgextend vg01 /dev/sdb1` adds that initialized physical volume to the existing volume group `vg01`, expanding its total capacity. This two-step process ensures the disk is properly prepared for LVM management before being incorporated into the volume group.

Exam trap

The trap here is that candidates often think `vgextend` alone is sufficient, forgetting that LVM requires the device to be initialized as a physical volume with `pvcreate` before it can be added to a volume group.

How to eliminate wrong answers

Option B is wrong because `vgcreate` creates a new volume group, but the requirement is to add a disk to an existing volume group, not create a new one. Option C is wrong because `vgextend` alone will fail if `/dev/sdb1` has not been initialized as a physical volume with `pvcreate` first; LVM requires the device to be marked as a PV before it can be added to a VG. Option D is wrong because `lvresize` resizes a logical volume, not a volume group, and the task is to expand the volume group by adding a new physical volume, not to resize a logical volume.

290
Matchingmedium

Match each Linux boot component to its role.

Concepts
Matches

Bootloader

Initial RAM disk

Init system and service manager

Compressed Linux kernel

Tool to create initramfs

Why these pairings

These components are involved in the Linux boot process.

291
MCQeasy

A user cannot access a directory '/data/projects' even though they are in the 'projects' group. The directory permissions are 'drwxr-x---' and the group owner is 'projects'. Which command should the administrator run to grant the group write permission?

A.chmod g+w /data/projects
B.chmod o+w /data/projects
C.chmod u+w /data/projects
D.chown :projects /data/projects
AnswerA

Adds write permission for the group.

Why this answer

The directory '/data/projects' has permissions 'drwxr-x---', meaning the group owner 'projects' currently has read and execute (r-x) but not write (w) access. Since the user is a member of the 'projects' group, the administrator needs to add write permission for the group using 'chmod g+w /data/projects'. This directly modifies the group permission bits to grant write access without affecting other permissions.

Exam trap

CompTIA often tests the distinction between changing ownership (chown) and changing permissions (chmod), and candidates mistakenly think that setting the group owner again will grant write access, when in fact only chmod modifies the permission bits.

How to eliminate wrong answers

Option B is wrong because 'chmod o+w' adds write permission for 'others' (users not the owner and not in the group), which is unnecessary and would over-permit the directory, violating the principle of least privilege. Option C is wrong because 'chmod u+w' adds write permission for the user owner, not the group; the user owner is typically 'root' or another user, not the 'projects' group. Option D is wrong because 'chown :projects /data/projects' changes the group owner to 'projects', but the group already owns the directory, so this command does nothing to change permissions; it does not grant write access.

292
Multi-Selectmedium

A Linux administrator is troubleshooting a server that has become unresponsive. The administrator connects via IPMI and runs 'top' but the process list does not show any obvious CPU or memory hog. Which TWO commands could be used to identify I/O wait issues or disk bottlenecks? (Choose TWO.)

Select 2 answers
A.iostat -x 1
B.iotop -o
C.vmstat 1
D.sar -b 1
E.dstat --disk-util
AnswersA, B

iostat -x shows extended I/O statistics per device.

Why this answer

`iostat -x 1` provides extended disk I/O statistics, including `%util` (percentage of time the device was busy servicing requests) and `await` (average time for I/O operations). These metrics directly indicate disk bottlenecks and I/O wait issues. `iotop -o` displays only processes that are currently performing I/O operations, allowing the administrator to identify which specific processes are causing disk contention.

Exam trap

The trap here is that candidates often choose `vmstat 1` because it shows the `wa` column, but they overlook that it does not provide per-disk or per-process granularity needed to identify the specific source of I/O wait.

293
MCQhard

A sysadmin needs to set a default gateway for a network interface. Which command(s) accomplish this?

A.netstat -rn
B.route add default gw 192.168.1.1
C.ip route add default via 192.168.1.1
D.Both A and B
AnswerD

Both route and ip can be used to add a default gateway.

Why this answer

Option D is correct because both `route add default gw 192.168.1.1` (option B) and `ip route add default via 192.168.1.1` (option C) can set a default gateway on Linux. The `route` command is legacy but still functional, while `ip route` is the modern net-tools replacement. Option A (`netstat -rn`) only displays the routing table and does not add a gateway, so it alone cannot accomplish the task.

Exam trap

The trap here is that candidates may think only the modern `ip route` command works, forgetting that the legacy `route` command is still accepted on many Linux distributions, or they may mistakenly believe `netstat -rn` can set a route because it displays routing information.

How to eliminate wrong answers

Option A is wrong because `netstat -rn` is a read-only command that displays the kernel routing table; it does not modify or set a default gateway. Option B is wrong because `route add default gw 192.168.1.1` is a valid legacy command that does set a default gateway, so it is not incorrect. Option C is wrong because `ip route add default via 192.168.1.1` is also a valid modern command that sets a default gateway, so it is not incorrect.

The question asks which command(s) accomplish the task, and both B and C work, making D the correct answer.

294
Multi-Selectmedium

Which THREE methods are valid for setting the default systemd target (runlevel) to multi-user mode? (Choose three.)

Select 3 answers
A.Run telinit 3
B.systemctl set-default multi-user.target
C.Create a symlink /etc/systemd/system/default.target -> /lib/systemd/system/multi-user.target
D.Edit /etc/inittab
E.Modify /etc/systemd/system/default.target
AnswersB, C, E

This is the standard command to set default target.

Why this answer

Valid methods: using systemctl set-default, modifying the /etc/systemd/system/default.target symlink, or creating a symlink pointing to multi-user.target. Editing /etc/inittab is for SysV init, not systemd. telinit changes runlevel temporarily but does not set default.

295
MCQhard

After a kernel update, loading a proprietary kernel module fails with 'Invalid module format'. The module was built from source against the previous kernel. What is the most likely cause?

A.Module is not signed while Secure Boot is enabled
B.Module file permissions are incorrect
C.SELinux is blocking the module load
D.Module was not rebuilt for the new kernel version
AnswerD

Kernel modules are tied to a specific kernel version; they must be recompiled after a kernel update.

Why this answer

The 'Invalid module format' error occurs when a kernel module's version magic string does not match the running kernel's version. Since the module was built against the previous kernel, it contains version information for that older kernel, and the new kernel rejects it as incompatible. Rebuilding the module against the new kernel's headers resolves this mismatch.

Exam trap

The trap here is that candidates confuse the 'Invalid module format' error with Secure Boot signing issues, but Secure Boot produces a different error message related to key verification, not format mismatch.

How to eliminate wrong answers

Option A is wrong because Secure Boot with unsigned modules typically produces a 'Required key not available' or 'Module verification failed' error, not 'Invalid module format'. Option B is wrong because incorrect file permissions would cause a 'Permission denied' error when trying to insmod, not a format error. Option C is wrong because SELinux denials generate AVC denial messages in the audit log and would prevent loading due to policy restrictions, not an 'Invalid module format' error.

296
MCQmedium

A Linux administrator notices that the system’s disk I/O performance has degraded significantly. Running 'iostat -x 1' shows high %util values on /dev/sda, but low await. Which of the following is the most likely issue?

A.The filesystem is nearly full.
B.The disk cable is loose or faulty.
C.There are many concurrent I/O requests (high queue depth).
D.The disk is failing and needs replacement.
AnswerC

Parallel I/O keeps the device busy (%util high) but each request is serviced quickly (low await).

Why this answer

High %util with low await indicates that the device is busy processing many concurrent I/O requests, but each request completes quickly. This is characteristic of a high queue depth where the disk is saturated with parallel requests, not that individual requests are slow. The low await confirms that the disk itself is responding fast, so the bottleneck is the volume of simultaneous I/O, not latency per request.

Exam trap

CompTIA often tests the misconception that high %util always means slow I/O, but the trap here is that %util measures busy time, not latency; candidates overlook the low await and incorrectly assume hardware failure or cable issues.

How to eliminate wrong answers

Option A is wrong because a nearly full filesystem affects metadata operations and may cause fragmentation, but it does not directly cause high %util with low await; it would more likely increase await due to slower allocation. Option B is wrong because a loose or faulty disk cable typically causes intermittent errors, timeouts, or complete disconnection, which would manifest as high await and possibly errors in iostat, not high %util with low await. Option D is wrong because a failing disk usually produces high await, increased error counts, and reallocated sectors, not a scenario where requests complete quickly (low await) while the device is busy.

297
MCQhard

A security policy requires that user passwords must expire after 90 days. The output in the exhibit shows the current configuration for the root user. Which command should the administrator run to enforce the policy for root?

A.sudo passwd -x 90 root
B.sudo chage -M 90 root
C.sudo chage -E 90 root
D.sudo usermod -e 90 root
AnswerB

Sets the maximum number of days a password remains valid.

Why this answer

The `chage -M 90 root` command sets the maximum number of days a password is valid for the root user to 90 days, which directly enforces the password expiration policy. The `-M` option modifies the `max_days` field in `/etc/shadow`, causing the password to expire after the specified period. This is the correct method to apply aging rules to the root account.

Exam trap

The trap here is that candidates confuse the `chage -M` (maximum password age) with `chage -E` (account expiration) or `usermod -e` (account expiration), leading them to select options that set account expiry instead of password expiry, which does not enforce the 90-day password change requirement.

How to eliminate wrong answers

Option A is wrong because, although the `passwd` command does use `-x` to set the maximum password days (e.g., `passwd -x 90 root`), the question asks for the command to enforce the policy, and `chage` is the standard tool for password aging policies. Option C is wrong because `chage -E 90 root` sets the account expiration date (interpreted as days since epoch or a date string), not the password maximum age; `-E` controls account expiry, not password expiry. Option D is wrong because `usermod -e 90 root` sets the account expiration date (in YYYY-MM-DD format or days since epoch), not the password maximum age; `-e` is for account expiry, `-f` and `-L` are unrelated, and password aging is managed via `chage` or `passwd`.

298
MCQmedium

A user on a workstation with IP 192.168.1.100 reports being unable to SSH to the server with IP 10.0.0.5. Based on the exhibit, what is the most likely cause?

A.The default INPUT policy is DROP and there is no SSH rule.
B.The SSH rule appears after a LOG rule, causing it to be unreachable.
C.The SSH rule only accepts connections from the 10.0.0.0/8 subnet.
D.The SSH port is not allowed in any rule.
AnswerC

The fifth line shows SSH accepted only from source 10.0.0.0/8; the user's IP is not in that range.

Why this answer

The exhibit shows an iptables ruleset where the SSH rule (port 22) explicitly matches the source address 10.0.0.0/8. The workstation has IP 192.168.1.100, which does not fall within the 10.0.0.0/8 range, so the SSH rule will not match. Since no other rule allows SSH, the packet will be evaluated against the default INPUT policy, which is ACCEPT (not shown as DROP), but the SSH rule itself restricts the source, making it unreachable for this client.

Exam trap

The trap here is that candidates assume any rule with 'ACCEPT' for SSH is sufficient, overlooking the source address restriction, and they may also mistakenly think a LOG rule blocks subsequent rules, when in fact LOG is non-terminating.

How to eliminate wrong answers

Option A is wrong because the default INPUT policy is ACCEPT (as indicated by the policy ACCEPT line in the exhibit), not DROP, so packets not matching any rule would be accepted by default. Option B is wrong because iptables processes rules sequentially; a LOG rule does not terminate the chain (it is a non-terminating target), so subsequent rules, including the SSH rule, are still reachable. Option D is wrong because the SSH port (22) is explicitly allowed in the rule that matches source 10.0.0.0/8; the issue is the source restriction, not the port being absent.

299
Multi-Selecteasy

An administrator is troubleshooting a server that is experiencing intermittent high load. The administrator wants to identify processes that are using excessive CPU. Which two of the following commands can provide real-time CPU usage per process? (Choose two.)

Select 2 answers
A.htop
B.top
C.iostat
D.ps -aux
E.vmstat
AnswersA, B

htop also provides real-time process monitoring.

Why this answer

top and htop provide real-time, dynamic views of process CPU usage. ps provides a static snapshot, iostat monitors I/O, and vmstat shows system-wide statistics.

300
MCQhard

A Linux administrator needs to ensure that only the root user can run commands in the /usr/local/bin/scripts directory. Which command should be used to set the appropriate permissions?

A.chmod 750 /usr/local/bin/scripts
B.chmod 700 /usr/local/bin/scripts
C.chmod 755 /usr/local/bin/scripts
D.chmod 770 /usr/local/bin/scripts
AnswerB

Owner (root) gets rwx; group and others have no access.

Why this answer

The requirement is that only the root user can run commands in the directory. Permission 700 (owner: rwx, group: ---, others: ---) grants full access exclusively to the owner (root), while denying all access to the group and others. This matches the requirement precisely.

Exam trap

The trap here is that candidates often choose 755 or 750 as 'standard' permissions for directories, forgetting that the requirement explicitly restricts access to only root, not to any group or other users.

How to eliminate wrong answers

Option A (750) is wrong because it grants read and execute permissions to the group, allowing group members (other than root) to list and run scripts, which violates the 'only root' requirement. Option C (755) is wrong because it grants read and execute to both group and others, allowing any user on the system to list and execute scripts. Option D (770) is wrong because it grants full read, write, and execute to the group, allowing group members to modify and run scripts, which again violates the restriction to root only.
