CompTIA Linux+ (XK0-005) — Questions 301-375

510 questions total · 7 pages · All types, answers revealed

Page 5 of 7

301
MCQ · hard

During peak hours, a web server experiences timeouts. The kernel log shows 'possible SYN flooding'. Which kernel parameter should be increased to mitigate this?

A.net.ipv4.tcp_syncookies
B.net.core.somaxconn
C.net.ipv4.tcp_max_syn_backlog
D.net.core.rmem_default
Answer: C

Raising it lets the kernel hold more half-open (SYN_RECV) connections before it starts dropping new SYNs.

Why this answer

The kernel logs 'possible SYN flooding on port N' when the queue of half-open (SYN_RECV) connections for a listening socket overflows, so further SYNs are dropped (or answered with SYN cookies if those are enabled). Raising `net.ipv4.tcp_max_syn_backlog` increases how many SYN requests the kernel will queue before it treats the socket as flooded, which is the direct mitigation the question asks for. In practice the half-open queue is also bounded by the socket's listen() backlog, which `net.core.somaxconn` caps, so the two are usually raised together; the exam wants the parameter named for the SYN backlog.

Exam trap

The trap here is confusing the SYN backlog queue (`tcp_max_syn_backlog`) with the completed connection backlog (`somaxconn`), leading candidates to choose `net.core.somaxconn` even though it only affects fully established connections, not the SYN flood protection mechanism.

How to eliminate wrong answers

Option A is wrong because `net.ipv4.tcp_syncookies` does not enlarge the queue: once the backlog is full, the kernel answers further SYNs with a cookie-encoded sequence number instead of queueing them, so it is a fallback that keeps accepting connections (with reduced TCP options for those flows) rather than the capacity increase the question asks for; it should normally stay enabled. Option B is wrong because `net.core.somaxconn` caps the accept queue of fully established connections waiting for accept(), not the half-open queue. Option D is wrong because `net.core.rmem_default` sets the default receive buffer size for data transfer and has no effect on connection establishment.

302
MCQ · medium

A Linux server is running low on disk space in the /var partition. The administrator runs 'du -sh /var/log/*' and finds that /var/log/syslog is 10 GB. Which of the following is the BEST long-term solution to prevent recurrence?

A.Manually truncate the syslog file with '> /var/log/syslog'.
B.Delete the syslog file and restart the syslog service.
C.Configure logrotate to rotate and compress the syslog file daily.
D.Increase the log rotation frequency in /etc/logrotate.conf to monthly.
Answer: C

logrotate automates rotation, keeping log sizes manageable.

Why this answer

Option C is correct because logrotate is the standard Linux utility for managing log file growth. By configuring logrotate to rotate and compress /var/log/syslog daily, the system automatically archives old logs and prevents a single file from consuming excessive disk space, addressing the root cause without manual intervention.

Exam trap

The trap here is that candidates may confuse 'increasing rotation frequency' with 'reducing log size,' but increasing the interval (e.g., to monthly) actually worsens the problem, while daily rotation with compression is the correct long-term solution.

How to eliminate wrong answers

Option A is wrong because manually truncating the file with '> /var/log/syslog' only frees space temporarily; the syslog daemon will continue writing to the same file, and the problem will recur without any automated management. Option B is wrong because deleting the syslog file and restarting the service is disruptive, may cause loss of log data, and does not implement any automated rotation or retention policy. Option D is wrong because increasing the log rotation frequency to monthly would actually reduce rotation frequency, making the problem worse by allowing the syslog file to grow even larger between rotations.
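
As an added example (not from the page), a logrotate drop-in that implements option C, with an install function that can be exercised against a temporary directory. It assumes rsyslog writes /var/log/syslog and is told to reopen it with a HUP through its systemd unit, and that the log group is `adm`; adjust both for journald-only or syslog-ng hosts.

```shell
#!/bin/sh
# Added example: a logrotate policy for /var/log/syslog implementing option C.
# Assumptions not stated on the page: rsyslog writes the file and is told to
# reopen it with a HUP through its systemd unit; the log group is "adm".

syslog_logrotate_policy() {
    # 'delaycompress' leaves the newest rotated file uncompressed until the
    # next run, so nothing rsyslog still writes between rotation and the HUP
    # is lost; 'maxsize' forces an extra rotation when a burst of logging
    # outruns the daily schedule, which is the failure in the question.
    cat <<'EOF'
/var/log/syslog
{
        daily
        rotate 14
        maxsize 500M
        missingok
        notifempty
        compress
        delaycompress
        create 0640 root adm
        sharedscripts
        postrotate
                systemctl kill -s HUP rsyslog.service 2>/dev/null || true
        endscript
}
EOF
}

install_syslog_logrotate() {
    # $1: directory for the drop-in (default /etc/logrotate.d); pass a
    # temporary directory to exercise the function without touching the host.
    dir="${1:-/etc/logrotate.d}"
    syslog_logrotate_policy > "$dir/syslog"
    chmod 0644 "$dir/syslog"
    # Dry run: parse the policy and report what would happen, rotating nothing.
    if command -v logrotate >/dev/null 2>&1; then
        logrotate -d "$dir/syslog" 2>&1 | sed 's/^/logrotate: /'
    fi
}

logrotate_directive_set() {
    # $1 drop-in file, $2 directive: true when the directive is present.
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}
```

`create` plus a HUP is the right pattern for a daemon that can reopen its log; for one that cannot, `copytruncate` replaces both, at the cost of any lines written between the copy and the truncate. `logrotate -f /etc/logrotate.d/syslog` forces a rotation immediately, which is how to reclaim the 10 GB today rather than waiting for the first daily run.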

303
MCQ · easy

A Linux administrator writes a script that uses bash-specific features like arrays and process substitution. Which shebang should be used?

A.#!/bin/bash
B.#!/bin/sh
C.#!/usr/bin/python3
D.#!/bin/ksh
Answer: A

Bash supports advanced features like arrays and process substitution.

Why this answer

The correct shebang is #!/bin/bash because the script uses bash-specific features such as arrays and process substitution. The shebang line tells the system to execute the script with the specified interpreter; /bin/bash is the Bourne Again SHell, which supports these features, while /bin/sh may be a POSIX shell that lacks them.

Exam trap

The trap here is that candidates often assume /bin/sh is always bash or that any shell can run bash-specific syntax, but on many Linux distributions /bin/sh is a different shell (e.g., dash) that lacks these extensions.

How to eliminate wrong answers

Option B is wrong because /bin/sh is often a POSIX shell such as dash (Debian, Ubuntu) that lacks arrays and process substitution, so the script fails with a syntax error. Option C is wrong because /usr/bin/python3 is the Python interpreter and cannot run shell syntax. Option D is wrong because ksh is the Korn shell; ksh93 has arrays and process substitution of its own, but its syntax differs from bash in places (no `local`, different associative-array and `[[ ]]` details), so a script written and tested against bash must declare bash.

304
MCQ · hard

An administrator notices that new SSH sessions fail for all users. Which line in the exhibit is most likely causing the failure?

A.account required pam_nologin.so
B.session include password-auth
C.auth required pam_sepermit.so
D.session required pam_loginuid.so
Answer: A

If /etc/nologin (or /run/nologin) exists, this module denies login to every user except root.

Why this answer

The line 'account required pam_nologin.so' is the likely cause because pam_nologin checks for /var/run/nologin or /etc/nologin and, when either exists, denies every non-root user; the file's contents are printed as the refusal message. Root is exempt by the module's design, so in practice 'all users' means all regular accounts, and whether root can still get in over SSH depends on PermitRootLogin rather than on this module. The file is created during maintenance (and systemd creates /run/nologin during shutdown and early boot), so a PAM stack that looks correct while every login suddenly fails points here; removing the file restores logins.

Exam trap

The trap here is that candidates often confuse the 'account' stack with the 'auth' or 'session' stacks, mistakenly thinking a missing authentication module (like pam_sepermit.so) or a session module (like pam_loginuid.so) is the cause, when in fact the account-level pam_nologin.so is specifically designed to block new logins system-wide.

How to eliminate wrong answers

Option B is wrong because 'session include password-auth' only pulls in the session lines of another stack, which handle post-authentication setup such as logging and resource limits, and does not refuse new sessions. Option C is wrong because 'auth required pam_sepermit.so' only denies the users listed in /etc/security/sepermit.conf, and only while SELinux is enforcing; it does not affect everyone. Option D is wrong because 'session required pam_loginuid.so' sets the audit loginuid for the session; it fails only where the loginuid cannot be written (for example in some containers), which is not the default behaviour on a host.

305
Multi-Select · medium

A system administrator wants to automate server configuration and management across multiple Linux hosts. Which TWO tools are configuration management solutions designed for this purpose? (Choose two.)

Select 2 answers
A.Docker
B.Nagios
C.Kubernetes
D.Puppet
E.Ansible
Answers: D, E

Puppet and Ansible are configuration management tools.

Why this answer

Puppet is a mature configuration management tool that uses a declarative language (Puppet DSL) to define desired system states and enforces them via a client-server (agent-master) architecture over HTTPS. It automates server configuration across multiple hosts by applying manifests that specify packages, services, files, and users, ensuring consistency without manual intervention. Ansible is the second correct choice: it is agentless, pushes changes over SSH (or WinRM) from a control node, and describes the desired state in YAML playbooks, so it does the same job with a different architecture.

Exam trap

The trap here is that candidates confuse containerization (Docker) or orchestration (Kubernetes) with configuration management, or mistake monitoring (Nagios) for a tool that configures systems, when the question specifically asks for tools that automate server configuration and management across multiple hosts.

306
MCQ · medium

Scenario: A cloud hosting company uses SELinux in enforcing mode on all Linux servers. A developer reports that a custom web application running under Apache (httpd) is unable to write log files to /var/log/myapp/. The directory /var/log/myapp/ has permissions 755 and is owned by root:root. The httpd process runs as the 'apache' user. The administrator checks SELinux context: /var/log/myapp is labeled with default_t type. The administrator wants to allow httpd to write to this directory while maintaining security. Which command should the administrator run?

A.Change ownership with 'chown apache:apache /var/log/myapp'
B.Run 'setenforce 0' to disable SELinux
C.Run 'chcon -t httpd_log_t /var/log/myapp'
D.Run 'semanage fcontext -a -t httpd_log_t "/var/log/myapp(/.*)?"' and then 'restorecon -Rv /var/log/myapp'
Answer: D

This permanently sets the context to httpd_log_t, allowing httpd to write.

Why this answer

Option D is correct because it permanently relabels the directory with the httpd_log_t SELinux type, which is the type the policy allows httpd_t to write log files into. The semanage fcontext command adds a file context mapping to the SELinux policy store, and restorecon applies that mapping to the filesystem, so the label survives a later relabel or policy update. This keeps SELinux in enforcing mode and avoids both the temporary chcon change and the insecure workaround of disabling SELinux. One practical caveat the question does not raise: the kernel checks ordinary Unix permissions before SELinux, and the directory is root:root 755, so the apache user also needs write access under those permissions (for example through a group grant) in addition to the label; the question asks for the SELinux part of the fix.

Exam trap

The trap here is that candidates often choose chcon (Option C) because it works immediately, but they overlook that it is not persistent and will be overwritten by restorecon or policy updates, whereas semanage fcontext followed by restorecon is the correct persistent method.

How to eliminate wrong answers

Option A is wrong because changing ownership to apache:apache does not address SELinux type enforcement; the httpd process is still blocked by the default_t type on the directory, regardless of Unix permissions. Option B is wrong because running 'setenforce 0' disables SELinux entirely, which violates the company's security policy of running in enforcing mode and exposes the server to potential threats. Option C is wrong because 'chcon -t httpd_log_t /var/log/myapp' only makes a temporary label change that will be reverted on the next filesystem relabel (e.g., after a policy update or restorecon run), and it does not persist in the SELinux policy database.

307
Multi-Select · medium

A security audit identifies that the system's /etc/passwd file is world-readable. Which three security issues does this pose? (Select THREE.)

Select 3 answers
A.Attackers can read the encrypted passwords.
B.Attackers can obtain usernames easily.
C.Attackers can see home directory paths.
D.Attackers can see user ID mappings.
E.Attackers can read password hashes.
Answers: B, C, D

/etc/passwd lists all local usernames, UIDs and home directories; password hashes live in /etc/shadow.

Why this answer

Option B is correct because /etc/passwd holds every local account name in its first colon-delimited field, so anyone who can read it can enumerate valid usernames, the usual first step before password spraying or brute force. Option C is correct because the sixth field is the home directory, which tells an attacker where per-user files (shell history, SSH keys, application configuration) live. Option D is correct because the third and fourth fields are the UID and primary GID, which reveal which accounts are root-equivalent (UID 0) and how users map to groups.

Exam trap

The trap here is that candidates often confuse the legacy practice of storing password hashes in /etc/passwd with the modern shadow password suite, and mistakenly select options A or E, not realizing that /etc/shadow is the actual hash store. In practice /etc/passwd is 0644 by design, because every process needs it to resolve UIDs to names; the real controls are that /etc/shadow is unreadable by ordinary users and that no account still carries a hash in the second field of /etc/passwd.
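
An added audit script for the findings in this question (not from the page): it reports what a world-readable passwd file gives away and checks the two conditions that actually matter, no hash in the second field and an unreadable /etc/shadow. The passwd file it runs against is constructed here for the example.

```shell
#!/bin/sh
# Added example for question 307 (not the page's own): audit a passwd file
# for the three findings in the answer and for the one that actually matters,
# a hash left in the second field.  The sample file is constructed here.

SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$saltsalt$notarealhash:1001:1001:Legacy app:/srv/legacy:/bin/sh
backup:x:0:34:backup:/var/backups:/bin/bash
EOF
)

passwd_unshadowed() {
    # Accounts whose password field is not the shadow placeholder.  "x" means
    # the hash is in /etc/shadow; "*", "!" and "!!" are locked.  Anything
    # else is a hash every local user can read and crack offline.
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }' "$1"
}

passwd_uid0() {
    # Every UID-0 account is a root-equivalent login name (option D).
    awk -F: '$3 == 0 { print $1 }' "$1"
}

passwd_interactive() {
    # Usernames with a real login shell plus their home directories: the
    # list an attacker feeds to a spraying tool (options B and C).
    awk -F: '$7 !~ /(nologin|false)$/ { printf "%s uid=%s home=%s\n", $1, $3, $6 }' "$1"
}

shadow_perms_ok() {
    # /etc/shadow must not be readable by others (0640 root:shadow on
    # Debian, 0000 on Red Hat).  "stat -c" is GNU coreutils.
    mode=$(stat -c '%a' "$1") || return 1
    [ $((0$mode & 04)) -eq 0 ]
}

audit_passwd() {
    f="${1:-/etc/passwd}"
    echo "== hashes stored in passwd (should be empty) =="; passwd_unshadowed "$f"
    echo "== UID 0 accounts =="; passwd_uid0 "$f"
    echo "== interactive accounts =="; passwd_interactive "$f"
    if [ "$(id -u)" -ne 0 ] && [ -r /etc/shadow ]; then
        echo "warning: /etc/shadow is readable by an unprivileged user"
    fi
    return 0
}

# run against the constructed sample
tmp=$(mktemp); printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"; audit_passwd "$tmp"; rm -f "$tmp"
```

Run `audit_passwd` with no argument on a real host to audit /etc/passwd; the `legacy` entry in the sample is the case an auditor is really looking for, since `pwconv` moves such hashes into /etc/shadow.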

308
MCQ · hard

An administrator modified kernel parameters in /etc/sysctl.conf. Which command applies the changes without rebooting?

A.sysctl -p
B.sysctl -w
C.sysctl -r
D.sysctl -a
Answer: A

The -p option loads settings from the named file, defaulting to /etc/sysctl.conf; on current distributions `sysctl --system` additionally loads the drop-ins under /etc/sysctl.d, which is what boot runs.

Why this answer

Option A is correct because 'sysctl -p' reads /etc/sysctl.conf and applies every key it contains to the running kernel. Option B is wrong because 'sysctl -w key=value' writes one parameter at a time and does not read the file. Option C is wrong because '-r' does not load anything: in procps-ng it is the --pattern switch that restricts which keys a load applies to, and on its own it changes nothing. Option D is wrong because 'sysctl -a' only displays the current values.
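
An added example (not from the page) that joins this question with question 301: a sysctl.d drop-in for the SYN-flood parameters, a small reader for the file format, and the load step with a check that the running kernel matches the file. The numeric values are an assumption sized for a busy web server; the drop-in path follows the sysctl.d convention.

```shell
#!/bin/sh
# Added example joining questions 301 and 308 (not the page's own): a sysctl
# drop-in for the SYN-flood parameters, a reader for the file format, and
# the load step with a check that the running kernel matches the file.  The
# numeric values are an assumption sized for a busy web server.

SYN_DROPIN_CONTENT='# /etc/sysctl.d/90-syn-backlog.conf
# half-open (SYN_RECV) queue: the parameter behind "possible SYN flooding"
net.ipv4.tcp_max_syn_backlog = 8192
# accept-queue cap for listen(); on current kernels the half-open queue is
# also bounded by the listen backlog, so raise the two together
net.core.somaxconn = 8192
# keep cookies on: when the queue still overflows, SYNs are answered
# statelessly instead of dropped (those flows lose some TCP options)
net.ipv4.tcp_syncookies = 1
# fewer SYN-ACK retransmits so an unanswered half-open entry expires sooner
net.ipv4.tcp_synack_retries = 2
'

sysctl_conf_get() {
    # $1 file, $2 key.  Follows the grammar sysctl(8) reads: "#" or ";"
    # starts a comment, whitespace around "=" is ignored, and "/" may stand
    # in for "." inside a key, so both spellings are normalised first.
    want=$(printf '%s' "$2" | tr / .)
    awk -F= -v want="$want" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key); gsub("/", ".", key)
            if (key == want) {
                val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

apply_syn_dropin() {
    # "sysctl -p FILE" loads only the named file; "sysctl --system" loads
    # /etc/sysctl.conf plus every sysctl.d directory in the order boot uses.
    # Both change the running kernel without a reboot (question 308).
    dest="${1:-/etc/sysctl.d/90-syn-backlog.conf}"
    printf '%s' "$SYN_DROPIN_CONTENT" > "$dest"
    sysctl -p "$dest"
    for key in net.ipv4.tcp_max_syn_backlog net.core.somaxconn net.ipv4.tcp_syncookies; do
        printf '%-30s file=%-6s running=%s\n' "$key" \
            "$(sysctl_conf_get "$dest" "$key")" "$(sysctl -n "$key")"
    done
}
```

`apply_syn_dropin` needs root. The check loop matters because a typo in a key makes `sysctl -p` print an error and carry on with the rest of the file. Remember that `somaxconn` only caps what an application asks for: the server's own listen backlog (for example nginx's `backlog=` on the `listen` directive) has to be raised as well before the larger queues are used.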

309
MCQ · easy

Refer to the exhibit. A user wants to execute the script 'script.sh' but receives a 'Permission denied' error. Which action should be taken to allow execution?

A.Add execute permission with chmod +x script.sh
B.Change the owner to the user with chown
C.Change the group to the user's primary group
D.Set the permissions to 644 with chmod
Answer: A

Adds execute permission to the file.

Why this answer

The 'Permission denied' error indicates the script lacks the execute permission for the user. The `chmod +x script.sh` command adds the execute permission bit to the file's mode, allowing the user to run it as a program. This is the direct and correct fix for the issue.

Exam trap

CompTIA often tests the misconception that changing ownership or group alone resolves permission errors, when in fact the execute permission bit must be explicitly set for the file to be run as a script.

How to eliminate wrong answers

Option B is wrong because changing the owner with `chown` does not grant execute permission; it only changes file ownership, and the new owner still needs execute permission to run the script. Option C is wrong because changing the group to the user's primary group does not add execute permission; the group must have the execute bit set in the file's permissions for this to work. Option D is wrong because setting permissions to 644 (rw-r--r--) removes any execute bits, which would still prevent execution and is the opposite of what is needed.

310
MCQ · hard

A developer writes a Dockerfile that installs multiple packages. To reduce the final image size, which of the following practices is most effective?

A.Use a multi-stage build.
B.Combine multiple RUN commands into a single RUN instruction.
C.Use apt-get clean after each installation.
D.Use a minimal base image like alpine.
Answer: B

Fewer layers, so files deleted in a later step are not still stored in an earlier layer.

Why this answer

Combining multiple RUN commands into a single RUN instruction reduces the number of layers created in the Docker image. Each RUN instruction creates a new layer, and by merging them, you avoid storing intermediate files (e.g., package cache) across separate layers, which significantly shrinks the final image size. This is a direct and effective method for minimizing image footprint when installing multiple packages.

Exam trap

CompTIA often tests the misconception that using a minimal base image or cleaning up in separate steps is sufficient, when in fact the layer persistence model means only combining RUN commands (and cleaning within the same layer) truly eliminates intermediate file bloat.

How to eliminate wrong answers

Option A is wrong for the exam's purposes because a multi-stage build shrinks the image by leaving build-time dependencies out of the final stage; it does not by itself change how many layers the package installation in that stage produces, although in practice it is often the larger saving for compiled applications. Option C is wrong as phrased because 'apt-get clean' in its own RUN instruction runs in a new layer: the cache written by the earlier layer is already part of the image and cannot be removed from it. The cleanup only helps when it runs in the same RUN as the install, typically together with 'rm -rf /var/lib/apt/lists/*'. Option D is wrong because a minimal base such as Alpine shrinks the starting point but does nothing about the intermediate files left across separate RUN layers; the question is specifically about the practice used while installing packages.
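
As an added example (not from the page), the same package set installed both ways, written as two named stages in one file so each can be built and compared. The base image and package names are assumptions.

```dockerfile
# Added example, not from the page: the same packages installed two ways,
# as two named stages in one file so both can be built and compared.
# The base image and package names are assumptions.

# "naive": four layers.  The apt cache and package lists written by the
# first two RUNs stay in the image even though the last two delete them.
FROM debian:bookworm-slim AS naive
RUN apt-get update
RUN apt-get install -y curl ca-certificates
RUN apt-get clean
RUN rm -rf /var/lib/apt/lists/*

# "lean": one layer.  Install and cleanup happen in the same RUN, so the
# cache never lands in a layer; --no-install-recommends drops packages
# nobody asked for, which also shrinks the attack surface.
FROM debian:bookworm-slim AS lean
RUN apt-get update \
 && apt-get install -y --no-install-recommends curl ca-certificates \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
```

Build each stage with `docker build --target naive -t demo:naive .` and `docker build --target lean -t demo:lean .`, then compare `docker image ls demo` and `docker history demo:naive`: the history of the naive image shows the size of the `apt-get update` layer still present after the `rm -rf` layer.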

311
MCQ · medium

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The pipeline should build a Docker image, run unit tests, and if successful, push the image to a private registry. Which tool is best suited for orchestrating this pipeline?

A.Git
B.cron
C.Jenkins
D.Ansible
Answer: C

Jenkins is designed for building, testing, and deploying software continuously.

Why this answer

Jenkins is a widely adopted CI/CD automation server that excels at orchestrating complex pipelines, including building Docker images, running unit tests, and pushing images to a private registry. Its pipeline-as-code feature (Jenkinsfile) allows defining stages, triggers, and post-build actions, making it the best fit for this microservices CI/CD workflow.

Exam trap

CompTIA often tests the distinction between CI/CD orchestration tools and general automation or scheduling tools; the trap here is that candidates may confuse Ansible's automation capabilities with CI/CD pipeline orchestration, or think cron can handle complex multi-step workflows with conditional logic.

How to eliminate wrong answers

Option A is wrong because Git is a distributed version control system used for source code management, not for orchestrating CI/CD pipelines or executing build/test/deploy steps. Option B is wrong because cron is a time-based job scheduler in Unix/Linux that can only run simple scripts at fixed intervals; it lacks pipeline logic, dependency management, and integration with Docker registries or test frameworks. Option D is wrong because Ansible is a configuration management and automation tool primarily used for provisioning and infrastructure as code, not for continuous integration pipeline orchestration; it does not natively support event-driven CI/CD triggers or pipeline stages.

312
Drag & Drop · medium

Drag and drop the steps to set up a cron job that runs a script daily in the correct order.


Why this order

Cron jobs require an executable script and a crontab entry with proper syntax.
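
The steps above as an added script (not the page's own): make the script executable, build a daily crontab entry, sanity-check it, merge it into the user's crontab and read it back. The script path, time and log file are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the steps in question 312 (not the page's own): make a
# script executable, build a daily crontab entry for it, sanity-check the
# entry, merge it into the user's crontab and read it back.  The script
# path, time and log file are assumptions for illustration.

cron_daily_line() {
    # $1 absolute script path, $2 time as HH:MM.  Cron fields are
    # minute hour day-of-month month day-of-week; "* * *" in the last three
    # means every day.  Output is appended to a log so a failing job is
    # visible instead of vanishing into local mail nobody reads.
    script="$1"; hhmm="$2"
    hour="${hhmm%%:*}"; minute="${hhmm##*:}"
    hour="${hour#0}"; minute="${minute#0}"      # "02" -> "2", "00" -> "0"
    printf '%s %s * * * %s >> /var/log/nightly-backup.log 2>&1\n' \
        "$minute" "$hour" "$script"
}

validate_cron_line() {
    # Reject an entry cron would refuse or misread: fewer than six fields,
    # characters outside the cron time grammar, or out-of-range numbers.
    printf '%s\n' "$1" | awk '
        NF < 6 { exit 1 }
        {
            for (i = 1; i <= 5; i++)
                if ($i !~ "^[0-9*,/-]+$") exit 1
            if ($1 ~ "^[0-9]+$" && $1 > 59) exit 1
            if ($2 ~ "^[0-9]+$" && $2 > 23) exit 1
            exit 0
        }'
}

install_cron_job() {
    script="$1"; hhmm="$2"
    # Step 1: the script must exist and carry the execute bit (chmod +x).
    [ -x "$script" ] || { echo "$script is missing or not executable" >&2; return 1; }
    # Step 2: build and check the entry.
    line=$(cron_daily_line "$script" "$hhmm")
    validate_cron_line "$line" || { echo "refusing bad entry: $line" >&2; return 1; }
    # Step 3: keep the existing crontab, replace any earlier entry for this
    # script, and load the result ("crontab -" reads the new table from stdin).
    { crontab -l 2>/dev/null | grep -vF "$script" || true; printf '%s\n' "$line"; } | crontab -
    # Step 4: verify what cron now holds.
    crontab -l | grep -F "$script"
}
```

Run as `install_cron_job /usr/local/bin/nightly-backup.sh 02:30`. A job that must run as a dedicated service account belongs in /etc/cron.d instead, in the six-field form with the user name between the schedule and the command; cron runs the job with a minimal environment, so the script should not depend on the interactive PATH.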

313
MCQ · medium

An administrator adds a new disk /dev/sdc1 and wants it mounted at /mnt/backup at every boot. Based on the exhibit, which line should be added to /etc/fstab?

A.UUID=xyz789 /backup ext4 defaults 0 0
B.UUID=xyz789 /mnt/backup ext4 nofail 0 0
C./dev/sdc1 /mnt/backup ext4 defaults 0 2
D./dev/sdc1 /mnt/backup ext4 defaults 0 0
E.UUID=xyz789 /mnt/backup ext4 defaults 0 0
Answer: E

Correct format with UUID.

Why this answer

Option E is correct: it identifies the filesystem by UUID, which stays the same if the disk is enumerated under a different /dev name after a hardware change, mounts it at the requested /mnt/backup, and supplies all six fields (device, mount point, type, options, dump, fsck pass). Option A has the wrong mount point (/backup instead of /mnt/backup). Option B replaces defaults with nofail; nofail is a legitimate option for a removable backup disk (boot continues if it is absent), but it is not the standard entry the question asks for. Options C and D use the device path /dev/sdc1, which can change between boots, so they are rejected regardless of the pass field. The key's '0 0' disables both dump and boot-time fsck; for an ext4 data volume a pass value of 2 is the conventional choice, and `findmnt --verify` checks the edited file before the next reboot.
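
An added example (not from the page) that builds the entry from the device's UUID instead of typing it, checks the line, and verifies the file before trusting the next reboot to it. Device and mount point are the question's; the UUID is read from `blkid` on the real host, and the example deliberately uses fsck pass 2.

```shell
#!/bin/sh
# Added example for question 313 (not the page's own): build the fstab line
# from the device's UUID instead of typing it, check it, and verify the file
# before trusting the next reboot to it.  Device and mount point are the
# question's; the UUID is read from blkid on the real host.

fstab_line() {
    # $1 UUID, $2 mount point, $3 fstype, $4 options, $5 dump, $6 fsck pass
    printf 'UUID=%s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

fstab_line_check() {
    # Static checks on a single entry: six fields, absolute mount point, a
    # UUID=/LABEL= source rather than a /dev path that can renumber, and a
    # numeric fsck pass.  Prints each problem; exit status 1 on any.
    printf '%s\n' "$1" | awk '
        NF != 6 { print "expected 6 fields, got " NF; bad = 1 }
        $2 !~ "^/" { print "mount point must be absolute: " $2; bad = 1 }
        $1 ~ "^/dev/" { print "device path instead of UUID=/LABEL=: " $1; bad = 1 }
        $6 !~ "^[0-9]+$" { print "fsck pass must be numeric: " $6; bad = 1 }
        END { exit bad }'
}

add_backup_mount() {
    dev="${1:-/dev/sdc1}"; mnt="${2:-/mnt/backup}"
    uuid=$(blkid -s UUID -o value "$dev") || { echo "no UUID for $dev" >&2; return 1; }
    # pass 2: fsck the volume at boot after the root filesystem (pass 1);
    # the exam key's "0 0" skips the check entirely.
    line=$(fstab_line "$uuid" "$mnt" ext4 defaults 0 2)
    fstab_line_check "$line" || return 1
    mkdir -p "$mnt"
    grep -qF "UUID=$uuid" /etc/fstab || printf '%s\n' "$line" >> /etc/fstab
    findmnt --verify --tab-file /etc/fstab   # parses every entry, reports problems
    systemctl daemon-reload 2>/dev/null || true  # regenerate .mount units from fstab
    mount -a && findmnt "$mnt"               # mount it now, exactly as boot would
}
```

`add_backup_mount` needs root. The `mount -a` at the end is the real test: a typo in /etc/fstab that only surfaces at boot can leave the machine in emergency mode, which is also why `nofail` is worth adding for a disk that may be unplugged.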

314
MCQ · hard

A server is secured with SELinux in enforcing mode. A custom web application needs to write logs to /var/log/webapp. The SELinux type for httpd is httpd_t. Which command sets the correct context for the log directory?

A.semanage fcontext -a -t httpd_log_t "/var/log/webapp(/.*)?" && restorecon -Rv /var/log/webapp
B.chcon -t httpd_sys_content_t /var/log/webapp
C.setsebool -P httpd_enable_homedirs on
D.chcon -t httpd_t /var/log/webapp
Answer: A

This adds a persistent rule and applies the correct type for log files.

Why this answer

Option A is correct because it uses `semanage fcontext` to add a persistent file context rule that assigns the `httpd_log_t` type to the `/var/log/webapp` directory and its contents, then applies it with `restorecon`. The `httpd_log_t` type is specifically designed for log files written by the httpd process, allowing Apache (running as `httpd_t`) to write logs while maintaining SELinux enforcement.

Exam trap

The trap here is that candidates confuse process domains (like `httpd_t`) with file types (like `httpd_log_t`) or mistakenly use `chcon` for a permanent context change, not realizing that `semanage fcontext` with `restorecon` is required for persistent labeling in enforcing mode.

How to eliminate wrong answers

Option B is wrong because `httpd_sys_content_t` is intended for static web content (HTML, scripts) served by httpd, not for log files; using it would not grant the necessary write access for logging and would produce AVC denials. Option C is wrong because `httpd_enable_homedirs` is a boolean that controls access to user home directories, not log directory labeling; it does not set any file context. Option D is wrong because `httpd_t` is the process domain, not a file type; labeling a directory with it does not give httpd write access and leaves the directory with a label the policy never intended for files.
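
The labeling fix from this question and question 306 as an added script (not the page's own commands), including the verification steps a practitioner runs afterwards. It assumes root, the `semanage` tool from policycoreutils-python-utils, and the /var/log/myapp directory of question 306.

```shell
#!/bin/sh
# Added example for questions 306 and 314 (not the page's own commands):
# label an application log directory httpd_log_t persistently, then prove
# the label took and httpd is no longer denied.  Assumes root, the semanage
# tool (policycoreutils-python-utils) and the directory from question 306.

fcontext_pattern() {
    # semanage stores a regular expression, not a path: "(/.*)?" covers
    # the directory itself and everything later created beneath it.
    printf '%s(/.*)?\n' "${1%/}"
}

label_httpd_logdir() {
    dir="${1:-/var/log/myapp}"
    pattern=$(fcontext_pattern "$dir")
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 1; }

    # 1. Record the rule in the local policy store.  Unlike chcon, this
    #    survives a relabel and policy package updates.  -m modifies an
    #    existing rule for the same pattern; -a would fail on a duplicate.
    if semanage fcontext -l | grep -qF "$pattern"; then
        semanage fcontext -m -t httpd_log_t "$pattern"
    else
        semanage fcontext -a -t httpd_log_t "$pattern"
    fi

    # 2. Preview what restorecon would change (-n), then apply it.
    restorecon -Rnv "$dir"
    restorecon -Rv "$dir"

    # 3. Verify: on-disk label and the label the policy expects must agree.
    ls -dZ "$dir"
    matchpathcon -V "$dir"

    # 4. The label is only half of it: the kernel checks ordinary permissions
    #    first, and the question's directory is root:root 0755.  Give the
    #    apache user write access through the group without opening it up
    #    to everyone.
    chown root:apache "$dir" && chmod 0770 "$dir"

    # 5. Any remaining denial shows up here; no output is the goal.
    ausearch -m AVC -c httpd -ts recent 2>/dev/null || echo "no recent AVC records for httpd"
}
```

If a denial persists after this, `audit2why < /var/log/audit/audit.log` or `sealert -a /var/log/audit/audit.log` explains which rule is missing; `setenforce 0` is never the answer in a scenario that requires enforcing mode.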

315
MCQ · medium

The company password policy requires minimum length, complexity, and that passwords cannot be based on dictionary words. Which file should be edited to configure these settings via pam_pwquality?

A./etc/security/pwquality.conf
B./etc/login.defs
C./etc/pam.d/system-auth
D./etc/pam.d/password-auth
Answer: A

This file contains the pam_pwquality parameters such as minlen, dcredit, ucredit, ocredit, and lcredit.

Why this answer

The pam_pwquality module enforces password quality rules such as minimum length, complexity, and dictionary checks. Its configuration file is /etc/security/pwquality.conf (with drop-ins under /etc/security/pwquality.conf.d/), where parameters like minlen, dcredit, ucredit, lcredit, ocredit, and dictcheck are set. Editing this file directly controls the PAM module's behaviour without modifying PAM service files; the same parameters can also be given as arguments on the pam_pwquality.so line, but the file is the intended place.

Exam trap

The trap here is that candidates confuse the PAM service file (which invokes the module) with the module's configuration file, leading them to choose /etc/pam.d/system-auth or /etc/pam.d/password-auth instead of /etc/security/pwquality.conf.

How to eliminate wrong answers

Option B is wrong because /etc/login.defs controls shadow password suite parameters (e.g., PASS_MAX_DAYS, PASS_MIN_LEN) but does not configure pam_pwquality settings. Option C is wrong because /etc/pam.d/system-auth is a PAM service file that includes pam_pwquality via a 'password requisite pam_pwquality.so' line, but it does not contain the configuration parameters themselves. Option D is wrong because /etc/pam.d/password-auth is another PAM service file (used by network-facing services such as sshd on Red Hat-style systems, while system-auth serves local logins) that similarly invokes pam_pwquality but is not the configuration file for its settings.
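
An added example of the configuration file (not from the page): a pwquality.conf that enforces the three requirements in the question. The values are a sample policy for illustration, not a recommendation the page makes.

```ini
# /etc/security/pwquality.conf  (added example; the values are a sample
# policy, not the page's recommendation)
# minimum length; with credits in use, longer is the only way to be safe
minlen = 14
# a negative credit is a required minimum count of that character class
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# reject dictionary words (cracklib), the username and GECOS-derived strings
dictcheck = 1
usercheck = 1
gecoscheck = 1
# at most 3 identical consecutive characters; at least 5 characters
# different from the previous password
maxrepeat = 3
difok = 5
# reject, rather than only warn, when root sets a weak password
enforce_for_root
```

Test a candidate password against the policy without changing anything with `echo 'candidate' | pwscore`, which prints a score or the reason for rejection; the 'password requisite pam_pwquality.so retry=3' line stays in the PAM service file, it just no longer needs to carry the parameters.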

316
Multi-Select · hard

Which TWO are standard methods to boot into rescue mode in a systemd-based Linux distribution?

Select 2 answers
A.Run systemctl rescue
B.Add 'emergency' to kernel command line
C.Append init=/bin/bash to kernel command line
D.Run grub2-mkconfig
E.Set default target to rescue.target and reboot
Answers: A, E

Immediately switches the system to rescue.target.

Why this answer

Option A is correct because `systemctl rescue` directly activates `rescue.target`, the standard systemd mechanism for a single-user, minimal environment: it mounts the local filesystems, starts only basic services, and gives a root shell for troubleshooting without a full multi-user boot. Option E is also correct because `systemctl set-default rescue.target` makes that target the default for every subsequent boot, so the next reboot lands in the same environment; set it back with `systemctl set-default multi-user.target` (or graphical.target) once the repair is done.

Exam trap

The trap here is that candidates confuse 'rescue mode' with 'emergency mode' or legacy `init=/bin/bash` methods, failing to recognize that systemd defines `rescue.target` as the standard, service-aware rescue environment. For a one-off boot the usual method is to edit the GRUB entry and append `systemd.unit=rescue.target` to the kernel line; the bare keyword `emergency` selects emergency.target, which mounts only the root filesystem read-only and starts almost nothing, and `init=/bin/bash` bypasses systemd entirely.

317
MCQ · medium

An administrator uses Podman containers and wants them to start automatically when the host boots. Which method should be used?

A.podman auto-start on
B.podman generate systemd --new --files, then systemctl enable container-name
C.podman register-service container-name
D.Add a command to /etc/rc.local to start the container
Answer: B

This creates systemd unit files and enables them for automatic startup.

Why this answer

Option B is correct because Podman has no daemon to restart containers at boot; instead it integrates with systemd. `podman generate systemd --new --files container-name` writes a unit file whose ExecStart runs `podman run` to create a fresh container from the image on every start (and removes it on stop), so the unit does not depend on a container that must already exist, and `--files` writes the unit to disk instead of stdout. After the unit is copied into /etc/systemd/system (or ~/.config/systemd/user for a rootless user, who then uses `systemctl --user enable` and needs `loginctl enable-linger` so the service starts without a login session), `systemctl enable` makes it start at boot with systemd's ordering, restart policy and journal logging. Since Podman 4.4 this command is deprecated in favour of Quadlet files under /etc/containers/systemd (or ~/.config/containers/systemd), which produce the same kind of unit; the exam still expects the generate-then-enable sequence.

Exam trap

The trap here is that candidates may assume Podman has a simple built-in auto-start toggle like Docker's `--restart always` flag, but Podman requires explicit systemd integration for boot-time startup, and the exam tests knowledge of the correct command sequence (`generate systemd` followed by `systemctl enable`).

How to eliminate wrong answers

Option A is wrong because `podman auto-start on` is not a valid Podman command; Podman does not have a native auto-start feature. Option C is wrong because `podman register-service` is not a real Podman subcommand; Podman uses systemd integration, not a separate registration command. Option D is wrong because while `/etc/rc.local` can start containers, it is a legacy method that lacks systemd's dependency management, restart policies, and logging, making it unreliable for production container management.

318
MCQ · medium

A system administrator notices that an unauthorized user gained access to a server via SSH using a compromised user account. Which security measure should be implemented to prevent such attacks in the future?

A.Configure SSH to use key-based authentication only
B.Disable SSH and use Telnet
C.Enforce a complex password policy
D.Allow all users to use sudo without passwords
Answer: A

Key-based authentication is more secure and prevents password attacks.

Why this answer

Option A is correct because configuring SSH to use key-based authentication only removes the password as a way in. Since the account was compromised through its password, setting 'PasswordAuthentication no' and requiring a key means a guessed, phished or reused password is no longer enough to log in; the private key never leaves the client and the server holds only the public half, so nothing reusable crosses the network. Key-only authentication does not help if the private key itself is stolen, so in practice it is paired with passphrase-protected keys, `PermitRootLogin no`, an `AllowGroups` allow-list and, where available, a second factor.

Exam trap

CompTIA often tests the misconception that a strong password policy is sufficient to prevent unauthorized access, but the trap here is that password-based authentication is inherently vulnerable to credential reuse, phishing, and offline cracking, whereas key-based authentication provides cryptographic proof of identity that cannot be easily stolen or guessed.

How to eliminate wrong answers

Option B is wrong because disabling SSH and using Telnet would actually decrease security, as Telnet transmits all data, including credentials, in cleartext, making it trivial for attackers to intercept. Option C is wrong because while a complex password policy can make passwords harder to guess, it does not prevent attacks where the password is already compromised (e.g., via phishing or a data breach); SSH key-based authentication is a stronger, passwordless alternative. Option D is wrong because allowing all users to use sudo without passwords removes all authorization checks for privilege escalation, which would increase the attack surface and allow a compromised account to gain root access without any additional authentication.

319
MCQ · easy

A user reports that they receive 'Permission denied' when trying to run a script located in their home directory. The script has permissions -rw-rw-r-- and is owned by the user. Which command should the user run to resolve the issue?

A.chmod g-w script.sh
B.sudo chown user:user script.sh
C.chmod u+x script.sh
D.chmod a+x script.sh
Answer: C

Adds execute permission for the owner, allowing the script to run.

Why this answer

The script has permissions -rw-rw-r--, meaning the owner (user) has read and write but not execute permission. To run it as a script, the execute bit must be set for the owner. The command chmod u+x script.sh adds execute permission for the user, allowing them to run the script directly.

Exam trap

The trap here is that candidates may think 'Permission denied' always means ownership or group issues, leading them to choose chown or group permission changes, when in fact the missing execute bit is the specific cause for script execution failures.

How to eliminate wrong answers

Option A is wrong because chmod g-w removes write permission from the group, which does not add execute permission and would not resolve the 'Permission denied' error. Option B is wrong because sudo chown user:user script.sh changes the owner and group to the user, but the script is already owned by the user, so this does nothing to add execute permission. Option D is wrong because chmod a+x adds execute permission for all (user, group, others), which would work but is overly permissive and not the minimal fix; the question asks which command the user should run, and the most appropriate and secure answer is to add execute only for the owner.

320
MCQ · medium

A user is trying to log in to a Linux server via SSH but receives 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic)'. The user's public key is in ~/.ssh/authorized_keys with proper permissions (600) and owned by the user. The server's sshd_config has 'PubkeyAuthentication yes' and 'PasswordAuthentication no'. What is the most likely additional cause?

A.The server's firewall is blocking port 22.
B.The user's home directory has incorrect permissions (e.g., group-writable).
C.SELinux is blocking the key authentication.
D.The SSH server is not running.
Answer: B

sshd's StrictModes check refuses the key file when the home directory, ~/.ssh or authorized_keys is group- or world-writable, or owned by someone other than the user (or root).

Why this answer

Option B is correct because sshd's `StrictModes` (enabled by default) checks that the user's home directory, the ~/.ssh directory and the authorized_keys file are owned by the user (or root) and are not group- or world-writable. If the home directory is group-writable (e.g., 775), sshd refuses to trust `~/.ssh/authorized_keys` even though the file itself is 600, because another group member could replace the .ssh directory and with it the key file. sshd records the refusal as 'Authentication refused: bad ownership or modes for directory /home/user' in the auth log or journal, which is the quickest confirmation.

Exam trap

CompTIA often tests the subtlety that SSH's `StrictModes` checks parent directory permissions, not just the key file, leading candidates to overlook home directory permissions when the key file itself appears correct.

How to eliminate wrong answers

Option A is wrong because a firewall blocking port 22 would cause a connection timeout or 'Connection refused', not the specific 'Permission denied (publickey,...)' message. Option C is wrong because an SELinux denial would appear as an AVC record in /var/log/audit/audit.log, and the default targeted policy allows sshd to read a correctly labelled (ssh_home_t) authorized_keys; it can happen when the file was copied in with a wrong label (fixed with `restorecon -Rv ~/.ssh`), but with the key file and sshd_config already verified the permission check is the more likely cause. Option D is wrong because if sshd were not running the client would get 'Connection refused' immediately, not an authentication failure.
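
An added triage script for the SSH login failures in this question and in questions 304 and 318 (not the page's own), run on the server: it checks for a nologin file, dumps the settings sshd actually enforces, applies the StrictModes ownership and mode rules to one account, and shows the last sshd log lines. The account name is the only input; everything else is standard OpenSSH and PAM behaviour, and `sshd -T` needs root.

```shell
#!/bin/sh
# Added example for the login failures in questions 304, 318 and 320: an
# SSH triage run on the server (not the page's own script).  It reads the
# effective sshd settings with "sshd -T" (needs root) and applies the
# StrictModes ownership/mode rules to a given account.  The account name
# is the only input; everything else is standard OpenSSH and PAM behaviour.

strictmodes_check() {
    # $1 home directory, $2 owner.  sshd refuses authorized_keys when the
    # home, ~/.ssh or the file is writable by group or others, or is owned
    # by anyone other than the user or root.  Returns 1 on any finding.
    home="$1"; owner="$2"; status=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; status=1; continue; }
        mode=$(stat -c '%a' "$p"); u=$(stat -c '%U' "$p")
        perm=$((0$mode & 0777))            # drop setuid/setgid/sticky digits
        if [ $((perm & 022)) -ne 0 ]; then # 020 group write, 002 other write
            echo "writable by group/other: $p (mode $mode)"; status=1
        fi
        if [ "$u" != "$owner" ] && [ "$u" != root ]; then
            echo "wrong owner: $p (owned by $u, expected $owner)"; status=1
        fi
    done
    return $status
}

nologin_check() {
    # pam_nologin (question 304): while /etc/nologin or /run/nologin exists,
    # every non-root account is refused and shown the file's text.
    for f in /etc/nologin /run/nologin; do
        [ -e "$f" ] && { echo "$f present: $(cat "$f")"; return 1; }
    done
    echo "no nologin file present"
}

sshd_auth_summary() {
    # "sshd -T" dumps the configuration sshd actually enforces, after Include
    # and Match directives, so "PasswordAuthentication no" (question 318)
    # and StrictModes can be confirmed rather than assumed.
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed"; return 0; }
    sshd -T 2>/dev/null | grep -E '^(pubkeyauthentication|passwordauthentication|permitrootlogin|strictmodes|authorizedkeysfile|usepam) ' || true
}

ssh_login_triage() {
    user="$1"
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    echo "== nologin =="; nologin_check || true
    echo "== effective sshd settings =="; sshd_auth_summary
    echo "== StrictModes check for $user =="; strictmodes_check "$home" "$user" || true
    echo "== last sshd log lines =="
    # the unit is ssh.service on Debian/Ubuntu and sshd.service on Red Hat;
    # naming both is harmless
    journalctl -u ssh -u sshd --since -1h --no-pager 2>/dev/null | tail -n 20
}
```

Run as `ssh_login_triage alice`. When `strictmodes_check` reports a finding, the fix is `chmod 755 ~alice`, `chmod 700 ~alice/.ssh` and `chmod 600 ~alice/.ssh/authorized_keys`, with `chown -R alice:alice ~alice/.ssh` if the files were copied in as root; the same checks run from the client side with `ssh -vvv`, which shows which key was offered and rejected.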

321
Multi-Select · medium

Which TWO options are valid ways to pass environment variables to a Docker container?

Select 2 answers
A.--var VAR=value
B.--env-file file
C.-e VAR=value
D.--variable VAR=value
E.-v VAR=value
Answers: B, C

This loads environment variables from a file.

Why this answer

The correct options are B and C: -e (or --env) sets one variable on the command line, and --env-file reads KEY=value pairs from a file, which keeps secrets out of the shell history and process listing. -v mounts a volume, and --var and --variable are not docker run flags.

322
MCQ · medium

Refer to the exhibit. A user reports that the /var directory is not accessible. The system administrator checks the logical volumes and notices that the 'var' logical volume is not activated. Which command should be used to activate it?

A.lvextend -L+10g vg0/var
B.lvchange -ay vg0/var
C.lvscan
D.lvcreate -a y vg0/var
Answer: B

The -ay option activates the logical volume.

Why this answer

The `lvchange -ay vg0/var` command activates the specified logical volume by setting its activation flag to 'y' (yes). This is the correct way to bring an inactive LVM logical volume online so that it can be mounted and accessed.

Exam trap

CompTIA often tests the distinction between commands that modify LVM objects (like `lvextend`, `lvcreate`) versus commands that manage state (like `lvchange`), leading candidates to confuse activation with resizing or creation.

How to eliminate wrong answers

Option A is wrong because `lvextend` is used to increase the size of a logical volume, not to change its activation state. Option C is wrong because `lvscan` only scans and displays the status of all logical volumes; it does not modify their activation state. Option D is wrong because `lvcreate` is used to create a new logical volume, and the `-a y` flag would attempt to create a new volume named 'var' in volume group 'vg0' rather than activating an existing one.

323
Multi-Selecthard

A storage administrator is troubleshooting high disk I/O latency. Which THREE tools can provide detailed block I/O statistics at the device level? (Choose three.)

Select 3 answers
A.dd
B.iostat
C.iotop
D.fstrim
E.blktrace
AnswersB, C, E

Reports I/O statistics per device and partition.

Why this answer

Options B, C, and E are correct. `iostat -dx` reports per-device throughput, request sizes, queue depth, service times such as `await`, and `%util`; `iotop` attributes I/O bandwidth to individual processes; `blktrace` records individual block-layer events for a device, which `blkparse` turns into a readable trace. `dd` copies data (it can generate load but measures nothing at the device level) and `fstrim` discards unused blocks on SSDs.
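To turn the per-device statistics into an actionable check, the added shell example below (not from the question bank) reads `iostat -dx` output, the sample here being constructed in the sysstat 12 column layout, locates the await columns from the header so it works with both the old single `await` and the newer `r_await`/`w_await` columns, and prints the devices whose worst await exceeds a threshold in milliseconds.

```shell
#!/bin/sh
# Added example: flag devices whose await exceeds a threshold, from `iostat -dx` output.
# SAMPLE_IOSTAT is constructed (sysstat 12 column layout); real input comes from
#   iostat -dx 5 3        # three 5-second samples; the first is the since-boot average
SAMPLE_IOSTAT='Linux 5.15.0 (web01)  01/14/24  _x86_64_  (4 CPU)

Device            r/s     rkB/s   rrqm/s  %rrqm r_await rareq-sz     w/s     wkB/s   wrqm/s  %wrqm w_await wareq-sz   d/s     dkB/s   drqm/s  %drqm d_await dareq-sz     f/s f_await  aqu-sz  %util
sda              12.0    480.0     0.0   0.00    1.20    40.0    30.0   1200.0     0.0   0.00    2.50    40.0    0.0      0.0     0.0   0.00    0.00     0.0    0.0    0.00    0.08   3.0
sdb               2.0     64.0     0.0   0.00   85.40    32.0   400.0  16000.0    10.0   2.44  120.75    40.0    0.0      0.0     0.0   0.00    0.00     0.0    0.0    0.00   48.30  99.8'

# slow_devices THRESHOLD_MS: print "device column=value" for each device whose
# worst await-type column (await, r_await or w_await) exceeds the threshold.
# Column positions are taken from the header line, so the sysstat version
# (old single "await" vs. newer r_await/w_await) does not matter.
slow_devices() {
    awk -v thr="$1" '
        $1 ~ /^Device:?$/ {
            ncols = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(r_|w_)?await$/) { cols[i] = $i; ncols++ }
            next
        }
        ncols > 0 && NF > 1 {
            worst = -1; name = ""
            for (i in cols)
                if ($i + 0 > worst) { worst = $i + 0; name = cols[i] }
            if (worst > thr) printf "%s %s=%.2f\n", $1, name, worst
        }'
}

# Demonstration on the constructed sample (20 ms is an arbitrary threshold):
printf '%s\n' "$SAMPLE_IOSTAT" | slow_devices 20
```

A device that shows high await together with `%util` near 100 is saturated; high await with low `%util` points at the device or path itself (a failing disk, a throttled cloud volume), which is where `blktrace` earns its keep.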

324
Multi-Selecteasy

Which TWO commands are used to view a file page by page?

Select 2 answers
A.tail
B.more
C.cat
D.head
E.less
AnswersB, E

more displays a file page by page.

Why this answer

The `more` and `less` commands are both pager utilities that display file contents one screen at a time, allowing the user to scroll forward (and in the case of `less`, backward) through the output. `more` is the traditional pager that pauses after each screenful, while `less` is a more feature-rich pager that supports backward navigation and searching. Both are correct for viewing a file page by page.

Exam trap

The trap here is that candidates assume only one of `more` and `less` can be correct, but the question asks for TWO and both are pagers. `cat`, `head`, and `tail` print directly without pausing; piping their output into a pager works, but they are not pagers themselves.

325
MCQmedium

Which shebang ensures maximum portability across systems for a Python script?

A.#!/usr/bin/env python3
B.#!/bin/python
C.#!/usr/bin/python
D.#!/usr/local/bin/python3
AnswerA

env uses PATH to locate python3, making it portable across different systems.

Why this answer

Option A is correct because `#!/usr/bin/env python3` asks `env` to find `python3` on the caller's `PATH`, so the script runs wherever Python 3 is installed (`/usr/bin/python3` on Debian and RHEL families, `/usr/local/bin/python3` for source builds, a virtualenv's `bin/` when one is activated) without hardcoding a location. The flip side is worth knowing: because the interpreter is resolved from `PATH`, a script run from cron, under `sudo`, or with elevated privileges may pick up a different `python3` than the one you tested with, including one an attacker placed earlier in the path, so system and privileged scripts usually pin an absolute path instead, trading portability for predictability.

Exam trap

CompTIA often tests the misconception that hardcoding a common path like `/usr/bin/python` is safe, but the trap is that this path may point to Python 2 on many systems, while the question explicitly requires Python 3 and maximum portability.

How to eliminate wrong answers

Option B is wrong because `/bin/python` is a hardcoded path that often points to Python 2 on many systems, not Python 3, and may not exist at all on modern distributions that have moved Python 3 to `/usr/bin/python3`. Option C is wrong because `#!/usr/bin/python` is a hardcoded path that typically refers to Python 2 on many systems (e.g., RHEL/CentOS 7) and may not be present or may point to a different version, reducing portability. Option D is wrong because `#!/usr/local/bin/python3` is a hardcoded path that assumes Python 3 is installed in `/usr/local/bin`, which is not the default location on most Linux distributions (e.g., Debian/Ubuntu use `/usr/bin/python3`), breaking portability.

326
MCQmedium

Based on the exhibit, why does the mv command fail?

A.The user has exceeded the disk quota on the /etc partition.
B.The /etc filesystem is mounted read-only.
C.SELinux is preventing the move due to file context mismatch.
D.The /etc directory does not have write permissions for root.
AnswerC

SELinux enforcing mode and context mismatch cause denial.

Why this answer

Option C is correct because SELinux applies mandatory access control on top of the standard permission bits, so an operation can be denied even when DAC allows it and the user is root. The detail that matters with `mv` is that it keeps the file's existing label instead of applying the target directory's default (which `cp` would do): whether the operation is permitted depends on the process domain's rights over the source and target types, not on the permission bits, so a file labeled `user_home_t` moved into `/etc` (where `etc_t` is expected) can be refused or, where it succeeds, left unreadable by the services that need it. The `mv` command fails with 'Permission denied' and the denial is logged as an AVC record in `/var/log/audit/audit.log`; `ausearch -m avc -ts recent` shows it, and `restorecon -v` on the file resets the label to the directory's default.

Exam trap

CompTIA often tests the distinction between DAC (standard Linux permissions) and MAC (SELinux) by presenting a scenario where root appears to have permission but the command still fails, leading candidates to overlook SELinux and incorrectly blame filesystem mount options or directory permissions.

How to eliminate wrong answers

Option A is wrong because quotas apply to ordinary users on filesystems where they are enabled, which /etc's filesystem normally is not, and a quota violation reports 'Disk quota exceeded', not 'Permission denied'. Option B is wrong because a read-only filesystem fails with 'Read-only file system' for every user, root included. Option D is wrong because root holds CAP_DAC_OVERRIDE and is not subject to the directory's permission bits at all; the only layer that can still refuse root here is the mandatory one, SELinux.

327
Multi-Selecthard

A Linux system is experiencing kernel panics after a recent update. The administrator wants to boot into a previous kernel version to restore functionality. Which three steps are required to achieve this? (Select THREE).

Select 3 answers
A.After booting, edit /etc/default/grub and set GRUB_DEFAULT to the saved entry, then run update-grub
B.At the GRUB menu, press 'e' to edit the boot entry
C.Run 'yum reinstall kernel' to revert to the previous version
D.Edit /etc/fstab to change root filesystem parameters
E.Select the old kernel from the 'Advanced options for Ubuntu' submenu
AnswersA, B, E

Makes the old kernel the default for future boots.

Why this answer

Option A is correct because the choice made at the GRUB menu lasts for one boot only. To make the old kernel the default, edit /etc/default/grub so that `GRUB_DEFAULT=saved`, then either set `GRUB_SAVEDEFAULT=true` (GRUB records whichever entry was last booted) or pin an entry explicitly with `grub-set-default`, and run `update-grub` (a wrapper around `grub-mkconfig -o /boot/grub/grub.cfg`) to regenerate the configuration. Options B and E are the boot-time steps: the 'Advanced options' submenu lists every installed kernel, and 'e' opens the selected entry for a one-off edit, for example to add a kernel parameter while diagnosing the panic.

Exam trap

CompTIA often tests the distinction between temporary boot fixes (editing GRUB entries at boot time) and permanent configuration changes (editing /etc/default/grub and running update-grub), and candidates may mistakenly think that reinstalling the kernel package reverts to a previous version.
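Making the previous kernel the persistent default, as an added example rather than text from the question bank. The function edits a grub defaults file idempotently so it can be rehearsed on a copy; the kernel entry name in the comments is an assumption for illustration.

```shell
#!/bin/sh
# Added example: pin the previous kernel as the persistent GRUB default.
# After the one-off boot from the GRUB menu, record the choice in
# /etc/default/grub and regenerate grub.cfg.

# pin_grub_default FILE: set GRUB_DEFAULT=saved and GRUB_SAVEDEFAULT=true,
# replacing existing lines or appending; running it twice changes nothing.
pin_grub_default() {
    f=$1
    for kv in 'GRUB_DEFAULT=saved' 'GRUB_SAVEDEFAULT=true'; do
        key=${kv%%=*}
        if grep -q "^${key}=" "$f"; then
            sed -i "s|^${key}=.*|${kv}|" "$f"
        else
            printf '%s\n' "$kv" >> "$f"
        fi
    done
}

# On the live system (as root), after pin_grub_default /etc/default/grub:
#   grub-set-default 'Advanced options for Ubuntu>Ubuntu, with Linux 5.4.0-42-generic'
#   update-grub             # same as grub-mkconfig -o /boot/grub/grub.cfg
# (The entry name above is an assumed example; `grep menuentry /boot/grub/grub.cfg`
# lists the real ones.) Both grub-set-default and GRUB_SAVEDEFAULT rely on
# /boot/grub/grubenv being writable by GRUB at boot, which it is not when /boot
# lives on LVM, RAID or btrfs; there, keep GRUB_DEFAULT=saved with grub-set-default
# run from Linux and leave GRUB_SAVEDEFAULT unset.

# Demonstration on a constructed copy of the defaults file:
tmp=$(mktemp -d)
printf 'GRUB_DEFAULT=0\nGRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX=""\n' > "$tmp/grub"
pin_grub_default "$tmp/grub"
cat "$tmp/grub"
rm -rf "$tmp"
```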

328
MCQmedium

A server running Ubuntu 20.04 has a custom application that is started as a systemd service. The service often fails to start after a system reboot, although it can be started manually with 'systemctl start myapp' without errors. The administrator checks the service status after boot and sees 'Failed to start myapp.service: Unit is not loaded properly: Invalid argument'. Which of the following is the most likely cause of this issue?

A.The service binary does not exist at the specified path.
B.The ExecStart line in the unit file contains an invalid parameter or malformed path.
C.The service uses a Type=oneshot but no RemainAfterExit=yes is set.
D.The service file has a missing [Install] section.
AnswerB

Invalid arguments in ExecStart cause 'Invalid argument' error during loading.

Why this answer

Option B is correct. 'Unit is not loaded properly: Invalid argument' means systemd rejected the unit file while parsing it, and by far the most common trigger is an ExecStart= whose command is not an absolute path or whose argument quoting is malformed. `systemd-analyze verify /etc/systemd/system/myapp.service` names the offending line, and `systemctl daemon-reload` must follow any edit.

Option A would fail at execution time with 'Failed at step EXEC spawning ...: No such file or directory', not at load time, and the successful manual start shows the binary is present. Option C produces no error at all; the unit simply returns to inactive once its command finishes. Option D makes `systemctl enable` fail with 'The unit files have no installation config', so the unit would never be scheduled at boot, but it still loads without complaint.
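A quick way to catch the relative-path mistake without a running systemd, as an added example (not from the question bank): the function lints `ExecStart=` lines of a unit file, accepting systemd's `-`, `@`, `:`, `+`, `!` and `!!` prefixes, and the unit files it is run against are constructed.

```shell
#!/bin/sh
# Added example: lint ExecStart= lines for the most common cause of
# "Unit is not loaded properly: Invalid argument": a command that is not an
# absolute path. `systemd-analyze verify` reports this too; this check is
# useful in CI, where systemd is not running.
check_execstart() {
    # $1: path to a unit file. Prints one line per finding, exits 1 if any
    # ExecStart command is not absolute.
    awk -F= '
        $1 == "ExecStart" {
            val = $2
            sub(/^[ \t]+/, "", val)
            sub(/^"/, "", val)             # a quoted path is still a path
            sub(/^[-@:+!]+/, "", val)      # strip prefixes: -, @, :, +, !, !!
            split(val, parts, " ")
            cmd = parts[1]
            if (cmd == "") {
                # ExecStart= alone is legal: it resets earlier ExecStart values
                print "empty ExecStart (resets earlier ExecStart lines)"
            } else if (cmd !~ /^\//) {
                print "ExecStart not absolute: " cmd
                bad++
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demonstration on two constructed unit files:
tmp=$(mktemp -d)
printf '[Service]\nExecStart=myapp --serve\n' > "$tmp/bad.service"
printf '[Service]\nExecStart=-/usr/local/bin/myapp --serve\n' > "$tmp/good.service"
check_execstart "$tmp/bad.service"  || echo "bad.service: fix the path, then systemctl daemon-reload"
check_execstart "$tmp/good.service" && echo "good.service: ExecStart OK"
rm -rf "$tmp"
```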

329
MCQhard

An administrator is configuring a chroot jail for an SFTP user. Which directive in /etc/ssh/sshd_config is used for this purpose?

A.ChrootDirectory /home/%u
B.Subsystem sftp internal-sftp
C.ForceCommand internal-sftp
D.Match Group sftpusers
AnswerA

This sets the chroot directory for the user.

Why this answer

The ChrootDirectory directive in /etc/ssh/sshd_config specifies the directory that sshd will chroot into for the session. With /home/%u, %u is replaced by the username, so each SFTP user is confined to their own home directory tree. Two details decide whether it works in practice: every path component of the chroot directory must be owned by root and not writable by group or others (otherwise sshd logs 'bad ownership or modes for chroot directory' and drops the session), so the user normally gets a writable subdirectory such as /home/%u/upload; and the directive is usually placed inside a `Match Group sftpusers` block together with `ForceCommand internal-sftp`, so that only the SFTP group is jailed and those users cannot obtain a shell.

Exam trap

The trap here is that candidates confuse the directive that enables SFTP (Subsystem or ForceCommand) with the directive that actually creates the chroot jail (ChrootDirectory), leading them to select a functional but incomplete option.

How to eliminate wrong answers

Option B is wrong because Subsystem sftp internal-sftp enables the built-in SFTP subsystem but does not itself enforce a chroot jail; it must be combined with ChrootDirectory or other restrictions. Option C is wrong because ForceCommand internal-sftp forces the user to use only SFTP (not SSH shell), but it does not confine the user to a specific directory; chroot requires ChrootDirectory. Option D is wrong because Match Group sftpusers is a conditional block that applies settings to a group, but it is not a directive that sets the chroot path; ChrootDirectory must be placed inside or outside the Match block to actually define the jail.
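Below, as an added example that is not part of the question bank, are a complete `sshd_config` fragment for a chrooted SFTP group and a check for the ownership and mode requirement that sshd enforces on the chroot path. The group name `sftpusers` comes from the question; the user-writable `upload` subdirectory is an assumption.

```shell
#!/bin/sh
# Added example: sshd_config fragment for a chrooted SFTP group, plus a check
# for the rule that makes most chroot setups fail: every directory from /
# down to the ChrootDirectory must be root-owned and not group/other writable.

# Fragment to append to /etc/ssh/sshd_config. There must be only one sftp
# Subsystem line in the file; validate with `sshd -t` before restarting sshd.
sshd_sftp_fragment() {
    cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftpusers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# mode_is_safe OCTAL: true if neither group nor others have the write bit.
# Works for 3- or 4-digit modes (755, 1777) by looking at the last two digits.
mode_is_safe() {
    go=${1#"${1%??}"}                 # last two octal digits: group, other
    g=${go%?}; o=${go#?}
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# check_chroot_dir DIR: walk from DIR up to /, reporting the first component
# that sshd would reject ("bad ownership or modes for chroot directory").
check_chroot_dir() {
    d=$1
    while :; do
        uid=$(stat -c '%u' "$d") || return 2
        mode=$(stat -c '%a' "$d") || return 2
        if [ "$uid" -ne 0 ]; then
            printf 'not root-owned: %s (uid %s)\n' "$d" "$uid"; return 1
        fi
        if ! mode_is_safe "$mode"; then
            printf 'group/other writable: %s (mode %s)\n' "$d" "$mode"; return 1
        fi
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# Usage on the server: check_chroot_dir /home/alice && echo "chroot path OK"
# The user still needs somewhere to write, e.g. /home/alice/upload owned by alice
# (the jail root itself stays root-owned and 755).
sshd_sftp_fragment
```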

330
MCQeasy

A Linux administrator needs to implement file integrity monitoring to detect unauthorized changes to critical system binaries. The administrator decides to use the 'aide' tool. After installing AIDE and initializing the database with 'aide --init', the database is placed at /var/lib/aide/aide.db.new.gz. The administrator then runs 'aide --check' and receives several warnings about files in /tmp being modified. However, the administrator is not concerned about /tmp. What is the simplest way to exclude the /tmp directory from future checks?

A.Run 'aide --update' to update the database with current state of /tmp
B.Move the database to a different location so /tmp is not included
C.Run 'aide --check --verbose' to see more details and manually ignore /tmp messages
D.Edit /etc/aide.conf to add a '!/tmp' directive to exclude /tmp from checking, then run 'aide --init' to rebuild the database
AnswerD

The exclamation mark in aide.conf excludes a directory from monitoring.

Why this answer

Option D is correct because AIDE decides what to monitor from its configuration file (/etc/aide.conf on RHEL-family systems, /etc/aide/aide.conf on Debian-family ones), not from the database. Adding a `!/tmp` rule excludes the /tmp tree from all future checks. After editing the configuration, `aide --init` rebuilds the database under the new rules; remember that the fresh database is written to the `database_out` path (here /var/lib/aide/aide.db.new.gz) and must be moved to the `database` path (typically /var/lib/aide/aide.db.gz) before `aide --check` will use it, otherwise checks keep comparing against the old baseline.

Exam trap

The trap here is that candidates may think '--update' or moving the database will exclude directories, when in fact only the configuration file controls which paths are monitored.

How to eliminate wrong answers

Option A is wrong because 'aide --update' updates the database to reflect the current state of /tmp, which would record the modified files as the new baseline, not exclude /tmp from future checks. Option B is wrong because moving the database does not change the configuration; AIDE still checks the paths defined in /etc/aide.conf, and /tmp would remain included. Option C is wrong because '--check --verbose' only provides more detailed output but does not suppress warnings or alter the configuration; the administrator would still see warnings about /tmp in every subsequent check.

331
MCQhard

A server running Ubuntu 22.04 has AppArmor enabled. After installing a new application, the application is denied access to certain files even though the permissions are correct. The administrator checks the AppArmor profile and finds it is in enforce mode. Which command can be used to temporarily set the profile to complain mode to generate log entries for needed accesses?

A.systemctl restart apparmor
B.aa-enforce /usr/bin/application
C.aa-complain /usr/bin/application
D.apparmor_parser -r /etc/apparmor.d/usr.bin.application
AnswerC

Sets profile to complain mode, logging denials.

Why this answer

Option C, `aa-complain /usr/bin/application`, is correct because it switches the application's AppArmor profile to complain mode, which logs policy violations as AppArmor events without blocking access. The administrator exercises the application, reviews the events (`journalctl -k`, `dmesg`, /var/log/syslog, or `ausearch -m AVC` where auditd is running), and can run `aa-logprof` to turn the logged accesses into profile rules before returning the profile to enforce mode with `aa-enforce`. `aa-status` confirms which mode each profile is in.

Exam trap

The trap here is that candidates confuse `aa-complain` with `aa-enforce` or think that restarting the AppArmor service or reloading the profile will change the mode, when in fact only `aa-complain` or `aa-enforce` directly alter the profile's operational mode.

How to eliminate wrong answers

Option A is wrong because `systemctl restart apparmor` restarts the entire AppArmor service, which does not change the mode of an individual profile to complain mode; it only reloads all profiles in their current state. Option B is wrong because `aa-enforce /usr/bin/application` sets the profile to enforce mode, which is the opposite of what is needed—it would continue blocking access rather than logging. Option D is wrong because `apparmor_parser -r /etc/apparmor.d/usr.bin.application` reloads the profile from disk but does not change its mode; the profile remains in enforce mode if that is how it was defined.

332
MCQmedium

A systems administrator wants to build a custom Docker image from a Dockerfile located in the current directory. Which command should be used?

A.docker create .
B.docker commit .
C.docker build .
D.docker image build .
AnswerC

Builds from Dockerfile.

Why this answer

The `docker build .` command reads the Dockerfile from the current directory and builds a custom Docker image from its instructions. This is the standard command for building an image from a Dockerfile, where the dot represents the build context (the current directory).

Exam trap

The trap here is that candidates may think `docker commit` builds from a Dockerfile, when it snapshots a container's filesystem changes into an image. `docker image build` is a legitimate management-command form of `docker build`; the exam treats `docker build .` as the canonical answer.

How to eliminate wrong answers

Option A is wrong because `docker create .` creates a container from an existing image; it expects an image name, not a build context. Option B is wrong because `docker commit .` creates an image from a container's changes; it requires a container ID or name, not a directory. Option D is the weaker choice rather than an invalid one: `docker image build .` is the management-command alias of `docker build .` and produces the same result, but CompTIA expects the canonical short form. In practice add `-t name:tag` to either form so the built image is not left dangling and untagged.

333
MCQhard

A system administrator is using Ansible to deploy a web application across multiple servers. The playbook uses a variable `app_version` defined in a group_vars file for the `webservers` group. The playbook fails with the error: 'ERROR! 'app_version' is undefined'. The administrator confirms that the variable is correctly spelled and defined in `/etc/ansible/group_vars/webservers`. The playbook runs successfully on the Ansible control node but fails on all managed nodes. What is the most likely cause of this error?

A.The variable `app_version` is misspelled in the task.
B.The group_vars file is not being loaded because the inventory path is not correctly specified.
C.The playbook uses `loop` keyword incorrectly.
D.The playbook is missing a `vars_files` directive to include the variable file.
AnswerB

Ansible loads group_vars relative to the inventory; incorrect path causes undefined variables.

Why this answer

The error 'app_version' is undefined despite the variable being defined in `/etc/ansible/group_vars/webservers` means Ansible is not loading that group_vars file. Ansible looks for `group_vars/` in two places: the directory containing the inventory file and the directory containing the playbook. `/etc/ansible/group_vars/` is therefore picked up only when the inventory in use is the default `/etc/ansible/hosts`; if `ansible.cfg` or `-i` points at another inventory (for example `./inventory/hosts`), Ansible looks for `./inventory/group_vars/webservers` instead and the variable is undefined. `ansible-inventory -i <inventory> --host <node>` prints exactly which variables a host receives and is the fastest way to confirm where the file should live.

Exam trap

The trap here is that candidates assume group_vars files are always loaded from a global path like `/etc/ansible/group_vars/`, but Ansible loads them relative to the inventory directory or the playbook directory, so the global path only works while the default inventory is in use.

How to eliminate wrong answers

Option A is wrong because the administrator confirmed the variable is correctly spelled in the task, so a misspelling is not the issue. Option C is wrong because the error message is about an undefined variable, not a loop syntax error; an incorrect `loop` keyword would produce a different error like 'ERROR! 'loop' is not a valid attribute'. Option D is wrong because group_vars files are automatically loaded by Ansible based on the inventory group name; a `vars_files` directive is not required for group_vars, only for custom variable files not following the group_vars naming convention.

334
MCQmedium

A company policy requires that only the root user can schedule cron jobs. Which configuration ensures this?

A.Create /etc/cron.allow with only 'root'
B.Add 'root' to /etc/crontab
C.Set /usr/bin/crontab permissions to 700
D.Add all non-root users to /etc/cron.deny
AnswerA

If /etc/cron.allow exists, only users listed can use crontab. Listing only root restricts it to root.

Why this answer

Option A is correct because /etc/cron.allow, when it exists, is an allowlist: only the users named in it may run `crontab`, so a file containing just `root` restricts scheduling to root (cron.allow takes precedence over cron.deny, and the superuser is permitted regardless). Option B is wrong because /etc/crontab holds system-wide job definitions and plays no part in who may use `crontab`. Option C is wrong because `crontab` is setuid root by design; setting its mode to 700 would stop ordinary users running it but breaks the intended privilege model and is undone by the next package update.

Option D is wrong because /etc/cron.deny is a denylist that has to be maintained as users are added; the single allowlist entry achieves the same result with no drift.

335
Matchingmedium

Match each Linux networking command to its purpose.

Pairings (each description is the tool's man-page summary):

ip: Show/manipulate routing, devices, tunnels

ss: Investigate sockets

nmcli: Manage NetworkManager

tcpdump: Capture network packets

nmap: Network exploration/security scanning

Why these pairings

`ip` (iproute2) replaced `ifconfig` and `route` for interface, address and routing management; `ss` replaced `netstat` for socket inspection and shows the owning process with `-p`; `nmcli` is the command-line front end to NetworkManager; `tcpdump` captures packets from an interface with BPF filter expressions; `nmap` discovers hosts and open ports, and is as useful for checking your own exposure as it is to an attacker, so run it only against systems you are authorised to scan.

336
MCQhard

A system administrator is investigating why a particular process is not responding. They run strace on the process but get no output. What could be the most likely reason?

A.The process is already being traced by another strace instance.
B.The administrator does not have permission to trace that process.
C.The process is a kernel thread.
D.The process is a zombie process.
AnswerB

Attaching needs root (CAP_SYS_PTRACE) or the same UID as the target, and where Yama is enabled with `kernel.yama.ptrace_scope=1` (the Ubuntu default) even a same-UID attach to a process that is not your descendant is refused. The refusal goes to stderr, so a run like `strace -p PID > trace.txt` looks as if it produced nothing.

Why this answer

The most likely reason strace produces no output is that the administrator lacks permission to trace the process. strace relies on ptrace(2), which requires either CAP_SYS_PTRACE (root) or the same user ID as the target, a target that is dumpable (not marked non-dumpable via prctl(PR_SET_DUMPABLE, 0), which also happens automatically after a setuid transition), and, where Yama is active, a ptrace_scope that allows the attach. When the attach is refused strace writes 'attach: ptrace(PTRACE_SEIZE, PID): Operation not permitted' to stderr and exits; if stderr was redirected or overlooked, the administrator sees an empty trace. Check `cat /proc/sys/kernel/yama/ptrace_scope` and `ps -o uid,pid,comm -p PID`, then retry with `sudo strace -p PID`.

Exam trap

CompTIA often tests the misconception that strace always produces output or that a permission problem is obvious; in fact the error goes to stderr (which a redirect of stdout hides), strace writes its trace to stderr as well by default, and a process that is simply idle in a blocking system call shows nothing new until that call returns.

How to eliminate wrong answers

Option A is wrong because if the process were already being traced by another strace instance, strace would typically report an error such as 'ptrace: Operation not permitted' or 'ptrace: Device or resource busy', not produce no output. Option C is wrong because kernel threads are not user-space processes and cannot be traced with strace; attempting to attach would result in an immediate error, not silent no output. Option D is wrong because a zombie process has already terminated and has no executable code to trace; strace would fail to attach with an error like 'No such process' or 'ESRCH'.

337
MCQmedium

An Ansible playbook includes the following task: 'ansible.builtin.service: name=nginx state=restarted'. However, the playbook fails with 'module not found'. What is the most likely cause?

A.The playbook is not in the correct directory.
B.The module name uses the wrong FQCN. The correct module is 'ansible.builtin.systemd_service'.
C.The target host does not have nginx installed.
D.The control node does not have Python installed.
AnswerB

Option B is the key. Note, however, that `ansible.builtin.service` is a valid, current module that has not been replaced; `ansible.builtin.systemd_service` is the renamed systemd-specific module (ansible-core 2.15 and later, previously `ansible.builtin.systemd`).

Why this answer

A 'module not found' error (current releases phrase it as "couldn't resolve module/action") means Ansible could not resolve the name used in the task. The names that actually exist are `ansible.builtin.service`, which is init-system agnostic and delegates to systemd, SysV or whatever the host uses, and `ansible.builtin.systemd_service`, the systemd-only module that ansible-core 2.15 introduced as the new name of `ansible.builtin.systemd` (the old name remains as an alias). As written, the task in the question uses a valid name, so in practice this error points to a typo in the FQCN, a collection that is not installed on the control node, or an ansible-core release older than the name being used; `ansible-doc -t module ansible.builtin.service` confirms what the installed version can resolve.

Exam trap

The trap here is assuming that a systemd-specific module must be used because `state=restarted` is given; `ansible.builtin.service` handles restarts on any init system, and `systemd_service` only matters when systemd-specific options such as `daemon_reload`, `masked` or `scope` are needed.

How to eliminate wrong answers

Option A is wrong because the playbook's directory location does not affect module resolution; Ansible searches for modules in its configured library paths and collections, not the playbook's directory. Option C is wrong because the error is 'module not found', not a failure related to nginx not being installed; if nginx were missing, the error would be about package or service state, not module resolution. Option D is wrong because the control node's Python installation is not the direct cause of a 'module not found' error; Python is required for module execution, but the error here is about the module name not being recognized by Ansible's module loader.

338
MCQhard

Refer to the exhibit. A remote user is unable to SSH to the server. Based on the journalctl output, what is the most likely cause?

A.The user is entering the wrong password
B.The SSH service is not running
C.The user's IP address is in the hosts.deny file
D.The SSH port is blocked by a firewall
AnswerA

Failed password attempt is logged.

Why this answer

The journalctl output shows 'Failed password for user' followed by 'Connection closed by authenticating user', which indicates that the SSH authentication process was attempted but failed due to an incorrect password. This log entry is generated by the SSH daemon (sshd) when a password authentication attempt fails, and the connection is subsequently closed. No other errors (e.g., connection refused, timeout, or denied by hosts.deny) are present, making incorrect password the most likely cause.

Exam trap

CompTIA often tests the distinction between authentication failures (password/keys) and connectivity failures (service down, firewall, hosts.deny) — the trap here is that candidates see 'Connection closed' and assume a firewall or hosts.deny block, but the 'Failed password' line clearly pinpoints the authentication phase.

How to eliminate wrong answers

Option B is wrong because if the SSH service were not running, the journal would show no sshd activity for the attempt at all (or, if sshd failed to start, 'fatal: Cannot bind any address'), not a failed password attempt. Option C is wrong because a hosts.deny match, on older OpenSSH builds that still link libwrap, logs 'refused connect from [IP]' before any authentication happens; there is no password failure. Option D is wrong because a firewall blocking port 22 prevents the TCP connection entirely, so the client sees 'Connection timed out' or 'No route to host' and nothing reaches the server's log.
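Pulling the authentication-failure lines out of the journal and counting them per user and source, as an added example (not from the question bank); the journal lines are constructed, and the unit name in the usage comment assumes a Debian-family host.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts per user and source
# address from journal output. SAMPLE_JOURNAL is constructed; on a live host use
#   journalctl -u ssh -o short --since today | failed_logins
# (the unit is named sshd on RHEL-family systems).
SAMPLE_JOURNAL='Jan 14 09:12:01 web01 sshd[2231]: Failed password for alice from 203.0.113.5 port 51022 ssh2
Jan 14 09:12:03 web01 sshd[2231]: Connection closed by authenticating user alice 203.0.113.5 port 51022 [preauth]
Jan 14 09:12:10 web01 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Jan 14 09:12:12 web01 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Jan 14 09:12:20 web01 sshd[2251]: Accepted publickey for bob from 203.0.113.9 port 51100 ssh2: ED25519
Jan 14 09:12:30 web01 sshd[2260]: Connection closed by 192.0.2.4 port 60000 [preauth]'

# failed_logins: one line per (user, source) with the attempt count, busiest first.
# Usernames that do not exist on the host are tagged "(invalid)": repeated
# invalid-user attempts are the signature of a password-guessing scan rather
# than a real user mistyping a password.
failed_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")
                    user = (($(i+1) == "invalid") ? ($(i+3) "(invalid)") : $(i+1))
                if ($i == "from") ip = $(i+1)
            }
            count[user " " ip]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_JOURNAL" | failed_logins
```

A single failure for a known user from a familiar address is the question's scenario; many failures for invalid users from one address is brute forcing, and the same counting is what fail2ban performs before banning the source.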

339
MCQmedium

A newly configured DNS server is unable to resolve any queries from clients. The server is running and network connectivity is verified. What should the administrator check first?

A.Check /etc/resolv.conf on clients
B.Check if DNS service is bound to the loopback address
C.Check if the DNS service is listening on UDP port 53
D.Reboot the DNS server
AnswerC

If the service is not listening, queries cannot be answered.

Why this answer

The most common reason a running DNS server with working connectivity answers nothing is that the service is not actually listening on port 53. `ss -ulnp | grep :53` (and `ss -tlnp | grep :53`, since zone transfers and large responses use TCP 53) shows whether anything is bound to the port and on which addresses; a listener bound only to 127.0.0.1 is just as invisible to clients as no listener at all. A local query such as `dig @127.0.0.1 example.com` then separates a bind problem from a zone or recursion problem. This is the first logical step before touching client configuration or rebooting.

Exam trap

The trap here is that candidates often jump to checking client-side resolv.conf or rebooting the server, overlooking the simple verification of whether the DNS service is actually listening on the correct port and protocol (UDP 53) as the first logical troubleshooting step.

How to eliminate wrong answers

Option A is wrong because /etc/resolv.conf on clients defines which DNS servers to query, but the issue is that the server itself cannot resolve queries, not that clients are misconfigured. Option B is wrong because checking if the DNS service is bound to the loopback address (127.0.0.1) would only matter if the server were meant to serve only localhost; the problem is about external queries failing, and binding to loopback would prevent external access, but the more fundamental check is whether the service is listening at all on the correct port. Option D is wrong because rebooting the server is a brute-force, non-diagnostic step that should only be considered after verifying service configuration and port availability; it does not identify the root cause.

340
MCQeasy

A technician needs to find out which port the SSH daemon is listening on. Which command will show this information?

A.lsof -i :22
B.nmap -p 22 localhost
C.netstat -i
D.ss -tlnp
AnswerD

Lists all listening TCP sockets with port numbers and process info.

Why this answer

The `ss -tlnp` command displays listening TCP sockets with numeric addresses and the associated process information. The `-t` flag filters for TCP, `-l` shows only listening sockets, `-n` prevents DNS resolution, and `-p` reveals the PID and program name. Since SSH daemon (sshd) listens on TCP port 22 by default, this command will show the listening port and the sshd process.

Exam trap

The trap here is that candidates often choose `lsof -i :22` because it shows port 22 activity, but they overlook that it does not specifically filter for listening sockets and may require elevated privileges, whereas `ss -tlnp` is the precise tool for listing listening daemons.

How to eliminate wrong answers

Option A is wrong because `lsof -i :22` shows all open files related to port 22, including established connections, not just the listening daemon; it also requires root privileges to see all processes and may not be installed by default. Option B is wrong because `nmap -p 22 localhost` performs a port scan, which tests connectivity to port 22 but does not show which process is listening or the daemon's configuration; it is a scanning tool, not a process inspection tool. Option C is wrong because `netstat -i` displays interface statistics (packets, errors, etc.), not listening ports or socket information; it is unrelated to finding the SSH daemon's listening port.
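Both of the preceding questions reduce to reading `ss` output correctly. The added example below (not from the question bank) parses constructed `ss -tulnp` output, reports which process owns a given port, and flags sockets bound only to loopback, which is the case option B of question 339 describes.

```shell
#!/bin/sh
# Added example: which process listens on a port, and whether it is reachable
# beyond localhost, from `ss -tulnp` output. SAMPLE_SS is constructed; on a
# live host run as root so the Process column is populated:
#   ss -tulnp | listeners_on_port 53
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:53        0.0.0.0:*         users:(("named",pid=812,fd=20))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      511    127.0.0.1:8080      0.0.0.0:*         users:(("myapp",pid=1200,fd=5))'

# listeners_on_port PORT: print "proto address process [loopback-only]" for
# every socket bound to PORT. Loopback-only sockets are flagged because a
# service bound to 127.0.0.1 is "running and listening" yet unreachable by clients.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "Netid" { next }
        NF >= 6 {
            n = split($5, a, ":")
            p = a[n]
            addr = substr($5, 1, length($5) - length(p) - 1)
            if (p != port) next
            proc = "-"                      # no -p, or not root: column is absent
            if (match($7, /\("[^"]+"/)) proc = substr($7, RSTART + 2, RLENGTH - 3)
            flag = (addr ~ /^127\./ || addr ~ /^\[::1\]/) ? " loopback-only" : ""
            print $1, addr, proc flag
        }'
}

# wildcard_listener PORT: succeed if at least one socket on PORT accepts
# connections from outside the host (bound to something other than loopback).
wildcard_listener() {
    listeners_on_port "$1" | grep -qv 'loopback-only$'
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SS" | listeners_on_port 53
printf '%s\n' "$SAMPLE_SS" | listeners_on_port 22
```

Without root, `ss -p` omits the Process column for other users' sockets and the function prints `-`; that is the same limitation the answer notes for `lsof`.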

341
MCQeasy

A system administrator needs to ensure that only specific users can execute the 'sudo' command. Which configuration file should be modified?

A./etc/sudoers
B./etc/shadow
C./etc/passwd
D./etc/group
AnswerA

This file specifies which users or groups can run sudo and which commands.

Why this answer

The /etc/sudoers file (together with drop-in files under /etc/sudoers.d/) controls which users and groups can execute commands with elevated privileges through sudo. Entries such as 'alice ALL=(ALL) ALL' or '%admins ALL=(ALL) ALL' grant access, and the file must be edited with `visudo` (or checked with `visudo -cf /etc/sudoers.d/name` for a drop-in) so that a syntax error cannot lock everyone out of administrative access. Editing this file is the standard method for granting or restricting sudo on Linux systems; restricting it to specific users means removing the broad group rules (for example '%sudo' or '%wheel') and listing the intended users or a dedicated group instead.

Exam trap

CompTIA often tests the misconception that /etc/group or /etc/passwd controls sudo privileges, but only /etc/sudoers (or files in /etc/sudoers.d/) defines sudo access, and it must be edited with visudo to enforce syntax checking.

How to eliminate wrong answers

Option B is wrong because /etc/shadow stores encrypted user passwords and password aging information, not sudo permissions. Option C is wrong because /etc/passwd contains basic user account information (username, UID, GID, home directory, shell) but does not control sudo access. Option D is wrong because /etc/group defines user group memberships, but sudo privileges are not managed through this file; while groups can be referenced in /etc/sudoers, the file itself is not the configuration file for sudo permissions.

342
MCQhard

A script needs to iterate over all .txt files in a directory. Which loop structure correctly implements this?

A.while read line; do
B.select option; do
C.until condition; do
D.for f in *.txt; do
AnswerD

This bash loop iterates over each .txt file in the current directory.

Why this answer

The `for f in *.txt; do` loop is correct because the shell expands `*.txt` into the list of matching filenames in the current directory and iterates over each one; it is the standard, efficient way to process files matching a pattern in Bash and POSIX sh. Two habits make it safe in scripts: quote `"$f"` inside the loop because filenames may contain spaces, and guard against an empty match, since a pattern with no matches stays literal and the body then runs once with `f='*.txt'` (bash users can `shopt -s nullglob`; portable scripts test `[ -e "$f" ]`).

Exam trap

The trap here is that candidates may confuse `while read` (which processes lines of text) with iterating over files, or think `select` is a general-purpose loop, when in fact only `for` with a glob pattern directly matches the requirement of iterating over all .txt files.

How to eliminate wrong answers

Option A is wrong because `while read line; do` reads lines from stdin or a file, not filenames matching a pattern, and would require piping `ls *.txt` or similar, which is fragile and not the intended loop for file iteration. Option B is wrong because `select option; do` is used to present a menu of choices to the user for interactive selection, not for iterating over files. Option C is wrong because `until condition; do` runs the loop until a condition becomes true, and does not inherently iterate over a list of files; it would need an explicit counter or file list to work.
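The loop from option D with the two guards a production script needs, as an added example (not from the question bank); the directory contents it demonstrates on are constructed.

```shell
#!/bin/sh
# Added example: the `for f in *.txt` loop done robustly. Two details the
# one-liner in the answer glosses over: (1) when nothing matches, the shell
# leaves the pattern unexpanded and the body runs once with f='*.txt', so test
# that the name exists (bash users can `shopt -s nullglob` instead); (2) always
# quote "$f", because filenames may contain spaces. Prefixing the pattern with
# the directory also stops names that begin with '-' being read as options.
count_txt_files() {
    # $1: directory. Prints each matching basename, then "total=N".
    dir=$1; n=0
    for f in "$dir"/*.txt; do
        [ -e "$f" ] || continue          # no match: skip the literal pattern
        n=$((n + 1))
        printf '%s\n' "${f##*/}"
    done
    printf 'total=%d\n' "$n"
}

# Demonstration on a constructed directory:
tmp=$(mktemp -d)
: > "$tmp/a.txt"; : > "$tmp/b c.txt"; : > "$tmp/notes.md"
mkdir "$tmp/empty"
count_txt_files "$tmp"
count_txt_files "$tmp/empty"
rm -rf "$tmp"
```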

343
MCQhard

An administrator is troubleshooting a web server that is running under SELinux enforcing mode. The web content is located in a non-standard directory /webfiles. Using the standard SELinux context 'httpd_sys_content_t', the files are still inaccessible. Which command will properly set the context recursively and persist across relabels?

A.semanage fcontext -a -t httpd_sys_content_t '/webfiles(/.*)?' ; restorecon -Rv /webfiles
B.chcon -R -t httpd_sys_content_t /webfiles
C.setenforce 0
D.restorecon -Rv /webfiles
AnswerA

semanage adds the context rule to the policy, and restorecon applies it recursively. This persists across relabels.

Why this answer

Option A is correct. `semanage fcontext -a -t httpd_sys_content_t '/webfiles(/.*)?'` records the rule in the policy's file-context database, and `restorecon -Rv /webfiles` applies it to the files that already exist; because the rule lives in the policy store, a later `restorecon` or a full filesystem relabel reproduces it. Option B is wrong because `chcon` changes only the inode labels and is reverted by the next relabel. Option C is wrong because `setenforce 0` switches enforcement off (until the next boot) instead of fixing the labels, and removes every other policy protection with it.

Option D is wrong on its own because `restorecon` can only apply a rule that already exists; without the `semanage` step it would reset /webfiles to its default `default_t` label, which httpd cannot read either.
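For this question and for question 326, the two steps are the same: read the AVC denial to learn which types are involved, then fix the label persistently. The added shell example below (not from the question bank) parses constructed `audit.log` lines and emits the `semanage`/`restorecon` pair; `summarize_avc` can be fed from `ausearch -m avc -ts recent` on a live host.

```shell
#!/bin/sh
# Added example: read AVC denials from audit.log output and show who was
# denied what, then emit the persistent relabel commands. SAMPLE_AUDIT is
# constructed; on a live host feed it from
#   ausearch -m avc -ts recent | summarize_avc
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { write } for  pid=2345 comm="mv" name="app.conf" dev="sda1" ino=1122 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc: "comm denied perm on class: source_type -> target_type"
# The type (third colon-separated field) is what a policy rule is written in
# terms of; the user and role parts rarely matter for file denials.
summarize_avc() {
    awk '/^type=AVC/ && /denied/ {
        comm = "?"; s = "?"; t = "?"; cls = "?"; perm = "?"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); s = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); t = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        printf "%s denied %s on %s: %s -> %s\n", comm, perm, cls, s, t
    }'
}

# fcontext_fix PATH TYPE: the persistent relabel. semanage stores the rule in
# the policy so restorecon or a full relabel (touch /.autorelabel) reproduces
# it; chcon alone would be undone by either.
fcontext_fix() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Demonstration:
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
fcontext_fix /webfiles httpd_sys_content_t
```

The first sample denial is the web-server case (`httpd_t` reading `default_t`, fixed by the emitted commands); the second is the question 326 case, where a file that kept its `user_home_t` label is the problem and `restorecon -v` on that file alone is the fix.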

344
MCQhard

A sysadmin is tasked with creating a script that will run only on weekdays at 9:00 AM using cron. The script should not run on holidays. Which approach best achieves this requirement?

A.Use systemd timers with a calendar specification that excludes holidays
B.Use cron to run at 9:00 on weekdays, and include a test in the script that checks a holiday list
C.Use cron to run at 9:00 every day, and include conditional logic to abort on weekends
D.Use `at` to schedule the job individually each weekday morning
AnswerB

This ensures the script runs on weekdays but can skip holidays by checking within the script.

Why this answer

Option B is correct because cron can schedule the script to run at 9:00 AM on weekdays using the day-of-week field (e.g., `0 9 * * 1-5`), and the script itself can check a holiday list (e.g., a file or API) to exit early on holidays. This approach cleanly separates scheduling from holiday logic, avoiding cron's lack of built-in holiday awareness.

Exam trap

CompTIA often tests the misconception that cron can directly handle holidays, when in fact cron has no concept of holidays and requires external logic (like a script check) to skip them.

How to eliminate wrong answers

Option A is wrong because systemd timers do not natively support excluding arbitrary holidays; they use calendar expressions that can only exclude fixed patterns (e.g., specific dates), not dynamic holiday lists. Option C is wrong because running the script every day and aborting on weekends wastes resources and adds unnecessary complexity; cron's weekday field already handles weekends efficiently. Option D is wrong because using `at` requires manual or scripted scheduling each morning, which is impractical for a recurring weekday job and lacks the built-in weekday filtering that cron provides.
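The holiday check that the correct answer places inside the script, as an added example (written for this edit, not taken from the question bank): the crontab line `0 9 * * 1-5 /usr/local/bin/daily_report.sh` handles the weekday part, and the script compares today's date against a holiday list before doing any work. The script path, the list location /etc/daily_report/holidays.txt and the one-date-per-line format are assumptions; the sample list is constructed.

```shell
#!/bin/sh
# Added example (not from the question bank): the skip-on-holiday check a
# cron job scheduled with `0 9 * * 1-5 /usr/local/bin/daily_report.sh`
# would run first. Paths and the list format are assumptions.

# Return 0 when the given date (YYYY-MM-DD) appears in the holiday file.
# One date per line; blank lines and '#' comment lines are ignored.
is_holiday() {
    holiday_file=$1
    check_date=$2
    [ -r "$holiday_file" ] || return 1
    grep -v '^[[:space:]]*#' "$holiday_file" | grep -qxF "$check_date"
}

# Decide whether the job body should run. Prints "skip" or "run".
# A missing or unreadable list counts as "no holidays", so losing the
# file never silently suppresses the job.
schedule_decision() {
    holiday_file=$1
    today=${2:-$(date +%F)}
    if is_holiday "$holiday_file" "$today"; then
        echo skip
    else
        echo run
    fi
}

# Constructed sample holiday list, used only to exercise the check.
make_sample_holidays() {
    sample_file=$(mktemp)
    cat > "$sample_file" <<'EOF'
# Company holidays (constructed sample data)
2025-01-01
2025-12-25
EOF
    echo "$sample_file"
}

# Entry point when installed as the cron job itself: exit early on a
# holiday, otherwise continue into the job body.
if [ "${0##*/}" = "daily_report.sh" ]; then
    [ "$(schedule_decision /etc/daily_report/holidays.txt)" = run ] || exit 0
    # ... job body would go here ...
fi
```

Exiting with status 0 on a holiday matters for monitoring: cron mails non-zero results (or any output) to the owner, so a deliberate skip should look different from a failure.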

345
MCQeasy

Sarah is a Linux systems administrator for a company that runs a web application inside a Podman container. The container is launched using a systemd service file on a Red Hat Enterprise Linux 8 server. The service file is located at /etc/systemd/system/webapp.service and includes an ExecStart directive that runs `podman run -d --name webapp -p 80:80 nginx`. The server was recently rebooted for kernel updates. After the reboot, the web application is not responding. Sarah logs in and runs `systemctl status webapp.service`, which shows the service is 'disabled' and 'inactive'. She wants to ensure that the container starts automatically after every future reboot. What should Sarah do?

A.Add the line `@reboot /usr/bin/podman start webapp` to root's crontab.
B.Modify the container image to include a restart policy of 'always'.
C.Run `systemctl enable webapp.service` and then start the service.
D.Run `podman generate systemd --new --name webapp` to create a new systemd unit.
AnswerC

Correct: Enabling the systemd service ensures it starts on boot.

Why this answer

Option C is correct because `systemctl enable webapp.service` creates the necessary symlinks to start the service automatically at boot, and `systemctl start webapp.service` immediately starts the container. Since the service is currently disabled and inactive, enabling it ensures the systemd unit is triggered on future reboots, which will execute the `ExecStart` command to run the Podman container.

Exam trap

The trap here is that candidates confuse enabling a systemd service with setting a container's restart policy, thinking that `--restart=always` in the Podman command will survive a reboot, when in fact systemd must be enabled to launch the service after boot.

How to eliminate wrong answers

Option A is wrong because adding a `@reboot` cron job to start the container is a workaround that bypasses systemd's native boot management, leading to potential race conditions and lack of proper dependency handling. Option B is wrong because modifying the container image's restart policy (e.g., `--restart=always`) only affects the container's behavior within Podman, not the systemd service's enablement; after a reboot, the systemd service must be enabled to launch the container. Option D is wrong because `podman generate systemd --new --name webapp` creates a new systemd unit file, but the existing service file at `/etc/systemd/system/webapp.service` already exists and is correctly configured; generating a new unit would be redundant and does not address the need to enable the existing service.

346
MCQhard

A Linux administrator is troubleshooting network connectivity. The server can ping its own IP address but cannot ping the default gateway. The output of 'ip route show' is: 'default via 10.0.0.1 dev eth0 proto static metric 100'. The output of 'ping -c 1 10.0.0.1' fails with 'Destination Host Unreachable'. Which of the following is the MOST likely cause?

A.The eth0 interface is down.
B.The gateway is down or not responding.
C.The default gateway is not set.
D.The subnet mask on eth0 is incorrect, causing the gateway to be considered on a different network.
AnswerD

A wrong subnet mask can make the gateway appear on a different subnet, leading to 'unreachable'.

Why this answer

The server can ping its own IP address, confirming that the local network stack and the eth0 interface are operational. However, the 'Destination Host Unreachable' error when pinging the default gateway (10.0.0.1) indicates that the host does not have a valid route to that destination. Since the default route exists, the most likely cause is an incorrect subnet mask on eth0, which causes the kernel to treat the gateway as being on a different network, thus failing to send ARP requests or forward packets to it.

Exam trap

The trap here is that candidates often assume 'Destination Host Unreachable' always means the gateway is down, but in Linux this error specifically indicates the local host cannot find a layer-2 path to the destination, typically due to a subnet mask mismatch or missing ARP entry.

How to eliminate wrong answers

Option A is wrong because if eth0 were down, the server would not be able to ping its own IP address (127.0.0.1 or the interface IP) successfully, and 'ip route show' would not display a route via eth0. Option B is wrong because the error 'Destination Host Unreachable' is generated by the local host's kernel, not by the remote gateway; if the gateway were down or not responding, the error would be 'Request Timed Out' after ARP resolution succeeds. Option C is wrong because the output of 'ip route show' explicitly shows a default route via 10.0.0.1, so the default gateway is set.

347
MCQeasy

A Linux service fails to start. Which command should the administrator use to examine recent system logs for error messages related to the service?

A.journalctl -xe
B.systemctl list-units
C.tail -f /var/log/messages
D.dmesg -T
AnswerA

Shows recent journal entries with explanations.

Why this answer

The `journalctl -xe` command is correct because it displays the systemd journal with the `-x` flag adding explanatory context to log entries and the `-e` flag jumping to the end of the log, showing the most recent messages. This is the standard way to examine recent system logs for error messages related to a failing service in a systemd-based Linux distribution.

Exam trap

The trap here is that candidates may choose `tail -f /var/log/messages` out of habit from older SysVinit systems, not realizing that systemd-based distributions (which the XK0-005 exam focuses on) use journald as the default logging system, making `journalctl` the correct tool for service-specific log examination.

How to eliminate wrong answers

Option B is wrong because `systemctl list-units` only lists active units and their states, not log messages or error details. Option C is wrong because `tail -f /var/log/messages` follows the traditional syslog file, but many modern distributions (e.g., RHEL 7+, Ubuntu 15.04+) use journald as the primary logging system, so this file may not contain the most recent or complete service logs. Option D is wrong because `dmesg -T` displays kernel ring buffer messages with human-readable timestamps, which are primarily for kernel and hardware-related events, not user-space service errors.

348
MCQhard

A DevOps team wants to automatically run tests before every commit in a local Git repository. Which Git hook should be used?

A.post-receive
B.pre-commit
C.post-commit
D.pre-push
AnswerB

This hook is triggered before the commit is recorded, allowing tests to prevent a failing commit.

Why this answer

The pre-commit hook runs before a commit is created, making it the correct choice for automatically running tests before every commit in a local Git repository. This hook can validate code quality, run unit tests, or check for syntax errors, and if it exits with a non-zero status, the commit is aborted.

Exam trap

The trap here is confusing the timing of Git hooks: candidates often pick pre-push because they think of 'testing before pushing,' but the question explicitly asks about 'before every commit,' which requires the pre-commit hook.

How to eliminate wrong answers

Option A is wrong because post-receive is a server-side hook that runs after updates are pushed to a remote repository, not before a local commit. Option C is wrong because post-commit runs after the commit has already been created, so it cannot prevent a commit from being made. Option D is wrong because pre-push runs before a push to a remote repository, not before a local commit, and it would not catch issues at the commit stage.
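A pre-commit hook of the kind the question describes, as an added example (written for this edit, not from the question bank or from Git itself): it runs a list of checks in order and returns the first failing check's exit status, which git treats as a refusal to create the commit. The concrete checks under the case statement (a syntax pass over *.sh files and `make test`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the question bank): a pre-commit hook that runs a
# series of checks and aborts the commit when one fails. Install it as
# .git/hooks/pre-commit and make it executable. The check commands in the
# case statement are assumptions for illustration.

# Run each "name=command" check in order and stop at the first failure.
# Returns 0 when every check passes, otherwise the failing check's exit
# status, which the hook hands back to git so the commit is refused.
run_checks() {
    while [ $# -gt 0 ]; do
        check_name=${1%%=*}
        check_cmd=${1#*=}
        printf 'pre-commit: %s ... ' "$check_name"
        if sh -c "$check_cmd" >/dev/null 2>&1; then
            echo ok
        else
            check_rc=$?
            echo "FAILED (exit status $check_rc)"
            return "$check_rc"
        fi
        shift
    done
    return 0
}

# Hook entry point: only runs when git invokes this file as the hook.
case "$0" in
    */pre-commit)
        run_checks \
            "shell syntax=for f in *.sh; do [ -e \"\$f\" ] || continue; sh -n \"\$f\" || exit 1; done" \
            "unit tests=make test"
        exit $?
        ;;
esac
```

One caveat a practitioner should keep in mind: hooks under .git/hooks are local to each clone and are skipped by `git commit --no-verify`, so they are a convenience for developers, not an enforcement point. Checks that must hold for everyone belong in the server-side pre-receive hook or the CI pipeline.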

349
MCQmedium

Refer to the exhibit. Users report they cannot SSH to the server. Based on the logs, what is the most likely cause?

A.Firewall is blocking port 22.
B.Host keys are missing or corrupted.
C.The SSH service is not running.
D.SSH configuration has incorrect permissions.
AnswerB

The error explicitly states 'Could not load host key' for multiple key files, leading to a fatal error.

350
MCQhard

An administrator needs to ensure that a script runs once at system initialization, before any network services start. Which systemd target should the script be associated with?

A.multi-user.target
B.basic.target
C.sysinit.target
D.network.target
AnswerC

sysinit.target is intended for early system initialization tasks.

Why this answer

Option C is correct because 'sysinit.target' is designed for early system initialization, before the network is up. Option A is wrong because 'multi-user.target' is the general multi-user target, started after the network. Option B is wrong because 'basic.target' is reached after sysinit.target but before multi-user.target.

Option D is wrong because 'network.target' indicates network services are up.

351
MCQmedium

A cron job that runs a backup script at 2 AM has not been executing. The syslog shows no errors from cron. What is the most likely reason the job is not running?

A.The system time zone is incorrect
B.The filesystem is full
C.The cron daemon (crond) is not running
D.The script has incorrect permissions
AnswerC

Cron jobs require the daemon to be active.

Why this answer

The most likely reason is that the cron daemon (crond) is not running. Cron jobs are executed by the cron daemon, which must be active in the background to read the crontab files and launch scheduled tasks. If crond is stopped or not started, no cron jobs will run, and syslog may not show cron-related errors because the daemon is not logging activity.

Exam trap

The trap here is that candidates assume cron errors must appear in syslog if a job fails, but if the daemon itself is not running, there is no process to generate logs, making the absence of errors a key clue.

How to eliminate wrong answers

Option A is wrong because an incorrect system time zone would cause the job to run at the wrong local time, not prevent execution entirely; cron uses the system's configured time zone. Option B is wrong because a full filesystem would typically cause the script to fail with disk write errors, not prevent the cron daemon from attempting to execute the job. Option D is wrong because incorrect script permissions would cause the script to fail when executed, but cron would still attempt to run it and log an error in syslog or mail to the user.

352
Multi-Selectmedium

Which THREE are valid methods to view logs in a systemd-based system?

Select 3 answers
A.cat /var/log/messages
B.journalctl
C.journalctl -u sshd
D.systemctl status sshd
E.dmesg
AnswersB, C, E

Displays the systemd journal.

Why this answer

B is correct because `journalctl` is the primary command for querying the systemd journal, which is the default logging system on systemd-based distributions. It provides structured, binary logs with advanced filtering, and is the direct equivalent of viewing logs via the journal.

Exam trap

The trap here is that candidates confuse `systemctl status` (which shows a brief log snippet) with a full log viewing method, or they assume legacy syslog files like `/var/log/messages` are always present and authoritative on systemd-based systems.

353
MCQhard

Refer to the exhibit. A technician sees that the httpd service has failed. Which command was used to view the detailed error log shown in the exhibit?

A.systemctl status httpd
B.journalctl -u httpd
C.tail -f /var/log/messages
D.systemctl show httpd
AnswerB

The output format matches journalctl filtered by service unit.

Why this answer

Option B is correct because the exhibit shows output from 'journalctl -u httpd.service'. Option A, 'systemctl status httpd', shows a different format; Option C, 'tail -f /var/log/messages', might show similar messages but not the logs of the specific service unit; Option D, 'systemctl show httpd', shows service properties, not logs.

354
Multi-Selecteasy

Which two commands can be used to view the SELinux context of files or processes?

Select 2 answers
A.chcon
B.getenforce
C.setenforce
D.ps auxZ
E.ls -Z
AnswersD, E

ps auxZ displays the SELinux context of processes.

Why this answer

Options D and E are correct. ls -Z displays file contexts; ps auxZ displays process contexts. getenforce shows the enforcement mode; chcon changes a context; setenforce changes the mode.

355
MCQeasy

A technician needs to identify the network interface configuration and IP address of a system. Which command provides the most comprehensive output for this task?

A.nmcli dev show
B.ip addr show
C.netstat -i
D.ifconfig
E.hostname -I
AnswerB

Shows all interfaces with IP addresses.

Why this answer

Option B is correct because `ip addr show` displays all network interfaces with their IP addresses, MAC addresses, and state. Option D is wrong because `ifconfig` is deprecated and may not show all interfaces. Option C is wrong because `netstat -i` shows interface statistics but not IP addresses.

Option A is wrong because `nmcli dev show` shows device details but requires NetworkManager. Option E is wrong because `hostname -I` shows only IP addresses without interface details.

356
MCQmedium

Refer to the exhibit. A Linux administrator created a systemd service file for a custom script. When starting the service, it fails with 'Unit myservice.service entered failed state.' Which of the following is the most likely cause?

A.The ExecStart path is relative
B.The service type should be forking
C.The service file lacks an [Install] section
D.The Requires directive is missing
AnswerA

Systemd requires absolute paths; a relative path causes the service to fail.

Why this answer

The most likely cause is that the ExecStart path is relative. Systemd requires absolute paths for ExecStart directives; a relative path (e.g., `./script.sh` or just `script.sh`) will cause the unit to fail immediately because systemd cannot resolve the executable location. The error 'entered failed state' typically results from this path resolution failure.

Exam trap

CompTIA often tests the requirement for absolute paths in ExecStart, and the trap here is that candidates may assume relative paths are acceptable or that the [Install] section is mandatory for starting a service, when in fact it is only for enabling.

How to eliminate wrong answers

Option B is wrong because changing the service type to 'forking' would not fix a missing absolute path; forking is used for daemons that spawn child processes and requires a PIDFile, but the immediate failure here is due to the ExecStart path issue. Option C is wrong because the [Install] section is only needed for enabling the service to start at boot (via systemctl enable), not for starting the service manually; the service can start without it. Option D is wrong because the Requires directive is optional and used to declare dependency on other units; its absence does not cause a start failure—it simply means no hard dependency is enforced.

357
MCQhard

A DevOps engineer wants to reduce the size of a Docker image by combining build stages. Which Dockerfile feature should be used?

A.RUN --mount=type=cache
B.Layer caching
C.Multi-stage builds (multiple FROM statements)
D.Using a smaller base image like Alpine
AnswerC

Copies only needed artifacts to final image.

Why this answer

Multi-stage builds, implemented by using multiple FROM statements in a single Dockerfile, allow a DevOps engineer to copy only the necessary artifacts from intermediate build stages into the final image. This eliminates build-time dependencies, tools, and intermediate layers from the final image, significantly reducing its size without sacrificing build functionality.

Exam trap

The trap here is that candidates confuse layer caching (a performance feature) with multi-stage builds (a size-reduction feature), or they assume using a smaller base image alone achieves the same result as eliminating entire build stages.

How to eliminate wrong answers

Option A is wrong because RUN --mount=type=cache is used to persist package manager caches across builds to speed up subsequent builds, not to reduce the final image size by combining build stages. Option B is wrong because layer caching is a performance optimization that reuses unchanged layers from previous builds to accelerate rebuilds, but it does not reduce the size of the final image by combining stages. Option D is wrong because using a smaller base image like Alpine reduces the starting size of the image, but it does not combine build stages or eliminate intermediate build artifacts; multi-stage builds are the specific feature for that purpose.
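A multi-stage Dockerfile of the kind the explanation describes, as an added example (written for this edit, not from the question bank): the first FROM stage carries the whole Go toolchain and source tree, and the second stage copies only the compiled binary out of it with COPY --from. The module layout (./cmd/app) and the choice of a distroless, non-root runtime image are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the question bank). Stage 1: full build toolchain.
# Nothing from this stage ships unless the final stage copies it explicitly.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary so the runtime stage needs no libc or shell.
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

# Stage 2: the image that is actually published. Only the binary is copied
# in; compilers, module cache and source never reach this layer set.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

The size reduction is also an attack-surface reduction: the published image contains no compiler, package manager or shell, which is why the distroless base is paired with the multi-stage build here rather than an Alpine base alone.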

358
MCQeasy

A junior administrator accidentally modified the /etc/sudoers file and now users report not being able to use sudo. Which command should be used to safely edit the sudoers file?

A.visudo
B.chmod 400 /etc/sudoers
C.echo 'user ALL=(ALL) ALL' >> /etc/sudoers
D.usermod -aG wheel user
AnswerA

visudo safely edits /etc/sudoers with syntax checking and file locking.

Why this answer

The `visudo` command is the correct and safe way to edit the `/etc/sudoers` file because it locks the file against concurrent edits, performs syntax validation before saving, and prevents saving a malformed configuration that could break sudo entirely. This ensures that even if the administrator makes a mistake, the original valid file is preserved, avoiding the exact scenario described where users lose sudo access.

Exam trap

The trap here is that candidates may think any method that writes to the file (like `echo` or `chmod`) can fix the issue, but only `visudo` provides the syntax validation and locking necessary to safely edit the sudoers file without breaking sudo.

How to eliminate wrong answers

Option B is wrong because `chmod 400 /etc/sudoers` sets the file to read-only for the owner, which does not repair syntax errors or restore functionality; it only changes permissions and may even prevent `visudo` from writing a corrected file. Option C is wrong because using `echo` with a redirect appends text without any syntax checking, and if the appended line is malformed or duplicates entries, it can corrupt the file and break sudo. Option D is wrong because `usermod -aG wheel user` adds a user to the wheel group, which is unrelated to fixing a broken sudoers file; it does not validate or repair the syntax of `/etc/sudoers`.

359
MCQhard

After a kernel upgrade, the system fails to boot. Which file should be edited to configure GRUB2 to boot into the previous kernel version by default?

A./etc/grub.d/40_custom
B./boot/grub/grub.conf
C./boot/grub2/grub.cfg
D./etc/default/grub
AnswerD

Correct configuration file for GRUB2 defaults.

Why this answer

/etc/default/grub is the configuration file for GRUB2 defaults. After editing it, run grub2-mkconfig to regenerate grub.cfg. Edits made directly to grub.cfg are overwritten on updates, because /boot/grub2/grub.cfg is auto-generated. /etc/grub.d/40_custom is for custom menu entries.

360
MCQhard

Refer to the exhibit. A backup script fails every 5 minutes. Which is the most likely cause?

A.The backup script lacks write permission to the destination directory or file.
B.The mount point /mnt/backup is not accessible.
C.The cron job is running too frequently, causing a race condition.
D.The backup script is not executable.
AnswerA

The log explicitly states 'Permission denied writing to /mnt/backup/backup.tar.gz'.

361
MCQhard

An administrator is tasked with creating a systemd service that runs a Python script after the network is available. The script must restart automatically if it fails. Which systemd service unit directive should be used to ensure restart on failure?

A.Restart=always
B.RemainAfterExit=yes
C.Restart=on-failure
D.RestartSec=5
AnswerC

Restarts the service only when the process exits with a non-zero exit status or is terminated by a signal.

Why this answer

The `Restart=on-failure` directive instructs systemd to restart the service unit only when the process exits with a non-zero exit code, is terminated by a signal (including SIGKILL), or times out. This is the correct choice because the requirement is to restart the script only if it fails, not unconditionally. Using `Restart=always` would restart the service even after a clean exit, which is unnecessary and could mask intentional stops.

Exam trap

CompTIA often tests the distinction between `Restart=always` and `Restart=on-failure`, trapping candidates who assume that 'always' is the safest choice without reading the exact failure condition requirement.

How to eliminate wrong answers

Option A is wrong because `Restart=always` causes the service to restart regardless of the exit status, including normal clean exits, which does not match the requirement to restart only on failure. Option B is wrong because `RemainAfterExit=yes` indicates that the service is considered active even after the main process exits, but it does not control restart behavior on failure. Option D is wrong because `RestartSec=5` specifies a delay (5 seconds) before attempting a restart, but it is not a restart condition directive; it only modifies the timing when used with a `Restart=` setting.
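A complete unit file for the scenario in this question, as an added example (written for this edit, not from the question bank): it orders the service after the network is up, restarts it only on failure with a five-second delay, and, tying back to question 356, uses an absolute path in ExecStart. The script location, the `collector` service account and the hardening lines are assumptions; network-online.target rather than network.target is used because the requirement is that the network actually be available.

```ini
# /etc/systemd/system/collector.service (added example, not from the question bank)
[Unit]
Description=Report collector (example service)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Absolute path is required; "./collector.py" or "collector.py" would fail
# with "entered failed state" (question 356).
ExecStart=/usr/bin/python3 /opt/collector/collector.py
# Restart after a non-zero exit, a fatal signal or a timeout, but not after
# a clean exit or a deliberate `systemctl stop`.
Restart=on-failure
RestartSec=5
# Dedicated unprivileged account (assumed to exist).
User=collector
Group=collector
# Least-privilege settings; none of these change the restart semantics.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

After writing the file, `systemctl daemon-reload` makes systemd read it, and `systemctl enable --now collector.service` both starts it and creates the symlink that the [Install] section describes.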

362
MCQmedium

A security policy requires that SSH access be allowed only from the internal management subnet 10.10.10.0/24. Which firewalld rich rule should be added?

A.firewall-cmd --permanent --add-port=22/tcp --add-source=10.10.10.0/24
B.firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.10.10.0/24" service name="ssh" accept'
C.firewall-cmd --add-source=10.10.10.0/24 --add-service=ssh
D.iptables -A INPUT -s 10.10.10.0/24 -p tcp --dport 22 -j ACCEPT
AnswerB

This rich rule binds the source address to the SSH service.

Why this answer

Option B is correct because it uses the firewalld rich-rule syntax to explicitly define an IPv4 rule that accepts SSH traffic only from the 10.10.10.0/24 source subnet. Rich rules provide granular control over source addresses, services, and actions, which is required by the security policy. The `--add-rich-rule` option allows specifying the rule family, source address, service name, and accept action in a single, persistent rule.

Exam trap

The trap here is that candidates confuse `--add-source` (which binds a source to a zone) with a rule filter, or they think `--add-port` combined with `--add-source` creates a source-restricted port rule, when in fact firewalld requires a rich rule to enforce source-based service restrictions.

How to eliminate wrong answers

Option A is wrong because `--add-port=22/tcp --add-source=10.10.10.0/24` is not valid firewalld syntax; `--add-source` is a zone-level option that sets a source binding, not a rule filter, and `--add-port` opens the port to all sources, ignoring the intended restriction. Option C is wrong because `--add-source=10.10.10.0/24 --add-service=ssh` adds the source to a zone and enables the SSH service for the entire zone, but does not restrict SSH access to only that source; it allows SSH from any source that matches the zone's default rules. Option D is wrong because it uses `iptables` directly, which bypasses firewalld's management and dynamic zone logic; the question specifically asks for a firewalld rich rule, and direct iptables commands are not integrated with firewalld's persistent configuration.

363
MCQmedium

A developer runs a web application inside a Podman container. The application logs HTTP requests to stdout in JSON format. The operations team wants to centralize these logs by forwarding them to a remote syslog server. The administrator considers several approaches. Which approach is the most reliable and recommended way to forward container logs to syslog without modifying the application?

A.Use a cron job to run `podman logs -f` and pipe the output to `logger`.
B.Use `journalctl -u container-name` to export logs via a syslog forwarder.
C.Use `podman exec` to run a log shipper inside the container.
D.Configure the application to write logs to a file in a mounted volume, and have the host's syslog daemon tail that file.
AnswerD

This is a reliable and recommended approach.

Why this answer

Option D is correct because mounting a volume and having the application write logs to a file lets the host syslog daemon tail that file, decoupling log collection from the container runtime. Option A is inefficient and unreliable. Option B is wrong because container logs may not be in journald.

Option C is complex and not recommended, as it modifies the container runtime.

364
Matchingmedium

Match each Linux access control mechanism to its description.


Concepts
Matches

Traditional file permissions (owner/group/other)

Fine-grained permissions for users/groups

Mandatory access control with policies

Path-based mandatory access control

Default permission mask for new files

Why these pairings

Linux supports multiple access control models.

365
MCQeasy

You are a systems administrator for a small company. The company uses a Linux server running Ubuntu 22.04 LTS that hosts a web application and a PostgreSQL database. The server has two network interfaces: eth0 (public IP) and eth1 (private IP). The web application listens on port 443 (HTTPS) on eth0, and the PostgreSQL database listens on port 5432 on eth1. The company security policy requires that only the web application should be accessible from the internet; all other ports must be blocked on the public interface. Additionally, SSH access should be allowed only from the internal network (192.168.1.0/24). The current iptables rules are as follows:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

There are no other rules. You need to implement the security policy using iptables. Which of the following sets of commands will achieve the required security policy?

A.
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
  iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
  iptables -A INPUT -i eth1 -j ACCEPT

B.
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
  iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
  iptables -A INPUT -i eth1 -j ACCEPT

C.
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
  iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
  iptables -A INPUT -i eth1 -j ACCEPT

D.
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
  iptables -A INPUT -i eth1 -j ACCEPT
AnswerA

This correctly implements the policy.

Why this answer

Option A is correct because it sets the default policy to DROP, allows established/related connections, permits HTTPS (port 443) on eth0, restricts SSH (port 22) to the internal network (192.168.1.0/24) on eth1, and then allows all traffic on eth1. This ensures that only the web application is accessible from the internet, SSH is limited to the internal network, and all internal traffic on eth1 is permitted, including PostgreSQL on port 5432.

Exam trap

The trap here is that candidates often forget to allow all traffic on the internal interface (eth1) after setting a default DROP policy, mistakenly thinking that only specific ports need to be opened, which would block essential internal services like PostgreSQL.

How to eliminate wrong answers

Option B is wrong because it places the SSH rule before the HTTPS rule, but more critically, it does not include a rule to allow all traffic on eth1, which would block internal services like PostgreSQL. Option C is wrong because it is identical to Option B and also lacks the rule to allow all traffic on eth1, thus blocking internal database access. Option D is wrong because it allows SSH from any source (no -i eth1 or -s 192.168.1.0/24 restriction), violating the security policy that SSH should only be allowed from the internal network.

366
MCQeasy

The backup script above always outputs 'Backup failed' even when the tar command succeeds. Which of the following is the cause?

A.The tar command should use -czvf
B.The if statement syntax is wrong
C.The variable &? is not defined
D.The correct variable is $? not &?
AnswerD

The script incorrectly uses &? instead of the correct $? variable.

Why this answer

The script uses `&?` to reference the exit status of the `tar` command, but the correct shell variable is `$?`. The `$?` variable holds the exit code of the last executed command (0 for success, non-zero for failure). Using `&?` is a syntax error that results in an empty or invalid value, causing the `if` statement to always evaluate to false (or treat the condition as non-zero), thus always printing 'Backup failed'.

Exam trap

CompTIA often tests the distinction between `$?` and common typos like `&?` or `?$`, exploiting the fact that candidates may overlook the exact syntax of shell special variables and assume any symbol before `?` works.

How to eliminate wrong answers

Option A is wrong because `-czvf` is a valid set of flags for `tar` (create, gzip, verbose, file) and would not cause the script to always output 'Backup failed' if the command succeeds; the issue is not with the tar flags. Option B is wrong because the `if` statement syntax (`if [ condition ]; then ... fi`) is correct; the problem lies in the variable name used inside the condition, not the structure of the if statement. Option C is wrong because `&?` is not a defined variable in bash; the shell does not have a built-in variable named `&?`, and using it does not trigger a special behavior—it simply evaluates to an empty string, which breaks the logic.
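The success check written correctly, as an added example (written for this edit; the exhibit script itself is not reproduced): tar's exit status is read from `$?` on the very next line, because every later command, including the `[` test, overwrites it. The function also returns that status so a cron wrapper or caller sees the real result rather than only the printed message. Paths come from the caller; the data used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the question bank): the backup success check with
# the correct special variable. Paths are supplied by the caller.

# Archive one directory into a gzip-compressed tarball and report the result.
# tar's exit status is captured into rc immediately, because $? is replaced
# by every subsequent command (the `[` test included).
backup_dir() {
    src=$1
    dest=$2
    tar -czf "$dest" -C "$(dirname "$src")" "$(basename "$src")" 2>/dev/null
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "Backup succeeded: $dest"
    else
        echo "Backup failed (tar exit status $rc)"
    fi
    return "$rc"
}
```

The same check can be written without `$?` at all as `if tar ...; then`, which is the form most shell style guides prefer; the explicit capture is shown here because it is what the question's script was attempting.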

367
Multi-Selecthard

A server crashed with a kernel panic. After reboot, the administrator wants to analyze the crash dump. Which THREE actions should be taken to ensure a valid core dump is captured and accessible? (Choose THREE.)

Select 3 answers
A.Configure a dump target in /etc/kdump.conf.
B.Enable and start the kdump service.
C.Set crashkernel=auto in the boot loader.
D.Install kernel-debuginfo packages.
E.Ensure /var/crash has a vmcore file.
AnswersA, B, C

The dump target (e.g., a partition or NFS mount) must be defined to write the core dump.

Why this answer

Option A is correct because /etc/kdump.conf specifies where the crash dump should be saved (e.g., to a local disk, NFS, or SSH target). Without a configured dump target, the kdump mechanism does not know where to write the vmcore file, making the dump inaccessible after a kernel panic.

Exam trap

The trap here is that candidates confuse post-crash verification (checking for a vmcore file) with pre-crash configuration steps, or they mistakenly think debuginfo packages are required for capturing the dump rather than for later analysis.
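As an added example rather than anything from the exam page, these POSIX shell helpers check the three pre-crash conditions the answers A, B and C describe: a dump target in `/etc/kdump.conf`, a `crashkernel=` reservation on the kernel command line, and the kdump service being enabled. The kdump.conf contents used in the usage are constructed; the service name `kdump`, the `crashkernel=` parameter and the `grubby` invocation follow RHEL-family conventions.

```shell
#!/bin/sh
# Added example, not from the exam page. Three pre-crash checks matching answers A-C.
# Callers supply the kdump.conf path and the kernel command line text; "kdump" (service)
# and "crashkernel=" (kernel parameter) are the names RHEL-family systems use.

# kdump_dump_target FILE: print the dump-target directives in a kdump.conf (comments and
# blank lines ignored); exit 1 if none. "path" alone means that directory on the root
# filesystem; nfs/ssh/raw or a filesystem-type line sends the dump somewhere else.
kdump_dump_target() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -E '^[[:space:]]*(path|raw|nfs|ssh|ext[234]|xfs|btrfs)[[:space:]]'
}

# cmdline_has_crashkernel CMDLINE: true if a crashkernel= reservation is present.
# On a live host: cmdline_has_crashkernel "$(cat /proc/cmdline)"
cmdline_has_crashkernel() {
    case " $1 " in
        *" crashkernel="*) return 0 ;;
    esac
    return 1
}

# kdump_service_enabled: true if the kdump unit is enabled (needs systemd; not exercised
# by the offline checks below).
kdump_service_enabled() {
    systemctl is-enabled kdump >/dev/null 2>&1
}

# kdump_configure: the setup side of answers B and C on a RHEL-family host (root required).
# Answer A is editing /etc/kdump.conf until kdump_dump_target reports a target.
kdump_configure() {
    grubby --update-kernel=ALL --args="crashkernel=auto"   # C: reserve memory for the crash kernel
    systemctl enable --now kdump                            # B: enable and start the service
}

# kdump_precheck CONF CMDLINE: report each failed condition; exit 1 if any fails.
kdump_precheck() {
    ok=0
    kdump_dump_target "$1" >/dev/null || { echo "no dump target configured in $1"; ok=1; }
    cmdline_has_crashkernel "$2"      || { echo "crashkernel= missing from kernel command line"; ok=1; }
    kdump_service_enabled             || { echo "kdump service not enabled"; ok=1; }
    return "$ok"
}
```

Run `kdump_precheck /etc/kdump.conf "$(cat /proc/cmdline)"` before you need it: a vmcore under the configured path only appears after a panic, which is exactly the post-crash verification the exam trap warns about mistaking for configuration.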

368
Multi-Selecthard

An administrator notices that a user's crontab file is not executing. Which two commands can the administrator use to verify the user's crontab configuration? (Select TWO.)

Select 2 answers
A.crontab -e -u username
B.crontab -l -u username
C.cat /var/spool/cron/crontabs/username
D.systemctl status cron
E.grep username /etc/crontab
AnswersB, C

Lists the contents of the specified user's crontab.

Why this answer

Option B is correct because `crontab -l -u username` lists the current crontab entries for the specified user, allowing the administrator to verify the configured jobs. Option C is correct because on many Linux distributions, user crontab files are stored as plain text files under `/var/spool/cron/crontabs/username`, and reading that file directly shows the same content. Both commands let the administrator inspect the exact cron schedule and commands for that user.

Exam trap

The trap here is that candidates confuse commands that verify the cron daemon's status (like `systemctl status cron`) with commands that inspect the actual crontab content, or they mistakenly think editing (`-e`) is the same as listing (`-l`).

369
MCQmedium

A Linux administrator is writing a Bash script that needs to parse a CSV file line by line and extract the second field. Which of the following approaches is the most efficient?

A.Using a `while read` loop with IFS=','
B.Using `awk -F',' '{print $2}'`
C.Using `cut -d, -f2`
D.Using `sed` to extract the second column
AnswerB

awk is designed for text processing and can handle quoted fields with proper configuration.

Why this answer

Option B is correct because `awk` is purpose-built for field-based text processing; `awk -F',' '{print $2}'` efficiently splits each line by comma and prints the second field without needing an explicit loop. It handles edge cases like empty fields and large files with minimal overhead, making it the most efficient choice for CSV parsing in a script.

Exam trap

The trap here is that candidates often choose the `while read` loop (option A) because it seems straightforward and Bash-native, but they overlook the severe performance penalty and fragility with quoted fields, while `awk` is the correct, efficient, and robust solution for field parsing in Linux scripting exams.

How to eliminate wrong answers

Option A is wrong because a `while read` loop with IFS=',' is significantly slower on large files due to the overhead of spawning a subshell and reading line by line, and it can mishandle lines with quoted commas or trailing spaces. Option C is wrong because `cut -d, -f2` cannot handle quoted fields containing commas (e.g., 'field1,"field,2",field3') and will incorrectly split such lines. Option D is wrong because `sed` is a stream editor designed for line-oriented text transformations, not field extraction; using `sed` to isolate the second column requires complex regex patterns that are error-prone and less efficient than `awk`.
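As an added example, not code from the exam page, the block below puts the plain `awk -F','` form from answer B next to a quote-aware extractor written in portable awk, which is what "proper configuration" has to amount to once fields may contain commas. Both functions take the field number and an optional file, reading standard input otherwise; the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the exam page. naive_field is the -F',' form from answer B;
# csv_field honours double-quoted fields (embedded commas, "" for a literal quote) using
# only POSIX awk features, so it does not depend on gawk's FPAT.

# naive_field N [FILE]: split on every comma, quoted or not.
naive_field() {
    awk -F',' -v want="$1" '{ print $want }' ${2:+"$2"}
}

# csv_field N [FILE]: walk each line character by character, tracking quoted state.
csv_field() {
    awk -v want="$1" '
    {
        n = 0; field = ""; inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") {
                if (inq && substr($0, i + 1, 1) == "\"") { field = field "\""; i++ }  # "" -> literal quote
                else inq = !inq                                                      # open/close quote
            } else if (c == "," && !inq) {
                n++; if (n == want) print field                                      # field boundary
                field = ""
            } else {
                field = field c
            }
        }
        n++; if (n == want) print field                                              # last field on the line
    }' ${2:+"$2"}
}

# Usage with constructed rows: prints "name" then "Smith, Jane" (the naive form would print "\"Smith").
printf 'id,name,dept\n1,"Smith, Jane",ops\n' | csv_field 2
```

For data you know to be free of quotes, `awk -F','` is the faster and simpler choice the exam expects; the character loop costs a little speed but never splits a quoted field in two.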

370
Drag & Dropmedium

Drag and drop the steps to recover a forgotten root password in single-user mode in the correct order.

Why this order

Root password recovery involves booting into single-user mode and remounting root as rw.

371
Multi-Selectmedium

Which two of the following are valid methods to pass environment variables to a Docker container at runtime? (Select TWO.)

Select 2 answers
A.Defining variables in a .env file and using --env-file
B.Using the -e option in docker run
C.Using the ENV instruction in the Dockerfile
D.Using the export command inside the container
E.Using the ARG instruction in the Dockerfile
AnswersA, B

The --env-file option loads environment variables from a file at runtime.

Why this answer

Option A is correct because the `--env-file` flag in `docker run` allows you to pass environment variables from a file (typically a `.env` file) to the container at runtime. This method is useful for managing multiple variables without cluttering the command line and supports variable substitution and quoting rules as defined by Docker.

Exam trap

CompTIA often tests the distinction between build-time instructions (`ENV`, `ARG`) and runtime options (`-e`, `--env-file`), so the trap here is confusing the `ENV` instruction in the Dockerfile (which sets variables at build time) with the `-e` option (which sets variables at runtime).
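An added example, not from the exam page: a POSIX shell reader that turns an env file into the `-e KEY=VALUE` pairs `docker run` would receive from `--env-file`, applying the rules as I understand Docker's env-file parser: `#` comments and blank lines are skipped, quotes are passed through literally rather than stripped, and a bare `NAME` line takes the value from the host environment or is dropped when the host has no such variable. The file contents in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the exam page. Mirrors (as I understand it) how docker run
# --env-file reads a file: '#' comments and blank lines skipped, quotes kept as-is,
# bare NAME passed through from the host environment when set there.

# env_file_to_args FILE: print one "-e KEY=VALUE" per usable line.
env_file_to_args() {
    while IFS= read -r line || [ -n "$line" ]; do   # "|| [ -n ]" keeps a last line lacking a newline
        case $line in
            '' | '#'*) continue ;;                                      # blank line or comment
            *=*)       printf '%s %s\n' -e "$line" ;;                   # KEY=VALUE taken literally
            *)         if val=$(printenv "$line" 2>/dev/null); then     # bare NAME: host pass-through
                           printf '%s %s=%s\n' -e "$line" "$val"
                       fi ;;
        esac
    done < "$1"
}

# Real invocation (not run here):   docker run --env-file app.env myimage
# is roughly   docker run $(env_file_to_args app.env) myimage   except that the env file
# keeps values out of shell history and `ps` output and survives values containing spaces.
```

Either route leaves the values visible in `docker inspect` and in the container's process environment, so an env file is a delivery mechanism rather than a secret store: keep it mode 600 and out of version control. Passing `-e KEY=VALUE` on the command line additionally records the value in shell history and exposes it in `ps` output while the command runs.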

372
MCQhard

A developer needs to grant a colleague read and write access to a directory /project, but the colleague should not have permission to delete any files created by the developer. The developer wants to set the directory so that all new files created in it automatically belong to the group 'project' and are writable by group. Which combination of configuration should be used?

A.chmod g+s /project && setfacl -m default:g:project:rw /project
B.chmod 1770 /project && usermod -aG project colleague
C.chmod g+s /project && setfacl -m g:project:rwx /project
D.chown .project /project && chmod 2775 /project
AnswerA

Setgid ensures new files inherit project group; default ACL ensures new files have group rw permissions.

Why this answer

To achieve automatic group ownership and default permissions, set the setgid bit (`chmod g+s`) on the directory and use a default ACL to grant the group read/write. Option A does both: `chmod g+s` sets the setgid bit so new files inherit the group, and `setfacl -m default:g:project:rw` ensures new files get group rw. Option C grants rwx on the directory itself but sets no default ACL, so it does not affect newly created files.

Option D sets the setgid bit and 2775 permissions but does not use a default ACL, so new files may not get group rw. Option B sets the sticky bit (the leading 1 in 1770), which prevents users from deleting others' files, but does not automatically set group ownership or default permissions.
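As an added example (not the exam's commands), the POSIX shell below sets up a `/project`-style shared directory the way the setgid-plus-default-ACL answer describes and then reads the mode bits back so the result can be verified. DIR and GROUP are arguments; `setfacl` (from the `acl` package) is used only when installed. The sticky bit gets its own check because, as the explanation of `chmod 1770` notes, that is the bit that stops users deleting each other's files.

```shell
#!/bin/sh
# Added example, not from the exam page. DIR and GROUP come from the caller;
# setfacl is optional (acl package) and only run when present.

# has_setgid DIR: true if the setgid bit is set (7th character of "drwxrws---" is s or S).
has_setgid() {
    case $(stat -c %A "$1") in
        ??????[sS]*) return 0 ;;
    esac
    return 1
}

# has_sticky DIR: true if the sticky bit is set (10th character of "drwxrwxrwt" is t or T).
has_sticky() {
    case $(stat -c %A "$1") in
        ?????????[tT]*) return 0 ;;
    esac
    return 1
}

# setup_shared_dir DIR GROUP: group-owned, setgid so new files inherit GROUP, and a
# default ACL so new files are group-readable/writable whatever the creator's umask.
setup_shared_dir() {
    chgrp "$2" "$1"
    chmod 2770 "$1"                                   # leading 2 = setgid; rwx owner and group only
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -m "default:g:$2:rwX" "$1"            # X: execute only where it already makes sense
    fi
}

# report DIR: one line summarising the bits an auditor would look at.
report() {
    printf '%s mode=%s group=%s setgid=%s sticky=%s\n' "$1" "$(stat -c %a "$1")" "$(stat -c %G "$1")" \
        "$(has_setgid "$1" && echo yes || echo no)" "$(has_sticky "$1" && echo yes || echo no)"
}
```

On a real host, `getfacl /project` confirms the `default:group:project:rw-` entry, and `chmod +t /project` adds the deletion protection the question also asks for; `chmod 2770` on its own does not prevent a group member from deleting another member's files.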

373
MCQhard

A Linux server runs a critical service managed by a systemd service unit. The administrator needs to configure the service to automatically restart if it crashes, but only up to 3 times within a 30-second window. If the service restarts more than 3 times in 30 seconds, systemd should stop attempting to restart and leave the service in a failed state. Which set of directives should be added to the [Service] section of the unit file to achieve this behavior?

A.`Restart=on-abort` and `MaxStartups=3`
B.`Restart=on-failure` and `StartLimitBurst=5` and `StartLimitIntervalSec=60`
C.`Restart=always` and `RestartSec=10`
D.`Restart=on-failure` and `StartLimitBurst=3` and `StartLimitIntervalSec=30`
AnswerD

This correctly limits restarts to 3 times within 30 seconds.

Why this answer

Option D is correct because it uses `Restart=on-failure` to trigger a restart only when the service crashes (not on other stops), combined with `StartLimitBurst=3` and `StartLimitIntervalSec=30` to limit restarts to 3 attempts within a 30-second window. When the burst limit is exceeded, systemd automatically places the unit in a failed state, exactly matching the requirement.

Exam trap

The trap here is that candidates often confuse `Restart=always` (which restarts on any exit, including intentional stops) with `Restart=on-failure` (which only restarts on crashes), or they misremember the default values of `StartLimitBurst` and `StartLimitIntervalSec`, leading them to pick options with incorrect burst counts or intervals.

How to eliminate wrong answers

Option A is wrong because `Restart=on-abort` only restarts the service if it terminates due to a signal that is not caught (e.g., SIGABRT), not on general crashes, and `MaxStartups` is not a valid systemd directive (it is used in sshd configuration, not unit files). Option B is wrong because `StartLimitBurst=5` and `StartLimitIntervalSec=60` would allow up to 5 restarts in 60 seconds, not the required 3 in 30 seconds. Option C is wrong because `Restart=always` restarts the service regardless of exit reason (including manual stops), and `RestartSec=10` only sets a delay between restarts, with no limit on the number of restart attempts, so the service would keep restarting indefinitely.
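An added example, not from the exam page: a constructed unit file that implements the option D policy, plus small helpers that read a directive's value back and report which section it sits in. One caveat a practitioner should know: since systemd v230 `StartLimitBurst=` and `StartLimitIntervalSec=` are documented under `[Unit]`, and are still accepted under `[Service]` for compatibility, so the sample places them in `[Unit]`. The unit name and `ExecStart` path are placeholders.

```shell
#!/bin/sh
# Added example, not from the exam page. critical-service and its ExecStart path are
# constructed placeholders.

# write_sample_unit FILE: restart on failure, give up after 3 starts within 30 s.
# StartLimit* directives live in [Unit] on current systemd (accepted in [Service] for
# compatibility only).
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Critical service (constructed sample)
StartLimitIntervalSec=30
StartLimitBurst=3

[Service]
ExecStart=/usr/local/bin/critical-service
Restart=on-failure
RestartSec=2

[Install]
WantedBy=multi-user.target
EOF
}

# directive_section FILE KEY: print the section header containing KEY=; exit 1 if absent.
directive_section() {
    awk -v key="$2" '
        /^\[.*\]$/              { section = $0; next }
        index($0, key "=") == 1 { print section; found = 1; exit }
        END                     { if (!found) exit 1 }
    ' "$1"
}

# unit_value FILE KEY: print the value of the first KEY= line; exit 1 if absent.
unit_value() {
    awk -v key="$2" '
        index($0, key "=") == 1 { print substr($0, length(key) + 2); found = 1; exit }
        END                     { if (!found) exit 1 }
    ' "$1"
}

# restart_policy_matches FILE RESTART BURST INTERVAL: true when the unit carries exactly
# that policy, e.g.  restart_policy_matches critical.service on-failure 3 30
restart_policy_matches() {
    [ "$(unit_value "$1" Restart)" = "$2" ] &&
    [ "$(unit_value "$1" StartLimitBurst)" = "$3" ] &&
    [ "$(unit_value "$1" StartLimitIntervalSec)" = "$4" ]
}
```

On a real host, `systemd-analyze verify critical.service` flags unknown directives such as `MaxStartups=` before the unit is enabled, and `systemctl reset-failed critical.service` clears the failed state once the burst limit has tripped.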

374
Multi-Selecthard

Which THREE of the following are valid methods to troubleshoot a service that fails to start?

Select 3 answers
A.Run the service executable manually from the command line to see error output.
B.Review the service logs using journalctl.
C.Check if the service's required dependencies are installed and running.
D.Run df -h to check disk space.
E.Reload the systemd daemon with systemctl daemon-reload.
AnswersA, B, C

Manual execution often gives direct error messages.

Why this answer

Option A is correct because running the service executable manually from the command line often reveals stderr output, error codes, or missing configuration details that are suppressed when the service is started by systemd. This direct execution bypasses the service manager's logging and can show immediate, unfiltered error messages that help pinpoint the failure reason.

Exam trap

The trap here is that candidates often confuse general system health commands (like `df -h`) with service-specific troubleshooting methods, or they think `systemctl daemon-reload` is a diagnostic step when it only reloads configuration without providing error details.

375
MCQeasy

A DevOps engineer needs to automate the deployment of a microservice using Ansible. The playbook should install the latest version of nginx on all web servers. Which Ansible module should be used in the playbook?

A.service: name=nginx state=started
B.command: apt install nginx
C.apt: name=nginx state=latest
D.yum: name=nginx state=latest
AnswerC

The apt module with state=latest ensures the latest version is installed.

Why this answer

Option C is correct because the `apt` module is the proper Ansible module for managing packages on Debian-based systems, and `state=latest` ensures the most recent version of nginx is installed. This aligns with the requirement to automate deployment using Ansible's declarative package management rather than imperative shell commands.

Exam trap

The trap here is that candidates often confuse the `service` module (for managing service state) with package installation modules, or they default to the `command` module out of habit, missing Ansible's dedicated package modules that ensure idempotency and cross-platform compatibility.

How to eliminate wrong answers

Option A is wrong because the `service` module manages the state of a service (started/stopped), not the installation of a package; it assumes nginx is already installed. Option B is wrong because using the `command` module to run `apt install nginx` bypasses Ansible's idempotency and package state management, making the playbook fragile and non-declarative. Option D is wrong because the `yum` module is for Red Hat-based systems (using RPM), while the question does not specify the OS family; without context, `apt` is the safer choice for Debian/Ubuntu, and `yum` would fail on non-RHEL systems.
