CompTIA Linux+ XK0-005 (XK0-005) — Questions 376-450

510 questions total · 7 pages · All types, answers revealed


Page 6 of 7

376. MCQ (hard)

A company uses a Linux server running Ubuntu 22.04 LTS as a file server to share documents via Samba. The server has been in operation for over a year without issues. Following a routine system update that included kernel patches and updated Samba packages, users began reporting that they could no longer access any shared folders. The administrator verifies that the smbd and nmbd services are running and have not failed. The Samba configuration has not been changed recently. The server uses ufw as its firewall. When the administrator runs 'ufw status', the output shows that only SSH (port 22) is allowed. The administrator checks for SELinux but finds it is not installed; however, AppArmor is active and the smbd profile is in enforce mode. The administrator examines the AppArmor logs and finds no denials related to smbd. Which of the following is the most likely reason for the connectivity failure?

A. The firewall is blocking Samba ports 137, 138, 139, and 445.
B. The Samba configuration file was corrupted during the update.
C. The kernel update changed the default file system mount options, restricting access.
D. The AppArmor profile is preventing smbd from binding to network interfaces.
Answer: A

ufw only allows SSH; Samba ports are not permitted.

Why this answer

The firewall (ufw) is only allowing SSH (port 22), which means Samba ports 137/138 (NetBIOS), 139 (SMB over NetBIOS), and 445 (SMB over TCP) are blocked. Since the smbd and nmbd services are running and AppArmor shows no denials, the most likely cause is that the firewall rules were reset or not updated after the system update, preventing Samba traffic from reaching the server.

Exam trap

The trap here is that candidates may focus on AppArmor or SELinux because they are security modules, but the absence of denials in AppArmor logs and the explicit ufw output showing only SSH allowed points directly to the firewall as the culprit.

How to eliminate wrong answers

Option B is wrong because the administrator verified that the Samba configuration has not been changed recently, and the services are running without errors, so corruption is unlikely. Option C is wrong because kernel updates do not change default file system mount options; mount options are set in /etc/fstab or at mount time and are not altered by kernel patches. Option D is wrong because the administrator checked AppArmor logs and found no denials related to smbd, indicating the profile is not blocking network binding.

377. MCQ (hard)

An administrator is tasked with setting up a new server that will run a time-sensitive application. The system must have accurate time synchronization. The administrator configures chronyd and adds four NTP servers. After verifying, the administrator notices that the system time drifts significantly. Which configuration parameter in /etc/chrony.conf is most likely causing the drift despite multiple servers?

A. pollinterval 2
B. minsources 2
C. makestep 100 -1
D. maxslewrate 1000
E. local stratum 10
Answer: E

Declares local clock as a high-priority time source, overriding NTP servers.

Why this answer

Option C is correct because if the local clock is set as a prefer time source with high trust, chronyd may use it over NTP servers, causing drift. Option A is wrong because a large maxslewrate can cause rapid time adjustments but not drift. Option B is wrong because a large makestep would allow stepping, not cause drift.

Option D is wrong because a small pollinterval would increase polling frequency, reducing drift. Option E is wrong because minsources is the minimum number of sources to synchronize; if set too low, it might accept inaccurate time, but drift is more likely due to local clock behavior.

378. MCQ (easy)

A system administrator needs to run a script every 15 minutes. Which systemd unit type is used to schedule this?

A. systemd timer
B. at job
C. anacron
D. cron job
Answer: A

Timer units can be configured with OnCalendar or OnUnitActiveSec to run every 15 minutes.

Why this answer

Systemd timers are the native systemd unit type for scheduling tasks at specified intervals, such as every 15 minutes. They replace traditional cron jobs in systemd-based Linux distributions and are defined with a .timer unit file that triggers a corresponding .service unit. This makes option A correct because the question explicitly asks for the systemd unit type used for scheduling.

Exam trap

The trap here is that candidates familiar with traditional Linux scheduling immediately think of cron, but the question explicitly asks for a 'systemd unit type,' making cron a distractor despite its functional similarity.

How to eliminate wrong answers

Option B (at job) is wrong because the 'at' command schedules a one-time task at a specific time, not recurring every 15 minutes. Option C (anacron) is wrong because anacron is designed for tasks that need to run daily, weekly, or monthly, assuming the system may not be running continuously, and it does not support sub-daily intervals like 15 minutes. Option D (cron job) is wrong because while cron can schedule tasks every 15 minutes, the question specifically asks for a systemd unit type, and cron is a separate service, not a systemd unit.

379. MCQ (easy)

A developer writes a Python script that uses the `requests` library to fetch data from an API. The script works on the developer's workstation but fails on the server with an import error. What is the most likely cause?

A. The `requests` module is not installed on the server
B. The script uses an incorrect API endpoint
C. The server lacks internet connectivity
D. The script has a syntax error in the import statement
Answer: A

The `requests` module is not part of the standard library and must be installed via pip.

Why this answer

The `requests` library is a third-party Python package that must be installed separately via `pip` or a package manager. The script works on the developer's workstation because `requests` is present there, but fails on the server with an import error, indicating the module is missing from the server's Python environment. This is the most likely cause because an import error specifically points to a missing module, not to network or syntax issues.

Exam trap

CompTIA often tests the distinction between runtime errors (e.g., network issues, bad endpoints) and import-time errors (e.g., missing modules), trapping candidates who confuse an ImportError with a connectivity or syntax problem.

How to eliminate wrong answers

Option B is wrong because an incorrect API endpoint would cause an HTTP error (e.g., 404 or 400) at runtime, not an import error when the script starts. Option C is wrong because lack of internet connectivity would cause a connection timeout or DNS resolution failure during the `requests.get()` call, not an import error when loading the module. Option D is wrong because a syntax error in the import statement would be caught by Python's parser before execution, producing a SyntaxError, not an ImportError; the script works on the workstation, so the import syntax is correct.

380. Multi-Select (hard)

Which THREE files are commonly used to store local user account information? (Select 3.)

Select 3 answers
A. /etc/group
B. /etc/gshadow
C. /etc/shadow
D. /etc/login.defs
E. /etc/passwd
Answers: A, C, E

Contains group information and group member lists.

Why this answer

Options A (/etc/passwd), B (/etc/shadow), and C (/etc/group) are correct. /etc/gshadow stores group passwords, not user accounts. /etc/login.defs contains default configuration for useradd, not account data.

381. MCQ (medium)

A pod in the Kubernetes cluster is in CrashLoopBackOff. Based on the exhibit, what is the most likely cause?

A. The application inside the container is crashing repeatedly.
B. The container failed to start because of a missing configuration file.
C. The image pull failed due to authentication issues.
D. The container image is not available in the registry.
Answer: A

The CrashLoopBackOff status and BackOff event indicate the application is crashing right after start.

Why this answer

The CrashLoopBackOff status indicates that a container in a pod is repeatedly crashing after starting. Kubernetes attempts to restart the container, but the application inside exits with a non-zero exit code, causing the restart loop. This is most commonly caused by the application itself crashing due to a bug, misconfiguration, or resource issue.

Exam trap

CompTIA often tests the distinction between container startup failures (ImagePullBackOff, ErrImagePull) and runtime crashes (CrashLoopBackOff), so candidates must remember that CrashLoopBackOff implies the container started at least once before crashing.

How to eliminate wrong answers

Option B is wrong because a missing configuration file would typically cause an Init:Error or CreateContainerConfigError, not CrashLoopBackOff, as the container would fail to start at all. Option C is wrong because image pull failures due to authentication issues result in ImagePullBackOff or ErrImagePull, not CrashLoopBackOff. Option D is wrong because an unavailable container image also leads to ImagePullBackOff or ErrImagePull, as the container never starts to crash.

382. Multi-Select (medium)

A systems administrator is troubleshooting a server that fails to boot and displays the error: 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)'. Which TWO of the following are most likely causes? (Choose two.)

Select 2 answers
A. Missing or misconfigured root filesystem in /etc/fstab
B. Faulty RAM
C. Corrupted initramfs image
D. Overwritten MBR
E. Incorrect boot loader configuration pointing to wrong kernel
Answers: A, C

Correct: If the root filesystem is missing or misconfigured, the kernel cannot mount it.

Why this answer

Option A is correct because the error 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates the kernel cannot locate or mount the root filesystem. A missing or misconfigured root filesystem entry in /etc/fstab (e.g., wrong device name, wrong UUID, or missing entry) prevents the kernel from mounting the root partition, leading to a kernel panic. The 'unknown-block(0,0)' specifically means the kernel cannot resolve the block device for the root filesystem.

Exam trap

The trap here is that candidates often confuse a boot loader misconfiguration (Option E) with a root filesystem issue, but the kernel must successfully load before a VFS error can occur, so the problem lies after boot loader execution.

383. MCQ (hard)

An administrator configures a new web server with Apache and needs to ensure it starts automatically after a system reboot. The administrator runs 'systemctl enable httpd' but the service still does not start after reboot. What is the most likely reason?

A. The service name is incorrect; it should be 'apache2' instead of 'httpd'.
B. The administrator forgot to run 'systemctl start httpd' after enabling it.
C. The httpd service is masked, preventing it from starting.
D. The systemd daemon needs to be reloaded with 'systemctl daemon-reload'.
Answer: C

A masked service cannot be started; check with 'systemctl is-enabled httpd'.

Why this answer

The most likely reason the httpd service does not start after reboot despite being enabled is that it is masked. A masked service is symlinked to /dev/null, which prevents systemd from starting it even if it is enabled. The 'systemctl enable' command creates the necessary symlinks for automatic startup, but a mask overrides this by blocking the service unit entirely.

Exam trap

The trap here is that candidates often confuse 'enabled' with 'started' and assume the service must be started manually after enabling, overlooking the more subtle masking mechanism that prevents automatic startup despite the enable state.

How to eliminate wrong answers

Option A is wrong because the service name 'httpd' is correct for Apache on RHEL/CentOS/Fedora systems; 'apache2' is used on Debian/Ubuntu, but the question does not specify the distribution, and the administrator used 'httpd' which is standard for the given context. Option B is wrong because 'systemctl start httpd' starts the service immediately but is not required for automatic startup after reboot; enabling the service is sufficient for that purpose. Option D is wrong because 'systemctl daemon-reload' is used to reload systemd manager configuration after unit files change, but it is not needed after enabling a service; enabling only creates symlinks, not unit file modifications.

384. MCQ (easy)

Refer to the exhibit. An administrator creates this systemd unit file for a backup script. When the administrator runs `systemctl start backup.service`, the script runs but the service shows 'inactive (dead)' immediately. What change should be made to keep the service active until the script finishes?

A. Add 'RemainAfterExit=yes' to the [Service] section
B. Change the service type to 'forking'
C. Add 'ExecStop' to the service definition
D. Change the service type to 'simple'
Answer: A

RemainAfterExit=yes keeps the service in 'active' state even after the process exits, which is what the administrator wants.

Why this answer

The correct answer is A because adding 'RemainAfterExit=yes' to the [Service] section tells systemd to consider the service as active even after the main process (the backup script) exits. Without this directive, systemd sees the process terminate and immediately marks the service as 'inactive (dead)', even though the script may still be running or its effects are ongoing. This is the standard way to keep a service unit in an 'active' state after the main command completes.

Exam trap

The trap here is that candidates often confuse 'RemainAfterExit' with service types like 'forking' or 'simple', mistakenly thinking changing the type will keep the service active, when in fact only 'RemainAfterExit' explicitly tells systemd to remain active after the process exits.

How to eliminate wrong answers

Option B is wrong because changing the service type to 'forking' is used when the process forks and the parent exits, leaving a child process running; it does not keep the service active after the script finishes if the script itself exits. Option C is wrong because adding 'ExecStop' defines a command to run when the service is stopped, but it does not affect the service state after the main process exits. Option D is wrong because changing the service type to 'simple' is the default and behaves the same as the current configuration—systemd considers the service active only while the main process is running, so it will still show 'inactive (dead)' immediately after the script finishes.

385. MCQ (hard)

A file server running RHEL 8 uses NFS to export directories. Clients report that they cannot mount an NFS share. The server's firewall is configured but NFS-related services are enabled. The administrator checks `exportfs -v` and sees the export is listed. Which service must be added to the firewall to allow NFS?

A. rpc-bind
B. nfs
C. samba
D. mountd
Answer: B

The nfs service is essential; adding it allows the NFS server port (2049).

Why this answer

Option B is correct because NFS on RHEL 8 requires the 'nfs' service to be added to the firewall to allow incoming NFS traffic. The 'nfs' service in firewalld opens TCP and UDP port 2049, which is the standard port for NFSv4. Even though the NFS-related services are enabled, the firewall must explicitly permit this port for clients to mount the share.

Exam trap

CompTIA often tests the misconception that 'mountd' is a valid firewalld service name, when in fact it must be configured as a custom port or covered by the 'nfs' service, leading candidates to select option D incorrectly.

How to eliminate wrong answers

Option A is wrong because 'rpc-bind' opens port 111 for RPC portmapper, which is needed for NFSv3 but not for NFSv4; the question does not specify NFS version, and RHEL 8 defaults to NFSv4, making 'nfs' the required service. Option C is wrong because 'samba' is used for SMB/CIFS file sharing, not NFS, and adding it would not allow NFS mounts. Option D is wrong because 'mountd' is not a standard firewalld service; the NFS mount protocol (rpc.mountd) uses a dynamically assigned port and is typically handled by adding the 'nfs' service or explicitly opening the port range, but 'mountd' as a service name is not valid in firewalld.

386. MCQ (medium)

A Linux server is experiencing slow boot times. The administrator wants to identify which systemd services are taking the longest to start. Which command should be used?

A. systemd-analyze time
B. journalctl -b -p 3
C. systemctl list-units --all
D. systemd-analyze blame
Answer: D

This displays each service and its initialization time, sorted descending.

Why this answer

Option D is correct. systemd-analyze blame lists services and their start times, sorted by time. Option A shows a summary of boot time breakdown. Option B lists units but not start times. Option C shows kernel and initrd time.

387. Multi-Select (hard)

A network administrator needs to diagnose connectivity issues from a Linux server to a remote host. Which of the following tools can provide information about the path and latency? (Choose three.)

Select 3 answers
A. iproute
B. netstat
C. mtr
D. traceroute
E. ping
Answers: C, D, E

Combines ping and traceroute functionality.

Why this answer

C (mtr) is correct because it combines the functionality of traceroute and ping into a single diagnostic tool, continuously probing each hop along the path to a remote host and reporting both the route and real-time latency statistics. This makes it ideal for identifying where packet loss or high latency occurs along the network path.

Exam trap

The trap here is that candidates may think ping alone is sufficient for diagnosing path issues, but ping only tests end-to-end connectivity and latency to the final destination, not the performance of each intermediate hop, which is why mtr and traceroute are needed alongside ping.

388. Multi-Select (medium)

Which TWO container networking modes allow a container to have its own IP address on the host network? (Choose TWO.)

Select 2 answers
A. Macvlan
B. Host
C. None
D. Overlay
E. Bridge
Answers: A, E

Container gets its own MAC/IP on physical network.

Why this answer

Macvlan mode assigns each container a unique MAC address and IP address from the host's physical network, making the container appear as a separate device on the same subnet. Bridge mode creates a virtual bridge (typically docker0) and assigns containers IPs from a private subnet, allowing them to communicate with the host network via NAT. Both modes give the container its own IP address on the host network, though bridge uses a private range while macvlan uses the host's subnet directly.

Exam trap

The trap here is that candidates often confuse 'own IP address' with 'own network namespace'—Host mode gives the container its own namespace but shares the host's IP, while Bridge gives a private IP that is not directly on the host's physical subnet, leading some to incorrectly select Host or Overlay.

389. Multi-Select (easy)

A Linux system fails to boot with the error 'No bootable device found'. Which two troubleshooting steps should be taken? (Select TWO).

Select 2 answers
A. Check the SATA cable connections
B. Reinstall the kernel
C. Run fsck on the root filesystem
D. Verify the GRUB configuration
E. Check the boot order in BIOS/UEFI
Answers: D, E

Corrupted or missing GRUB can cause 'No bootable device' error.

Why this answer

The error 'No bootable device found' indicates that the system's BIOS/UEFI cannot locate a valid bootloader or operating system on any available storage device. Verifying the boot order in BIOS/UEFI (Option E) ensures that the correct disk is set as the first boot device, which is a common cause of this error. Checking the GRUB configuration (Option D) is also critical because if GRUB is missing, corrupted, or misconfigured, the system will not find a bootable kernel, even if the disk is correctly detected.

Exam trap

The trap here is that candidates often confuse filesystem corruption (fsck) or kernel issues with bootloader problems, but the 'No bootable device found' error specifically points to the firmware's inability to locate a bootable partition or bootloader, not to filesystem or kernel corruption.

390. MCQ (easy)

A user attempts to run a command using sudo but receives 'user is not in the sudoers file. This incident will be reported.' Which file should be edited to grant the user sudo access?

A. Edit /etc/passwd directly
B. Edit /etc/group to add user to the wheel group
C. Edit /etc/shadow
D. Use visudo to edit /etc/sudoers
Answer: D

The proper way to grant sudo access.

Why this answer

The correct answer is D because the sudoers file, typically located at /etc/sudoers, controls which users and groups are permitted to run commands with sudo. The visudo command must be used to edit this file safely, as it performs syntax checking to prevent lockouts due to misconfiguration. Directly editing /etc/sudoers with a regular text editor can lead to syntax errors that break sudo functionality.

Exam trap

The trap here is that candidates may think adding a user to the wheel group (Option B) is sufficient, but without a corresponding entry in the sudoers file (e.g., '%wheel ALL=(ALL) ALL'), the group membership alone does not grant sudo privileges.

How to eliminate wrong answers

Option A is wrong because /etc/passwd stores user account information (like UID, home directory, shell) but does not contain sudo privileges; editing it would not grant sudo access. Option B is wrong because simply adding a user to the wheel group does not automatically grant sudo access unless the sudoers file contains an entry like '%wheel ALL=(ALL) ALL'; the group membership alone is insufficient. Option C is wrong because /etc/shadow stores encrypted password hashes and password aging information, not sudo permissions; editing it would not affect sudo access.

391. MCQ (hard)

A Linux server is experiencing high I/O wait, as shown by the 'iostat -x' command: 'avg-cpu: %iowait=45' and '/dev/sda: await=120ms, %util=95%'. The server has 16 GB of RAM, and the administrator notices that the system is using a significant amount of swap: 'free -m' shows 4 GB of swap used out of 8 GB. The server runs a database application that performs many synchronous writes. The administrator wants to reduce I/O wait without adding physical memory. Which of the following kernel parameter changes is most likely to help by reducing the frequency of write operations to disk?

A. Increase vm.dirty_ratio from 20 to 40.
B. Increase vm.dirty_writeback_centisecs from 500 to 1000.
C. Set vm.swappiness to 0.
D. Decrease vm.dirty_background_ratio from 10 to 5.
Answer: B

Increasing the interval between writeback cycles allows more dirty pages to accumulate, possibly merging writes and reducing the number of I/O operations, thus lowering iowait.

Why this answer

Increasing vm.dirty_writeback_centisecs (time between writeback flushes) allows more dirty pages to accumulate before being written, reducing write frequency and potentially merging writes, which can lower I/O wait if the I/O subsystem is efficient at handling larger writes. However, if the writeback interval is too high, it may increase burstiness. The other options: increasing dirty_ratio or dirty_background_ratio would allow more dirty pages in memory, which could temporarily reduce writes but might cause burstier writes and not reduce overall I/O wait.

Decreasing dirty_writeback_centisecs would increase write frequency, likely worsening iowait. So Option C is the most plausible correct answer. Option D (swappiness) affects swap tendency, but swap usage indicates memory pressure; reducing swappiness might reduce swap but not directly address synchronous database writes.

392. MCQ (medium)

A system administrator notices that the httpd service fails to start. Which command should be used to view the most recent log entries for that specific service?

A. systemctl status httpd
B. dmesg | grep httpd
C. journalctl -u httpd
D. tail -f /var/log/messages
Answer: C

Displays journal entries for the httpd unit.

Why this answer

journalctl -u httpd shows logs from the systemd journal for the httpd unit. tail on /var/log/messages may work but is not service-specific. dmesg shows kernel logs. systemctl status shows recent logs but not as detailed as journalctl.

393. MCQ (medium)

A system is running out of disk space in the /var/log directory. The administrator needs to temporarily free up space while preserving the latest log entries. Which approach is best?

A. Run logrotate with compression enabled
B. find /var/log -mtime +7 -delete
C. cat /dev/null > /var/log/messages
D. rm -rf /var/log/*
Answer: A

Rotates and compresses logs, preserving recent entries.

Why this answer

Logrotate with compression is the best approach because it rotates, compresses, and optionally removes old log files while preserving the latest entries. It can be configured to keep a specific number of rotated logs, thus freeing disk space without deleting current logs. This matches the requirement to temporarily free up space while retaining the most recent log data.

Exam trap

CompTIA often tests the misconception that deleting old files with find or truncating a log file is a safe way to free space, but the correct approach is to use logrotate to manage log rotation and compression while preserving the latest entries.

How to eliminate wrong answers

Option B is wrong because 'find /var/log -mtime +7 -delete' deletes all log files older than 7 days, which may remove important historical logs and does not preserve the latest entries in a controlled manner. Option C is wrong because 'cat /dev/null > /var/log/messages' truncates the file, which destroys all existing log entries in that file, failing to preserve the latest entries. Option D is wrong because 'rm -rf /var/log/*' removes all files and subdirectories in /var/log, including current logs, which is destructive and does not preserve any entries.

394. Multi-Select (hard)

A security-conscious administrator runs containers with Podman. Which THREE methods ensure that a container runs with the least privilege required?

Select 3 answers
A. --privileged
B. --user 1000
C. --cap-drop=ALL
D. --read-only=true
E. --security-opt seccomp=default.json
Answers: B, C, E

Runs the container as a non-root user, reducing privilege.

Why this answer

Option B is correct because using `--user 1000` runs the container process with a non-root user (UID 1000), which reduces the attack surface by preventing root-level access inside the container. This is a fundamental least-privilege practice, as containers default to running as root unless explicitly changed.

Exam trap

CompTIA often tests the misconception that `--read-only=true` is a privilege-reduction method, when in fact it only restricts filesystem writes and does not limit user or capability privileges.

395. Multi-Select (hard)

An administrator is troubleshooting a slow system. Which two commands can be used to identify processes consuming excessive CPU or memory? (Choose two.)

Select 2 answers
A. free -m
B. iostat -x
C. ps aux --sort=-%mem
D. df -h
E. top
Answers: C, E

ps with sorting shows processes by memory usage.

Why this answer

Option C is correct because `ps aux --sort=-%mem` lists all processes with their memory usage, sorted by memory consumption in descending order, making it easy to identify processes consuming excessive memory. Option E is correct because `top` provides a real-time, dynamic view of system processes, including CPU and memory usage, and allows sorting by these metrics interactively.

Exam trap

CompTIA often tests the distinction between system-level resource commands (like `free`, `df`, `iostat`) and process-level monitoring commands (`ps`, `top`), leading candidates to choose commands that show overall usage rather than per-process details.

396. MCQ (hard)

A Linux server experiences a kernel panic after a recent driver update. The system is still operational but unstable. Which command should be used to gather detailed information about the kernel modules currently loaded?

A. modinfo
B. lsmod
C. dmesg
D. modprobe -l
Answer: B

Lists all loaded kernel modules.

Why this answer

B is correct because `lsmod` lists all currently loaded kernel modules by reading the `/proc/modules` file, showing their size, usage count, and dependencies. In a kernel panic scenario after a driver update, this command quickly reveals which modules are active, helping identify the problematic driver without further destabilizing the system.

Exam trap

The trap here is that candidates confuse `lsmod` (runtime loaded modules) with `modinfo` (module metadata) or `dmesg` (kernel logs), or mistakenly think `modprobe -l` lists loaded modules when it actually lists available modules (and is deprecated).

How to eliminate wrong answers

Option A is wrong because `modinfo` displays detailed metadata about a specific kernel module (e.g., author, description, parameters), but it does not list currently loaded modules; it requires the module name as an argument and reads the module file, not runtime state. Option C is wrong because `dmesg` prints the kernel ring buffer messages, which can show panic logs and driver errors, but it does not list currently loaded modules; it is useful for post-mortem analysis but not for a real-time inventory of loaded modules. Option D is wrong because `modprobe -l` is not a valid option in modern Linux; `modprobe` is used to load or unload modules, and listing available modules is done with `modprobe -l` only in older versions (deprecated), but it lists all installable modules, not those currently loaded.

397. MCQ (hard)

Refer to the exhibit. An administrator can SSH to the server but cannot ping 10.0.0.1. What is the most likely cause?

A. The destination host 10.0.0.1 is not responding to ping due to a firewall or ICMP being disabled on that host.
B. The ping is being blocked by the nftables output chain, which is not configured.
C. ICMP is blocked by the nftables input chain policy drop.
D. The destination host 10.0.0.1 does not have a route back.
Answer: A

The 'Destination Port Unreachable' message indicates the remote host received the ping but sent back an ICMP unreachable, likely because ping is disabled or filtered on that host.

398. MCQ (easy)

A system administrator needs to check the current runlevel on a system that uses systemd. Which command should the administrator use?

A. hostnamectl
B. getenforce
C. systemctl get-default
D. uname -r
Answer: C

Displays the default target (runlevel equivalent).

Why this answer

Option C is correct because `systemctl get-default` displays the default target (runlevel equivalent) on a systemd-based Linux system. Systemd uses targets instead of traditional SysV runlevels, and this command shows which target is set as the default at boot, such as `multi-user.target` or `graphical.target`.

Exam trap

The trap here is that candidates familiar with SysV init may expect a command like `runlevel` or `who -r`, but systemd uses `systemctl get-default` for the default target and `systemctl list-units --type=target` to see the current active target, not a direct runlevel command.

How to eliminate wrong answers

Option A is wrong because `hostnamectl` is used to query or change the system hostname and related settings, not to check the current runlevel or default target. Option B is wrong because `getenforce` is a SELinux command that returns the current enforcement mode (Enforcing, Permissive, or Disabled), and has nothing to do with runlevels or systemd targets. Option D is wrong because `uname -r` prints the kernel release version, not the runlevel or default target.

399. Matching (medium)

Match each Linux filesystem to its typical use case.


Concepts
Matches

General-purpose Linux filesystem

High-performance, scalable filesystem

Copy-on-write with snapshots

Temporary filesystem in RAM

Advanced filesystem with volume management

Why these pairings

These filesystems are commonly used in Linux environments.

400
Multi-Selectmedium

A system administrator is troubleshooting a network issue where a server cannot reach external websites. The server can ping the default gateway and internal hosts. Which TWO commands should the administrator use to further diagnose the problem? (Choose TWO.)

Select 2 answers
A.nslookup google.com
B.route -n
C.ping 127.0.0.1
D.ifconfig eth0
E.traceroute 8.8.8.8
AnswersA, E

Tests DNS resolution; if it fails, that could be the reason for not reaching external sites by name.

Why this answer

The server can reach internal hosts and the default gateway, which rules out Layer 2/3 connectivity issues within the local network. However, it cannot reach external websites, suggesting a DNS resolution failure or a routing problem beyond the gateway. 'nslookup google.com' (A) tests DNS resolution by querying the configured DNS server for the IP address of google.com; if it fails, the issue is with DNS. 'traceroute 8.8.8.8' (E) traces the path to a known external IP (Google's public DNS), bypassing DNS, to determine if packets are being dropped or misrouted after the gateway.

Exam trap

The trap here is that candidates often choose 'route -n' (B) thinking it will show a missing default route, but since the server can ping the gateway, the default route is present; the real issue is either DNS or a routing problem beyond the first hop, which 'traceroute' (E) specifically addresses.

401
MCQmedium

A cron job runs a script that uses a command only available in a custom directory. The script fails from cron but works in the user's shell. Which of the following is the most common cause?

A.The script is not executable
B.The script has incorrect line endings
C.The cron job runs as root but command is in user's PATH
D.The cron job does not source the user's .bashrc
AnswerD

Cron's minimal environment lacks the custom PATH defined in .bashrc.

Why this answer

The most common cause is that cron jobs run in a minimal environment and do not source the user's shell initialization files like .bashrc. This means the custom directory containing the command is not in the PATH variable when the script executes under cron, even though it works in the user's interactive shell where .bashrc is sourced. The fix is to make the job independent of the interactive environment: set `PATH=...` at the top of the crontab (crontab(5) allows environment assignments), or call the command by its absolute path inside the script.

Exam trap

CompTIA often tests the misconception that cron inherits the user's interactive shell environment, leading candidates to incorrectly choose option C (user mismatch) instead of recognizing that cron does not source shell initialization files.

How to eliminate wrong answers

Option A is wrong because a script without the execute bit would fail in both the user's shell and cron, not just cron. Option B is wrong because Windows CRLF line endings would break the script in both environments as well. Option C is wrong because the user the job runs as is not the issue: cron sources no login or shell profile for any user, root included, so the custom directory is absent from PATH regardless of who owns the job.
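The failure and both fixes, as an added example that is not part of the original question set: it builds a stand-in tool in a temporary directory and runs it under `env -i` with the PATH cron supplies (/usr/bin:/bin on Vixie cron and cronie), then with the directory appended and with an absolute path. The tool name `mytool`, its directory and the log path in the generated crontab lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce "works in my shell, fails from cron" and show the
# two standard fixes. cron gives a job a near-empty environment: PATH is
# /usr/bin:/bin and no shell start-up file (~/.bashrc, ~/.profile) is read,
# so anything that only reaches PATH through those files is invisible.
set -eu

# make_tool DIR -> creates a constructed stand-in for the custom command
make_tool() {
    mkdir -p "$1"
    printf '#!/bin/sh\necho tool-ran\n' > "$1/mytool"
    chmod +x "$1/mytool"
}

# run_as_cron PATH CMD -> runs CMD in a cron-like environment (env -i keeps
# nothing from the caller); prints "ok" if it ran, "missing" if not found
run_as_cron() {
    if env -i PATH="$1" sh -c "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo missing
    fi
}

# crontab_fix DIR -> the crontab lines that fix it: a PATH assignment at the
# top of the crontab plus an absolute path to the script (belt and braces)
crontab_fix() {
    printf 'PATH=/usr/bin:/bin:%s\n' "$1"
    printf '0 2 * * * %s/mytool >> /var/log/mytool.log 2>&1\n' "$1"
}

tools=$(mktemp -d)/tools
make_tool "$tools"
echo "interactive-style PATH: $(run_as_cron "/usr/bin:/bin:$tools" mytool)"
echo "cron PATH, bare name:   $(run_as_cron /usr/bin:/bin mytool)"
echo "cron PATH, absolute:    $(run_as_cron /usr/bin:/bin "$tools/mytool")"
crontab_fix "$tools"
rm -rf "${tools%/tools}"
```

The second line prints `missing`, the first and third print `ok`: the same binary, the same user, only the environment differs. Redirecting the job's output to a log file, as the generated entry does, is what makes the next cron failure diagnosable instead of silent.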

402
MCQmedium

An Apache web server hosted on a Linux system is unable to connect to a backend database server on port 3306. Based on the exhibit, which action should the administrator take to resolve the issue?

A.Set the httpd_can_network_connect boolean to on.
B.Disable SELinux by setting SELINUX=disabled in /etc/selinux/config.
C.Enable the httpd_enable_home_dirs boolean.
D.Change the SELinux context of the index.html file to httpd_sys_content_t.
AnswerA

This boolean controls whether httpd can initiate outbound network connections.

Why this answer

The Apache web server cannot connect to the backend database server on port 3306 because SELinux is blocking the outbound network connection. The boolean `httpd_can_network_connect` controls whether the httpd_t domain may initiate outbound TCP connections to remote hosts; `setsebool -P httpd_can_network_connect on` permits Apache to connect to the database server and persists across reboots, resolving the issue without disabling SELinux. Where outbound access is needed only for the database, the narrower `httpd_can_network_connect_db` boolean, which covers just database port types such as mysqld_port_t and postgresql_port_t, is the least-privilege choice.

Exam trap

CompTIA often tests the misconception that SELinux issues are always file-context problems, leading candidates to choose a file-context fix (Option D) when the actual issue is a network connection boolean.

How to eliminate wrong answers

Option B is wrong because disabling SELinux entirely (SELINUX=disabled) removes all SELinux protections, which is an insecure and overly broad solution that violates the principle of least privilege; the correct approach is to enable only the specific boolean needed. Option C is wrong because the `httpd_enable_home_dirs` boolean controls whether httpd can access user home directories (e.g., for UserDir), not outbound network connections to a database server. Option D is wrong because changing the SELinux context of `index.html` to `httpd_sys_content_t` affects file access for serving web content, not the ability of httpd to make outbound TCP connections to a remote database.

403
MCQhard

A user on a shared system cannot create files larger than 1MB, even though the filesystem has ample free space. Which command should the administrator use to investigate?

A.df -h
B.fdisk -l
C.lsblk
D.quota -u username
AnswerD

quota -u shows the user's disk quota limits and current usage.

Why this answer

Option D is correct because `quota -u username` shows the user's block and inode soft/hard limits and current usage on every filesystem with quotas enabled (`repquota -a` gives the same view for all users). Option A is wrong because `df -h` reports filesystem-level free space, not per-user limits. Option B is wrong because `fdisk -l` prints partition tables. Option C is wrong because `lsblk` lists block devices.

One caveat a practitioner should keep in mind: a disk quota caps total usage, not the size of a single file. A limit that bites at exactly 1MB per file is also the signature of a resource limit (`ulimit -f`, set as `fsize` in /etc/security/limits.conf), so check both before concluding.

404
MCQhard

A company's web server running Apache on CentOS 7 has been compromised. The attacker exploited a vulnerability in the web application and gained access to the system as the 'apache' user. The administrator wants to prevent similar attacks in the future by hardening the server. Currently, the Apache process runs as the 'apache' user and can execute arbitrary code. The administrator considers enabling SELinux with targeted policy to confine the httpd daemon. However, after setting SELinux to enforcing and installing the 'httpd' SELinux package, the web server fails to serve pages over HTTPS. The administrator checks the audit log (/var/log/audit/audit.log) and sees denials related to port binding. What is the most likely cause of the issue?

A.The SSL certificate files have incorrect SELinux context (e.g., httpd_sys_content_t instead of cert_t)
B.The httpd binary must have the httpd_exec_t context
C.The boolean httpd_enable_homedirs must be enabled to allow HTTPS
D.The port 443 is not labeled with the http_port_t type; use semanage port -a -t http_port_t -p tcp 443
AnswerD

SELinux requires ports to be labeled for the daemon to bind. Without this, httpd cannot listen on 443.

Why this answer

The issue is that SELinux is blocking Apache from binding to port 443 because, in this scenario, that port does not carry the http_port_t type. The targeted policy lets the httpd_t domain bind only to ports labeled http_port_t; a bind attempt on a port without that label is logged in audit.log as an AVC denial on tclass=tcp_socket with permission name_bind, even when the firewall allows the port.

The administrator adds the label with `semanage port -a -t http_port_t -p tcp 443` and confirms it with `semanage port -l | grep http_port_t`. In a stock targeted policy 443 is already in http_port_t (alongside 80, 81, 488, 8008, 8009, 8443 and 9000), so on a real system the `-a` form fails with 'port already defined' and the question models a policy where the label was removed or changed; if the port is defined under another type, `semanage port -m` modifies it. Non-standard listeners (a vhost on 8843, say) are the everyday case for this command.

Exam trap

The trap here is that candidates often focus on file contexts or booleans, overlooking that SELinux also controls network port access via port labeling, which is a distinct and frequently tested concept in the XK0-005 exam.

How to eliminate wrong answers

Option A is wrong because certificate and key files under /etc/pki/tls carry the cert_t type; a mislabeled certificate produces read denials on tclass=file when mod_ssl loads it, not port-binding denials. Option B is wrong because the httpd binary already has the httpd_exec_t context by default when installed via the httpd package; this context is what transitions the process into httpd_t at execution and has nothing to do with port binding. Option C is wrong because the httpd_enable_homedirs boolean controls whether httpd can access user home directories, not whether it can bind to HTTPS ports.

405
MCQeasy

Refer to the exhibit. Which service is likely causing the longest boot delay?

A.sshd.service
B.firewalld.service
C.network.service
D.postfix.service
AnswerB

Has the highest boot time in the list.

Why this answer

Option B is correct because firewalld.service has the highest time (1.234s) in the `systemd-analyze blame` output. The other services have lower times.

406
MCQhard

A Linux administrator is configuring a firewall using iptables to allow incoming HTTP and HTTPS traffic but block all other incoming traffic. Which set of rules should be applied?

A.iptables -P INPUT DROP; iptables -A INPUT -p tcp -j ACCEPT
B.iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp --dport 80 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT; iptables -A INPUT -j DROP
C.iptables -P INPUT DROP; iptables -A INPUT -p tcp --dport 80 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
D.iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp --dport 80 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
AnswerC

Default DROP blocks all; allow only HTTP/HTTPS.

Why this answer

Option C is correct because it sets the default policy for the INPUT chain to DROP, which blocks all incoming traffic by default, and then explicitly adds rules to ACCEPT TCP traffic on ports 80 (HTTP) and 443 (HTTPS). This implements a whitelist approach: only the specified services are allowed, and all other incoming packets are dropped by the default policy. The order is critical — the ACCEPT rules must be evaluated before the default DROP policy takes effect for unmatched traffic.

Exam trap

The trap here is the difference between a chain's default policy and an explicit rule. The policy applies only to packets that match no rule, so Option B's trailing `-A INPUT -j DROP` does catch everything the earlier ACCEPT rules missed. What makes Option C the better answer is that it fails closed: if the rules are flushed (`iptables -F`) or a rule is later appended behind the catch-all, a DROP policy still blocks traffic, whereas Option B's ACCEPT policy leaves the host open.

How to eliminate wrong answers

Option A is wrong because it sets the default policy to DROP but then accepts all TCP traffic regardless of destination port, so SSH, SMTP and every other TCP service stay reachable. Option B does block the other traffic, because its final `-A INPUT -j DROP` matches every packet the port 80 and 443 rules did not; it is the weaker answer because the protection lives in one rule rather than in the chain policy, so a flush or a rule appended behind the catch-all silently reopens the host. Option D is wrong because it sets the default policy to ACCEPT, adds ACCEPT rules for ports 80 and 443 that change nothing, and never blocks anything, so all incoming traffic is allowed. Note that none of the four rule sets accepts loopback or ESTABLISHED,RELATED traffic; on a real server add `-A INPUT -i lo -j ACCEPT` and `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` ahead of the port rules, or the host's own outbound connections stop receiving replies.

407
MCQeasy

An administrator needs to run a backup script every day at 2:00 AM. The script is located at /usr/local/bin/backup.sh and is executable. The administrator considers several methods to schedule this task. Which method should the administrator use to ensure the script runs at exactly 2:00 AM every day without additional configuration overhead?

A.Add the following line to the crontab for root: `0 2 * * * /usr/local/bin/backup.sh`
B.Append the script path to /etc/rc.local file.
C.Place the script in /etc/cron.daily/ directory.
D.Create a systemd timer unit that triggers the script daily at 2:00 AM.
AnswerA

This crontab entry schedules the script to run at exactly 2:00 AM daily.

Why this answer

The correct method is to add a cron job via crontab because cron is the standard Unix/Linux utility for scheduling tasks at specific times. The syntax `0 2 * * *` precisely defines execution at 2:00 AM daily (minute 0, hour 2, every day, every month, every day of week), and the script path is fully qualified. This approach requires no additional configuration overhead beyond a single crontab entry.

Exam trap

The trap here is that candidates may confuse cron.daily (which runs daily but at a non-configurable time) with a user-crontab entry, or assume systemd timers are simpler than they actually are, overlooking the extra unit files required.

How to eliminate wrong answers

Option B is wrong because /etc/rc.local runs once at system boot, not at a specific daily time. Option C is wrong because scripts in /etc/cron.daily/ run once a day at a distribution-defined time (6:25 AM from /etc/crontab on Debian-based systems, or whenever anacron catches up on RHEL-based systems), not at exactly 2:00 AM, and that time cannot be set per script. Option D is wrong because while a systemd timer with `OnCalendar=*-*-* 02:00:00` gives the same result, it requires creating both a .service and a .timer unit, which is more configuration overhead than a single crontab entry.

408
MCQmedium

You are a Linux administrator at a company that runs a web application in Docker containers on a single host. The application consists of a front-end container (nginx) and a back-end container (node.js). Recently, after a system update, the front-end container fails to start with the error: 'Error response from daemon: driver failed programming external connectivity on endpoint frontend: (iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 80 -j ACCEPT: iptables: No chain/target/match by that name)'. Which action should you take to resolve the issue?

A.Restart the Docker daemon with systemctl restart docker
B.Reinstall iptables
C.Change the network driver to macvlan
D.Update the kernel to the latest version
AnswerA

Restarting Docker recreates its iptables chains and rules, fixing the missing chain error.

Why this answer

The error indicates that the Docker daemon's iptables rules are corrupted or missing, often caused by a system update that restarted or modified the iptables service. Restarting the Docker daemon with `systemctl restart docker` forces Docker to reinitialize its iptables chains (e.g., DOCKER, DOCKER-USER) and reapply the necessary rules, resolving the connectivity failure.

Exam trap

CompTIA often tests the misconception that iptables itself is broken or needs reinstallation, when the real issue is that Docker's custom iptables chains were lost and need to be recreated by restarting the Docker daemon.

How to eliminate wrong answers

Option B is wrong because reinstalling iptables is unnecessary; the iptables command itself is present and functional (the error is about a missing chain, not a missing binary). Option C is wrong because changing the network driver to macvlan would alter the networking model but does not address the missing iptables chain; the issue is with Docker's default bridge network and its iptables rules. Option D is wrong because updating the kernel is not required; the error stems from a configuration mismatch between Docker and iptables, not a kernel compatibility issue.

409
Multi-Selectmedium

Which TWO commands can be used to display the amount of free and used memory on a Linux system?

Select 2 answers
A.df -h
B.du -sh
C.free -h
D.cat /proc/meminfo
E.iostat
AnswersC, D

free displays memory usage in human-readable format.

Why this answer

The `free -h` command displays the total, used, and free physical memory (RAM) and swap space in a human-readable format. The `cat /proc/meminfo` command reads the kernel's memory statistics directly from the virtual filesystem, providing detailed information about memory usage, including free, available, buffered, and cached memory. Both commands are standard tools for inspecting memory utilization on a Linux system.

Exam trap

CompTIA often tests the distinction between disk space commands (`df`, `du`) and memory commands (`free`, `/proc/meminfo`), trapping candidates who confuse filesystem usage with RAM usage.

410
MCQmedium

A system administrator wants to ensure that a container can access host devices such as USB drives. Which Docker run option should be used?

A.--device /dev/ttyUSB0
B.--privileged
C.--pid=host
D.--net=host
AnswerA

This grants the container access to the specified host device.

Why this answer

The `--device` flag in Docker passes one host device node into the container (here `/dev/ttyUSB0`, a USB-to-serial adapter; a USB mass-storage drive appears as a /dev/sdX block device and is passed the same way). This grants read, write and mknod access to that node only, without the full set of capabilities and device access that `--privileged` confers, making it the precise and secure option for this requirement.

Exam trap

The trap here is that candidates often choose `--privileged` because they think it is the only way to give a container hardware access, but the exam tests the understanding that `--device` provides granular, secure device access without the broad security implications of full privilege escalation.

How to eliminate wrong answers

Option B is wrong because `--privileged` grants the container all capabilities and full access to all host devices, which is excessive and a security risk; it is not the targeted solution for accessing a specific device like a USB drive. Option C is wrong because `--pid=host` shares the host's PID namespace with the container, allowing the container to see all host processes, but it does not provide any access to host devices. Option D is wrong because `--net=host` makes the container use the host's network stack directly, which affects networking only and has no effect on device access.

411
MCQmedium

An administrator needs to ensure that the SSH service only allows key-based authentication and disables password authentication. Which configuration file and directive should be modified?

A./etc/ssh/sshd_config; PasswordAuthentication yes
B./etc/ssh/sshd_config; PubkeyAuthentication no
C./etc/ssh/ssh_config; PasswordAuthentication no
D./etc/ssh/sshd_config; PasswordAuthentication no
AnswerD

Correct file and directive to disable password authentication.

Why this answer

Option D is correct because the SSH server configuration file is /etc/ssh/sshd_config, and setting 'PasswordAuthentication no' disables password-based logins, forcing key-based authentication. This directive must be set on the server side (sshd_config), not the client side (ssh_config), to enforce the policy for all incoming SSH connections. Two checks belong with this change: password prompts can still arrive through PAM keyboard-interactive, so pair it with `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older OpenSSH), and on distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` a drop-in file can override the main file because sshd keeps the first value it reads for a keyword. Verify the effective setting with `sshd -T | grep -i passwordauthentication`, validate with `sshd -t`, then `systemctl reload sshd`, keeping the current session open until a new key-based login succeeds.

Exam trap

The trap here is confusing the client configuration file (/etc/ssh/ssh_config) with the server configuration file (/etc/ssh/sshd_config), leading candidates to select option C, which would have no effect on the SSH server's authentication behavior.

How to eliminate wrong answers

Option A is wrong because 'PasswordAuthentication yes' would enable password authentication, which is the opposite of the required outcome. Option B is wrong because 'PubkeyAuthentication no' would disable public key authentication, preventing key-based access entirely. Option C is wrong because /etc/ssh/ssh_config is the client-side configuration file; modifying it only affects outgoing SSH connections from that host, not incoming connections to the SSH server.

412
MCQhard

An administrator is configuring a custom kernel module to be loaded automatically at boot for a specialized hardware device. The module is named 'custom_hw'. Which file should be created to ensure the module is loaded at boot?

A./etc/modules-load.d/custom_hw.conf with the line 'custom_hw'
B./etc/sysconfig/modules/custom_hw.modules with modprobe commands
C./etc/modprobe.d/custom_hw.conf with 'options custom_hw param=value'
D./etc/modprobe.d/blacklist.conf with 'blacklist custom_hw'
AnswerA

This file lists module names to be loaded at boot.

Why this answer

Option A is correct because files in /etc/modules-load.d/ list module names, one per line, that systemd-modules-load.service loads at boot. Option C is for module parameters: an `options` line in /etc/modprobe.d/ sets parameters when the module is loaded but does not cause it to load. Option D is for blacklisting, the opposite of the requirement. Option B refers to the legacy /etc/sysconfig/modules/*.modules scripts of SysV-era Red Hat systems, not the standard systemd mechanism.

413
MCQhard

A system administrator installs a new application that is failing to write to its configuration file in /etc. SELinux is enforcing. Which command would show the relevant SELinux denials?

A.sealert
B.ausearch -m avc -ts recent
C.getenforce
D.audit2why
AnswerB

Correct: Searches audit log for SELinux denials.

Why this answer

The `ausearch -m avc -ts recent` command queries the audit log for AVC (Access Vector Cache) denial messages, which are the specific SELinux denials logged when a process is blocked from accessing a resource. This is the direct way to view recent SELinux denials in an enforcing mode environment, as it filters audit records by message type (AVC) and time range (recent).

Exam trap

CompTIA often tests the distinction between commands that show denials (ausearch) versus commands that interpret or explain denials (audit2why, sealert), leading candidates to pick a tool that requires the denial data as input rather than one that retrieves it directly.

How to eliminate wrong answers

Option A is wrong because `sealert` is a GUI tool that analyzes SELinux denial messages and provides human-readable explanations, but it does not directly show the raw denials from the audit log; it requires the denials to already be present in the audit log or to be run with a specific file. Option C is wrong because `getenforce` only displays the current SELinux mode (Enforcing, Permissive, or Disabled) and does not show any denial logs. Option D is wrong because `audit2why` interprets AVC denial messages from audit logs and explains why access was denied, but it does not show the denials themselves; it requires input from `ausearch` or a log file to function.
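A first-pass triage of what `ausearch -m avc -ts recent` returns, as an added example that is not part of the original question set. The script condenses each AVC record to the fields that decide the fix (program, denied permission, source type, target type and object class, and whether the domain was permissive); the audit lines it runs on are constructed samples, one modelled on this question (an application in a hypothetical myapp_t domain writing to /etc) and one on question 402 (httpd reaching a database port).

```shell
#!/bin/sh
# Added example: first-pass triage of AVC denials. Feed it the output of
# "ausearch -m avc -ts recent" (or the raw /var/log/audit/audit.log) and it
# prints one line per denial with the fields that determine the remedy.
# The records in sample_records are constructed, not captured from a host.
set -eu

# avc_summary: audit records on stdin -> one summary line per type=AVC record
avc_summary() {
    awk '
    $1 != "type=AVC" { next }
    {
        perms = ""; comm = ""; st = ""; tt = ""; tclass = ""; pmode = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            # the permission list sits between "{" and "}"
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = perms (perms == "" ? "" : ",") $i; continue }
            split($i, kv, "=")
            if (kv[1] == "comm")            { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext")   { split(kv[2], c, ":"); st = c[3] }
            else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tt = c[3] }
            else if (kv[1] == "tclass")     { tclass = kv[2] }
            else if (kv[1] == "permissive") { pmode = kv[2] }
        }
        printf "%s denied {%s} %s -> %s:%s permissive=%s\n", comm, perms, st, tt, tclass, pmode
    }'
}

# sample_records: constructed audit lines in the real audit.log layout
sample_records() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="myapp" exe="/usr/local/bin/myapp" subj=system_u:system_r:myapp_t:s0 key=(null)
type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="myapp" name="myapp.conf" dev="sda1" ino=789 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:789): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

sample_records | avc_summary
```

The first summary line says a process in myapp_t wants write on an etc_t file: that is a labeling or policy question (`audit2why`, then a custom module from `audit2allow` if the write is legitimate), not something a boolean fixes. The second is exactly the question 402 situation, httpd_t to mysqld_port_t on tcp_socket, which `setsebool -P httpd_can_network_connect_db on` resolves. The SYSCALL record is skipped on purpose; it is the companion of the first AVC, not a separate denial.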

414
MCQeasy

A file has permissions -rwxr-x---. The administrator wants to give the group write permission using symbolic mode. Which command is correct?

A.chmod 775 file
B.chmod o+w file
C.chmod u+w file
D.chmod g+w file
AnswerD

g+w adds write permission to the group, leaving other permissions unchanged.

Why this answer

Option D is correct because `chmod g+w file` adds write permission for the group, giving -rwxrwx---. Option A is wrong because `chmod 775` sets the mode absolutely to rwxrwxr-x, which also grants read and execute to others. Option B is wrong because `chmod o+w` adds write for others. Option C is wrong because `chmod u+w` adds write for the owner, who already has it.

415
Multi-Selecthard

Which TWO statements about Ansible are true? (Choose two.)

Select 2 answers
A.Ansible playbooks are written in YAML
B.Ansible uses a centralized master server
C.Ansible requires Python on the control node only
D.Ansible is idempotent
E.Ansible requires an agent to be installed on managed nodes
AnswersA, D

Playbooks are YAML files.

Why this answer

Ansible playbooks are written in YAML (A) because YAML is a human-readable data serialization language that allows Ansible to define automation workflows declaratively. The control node parses the YAML playbook into Python data structures, which are then executed against managed nodes via modules. Ansible is idempotent (D) in the sense that its core modules check the current state before acting and report `changed` only when they had to alter something, so the same playbook can be run repeatedly without side effects; `command` and `shell` tasks are the exception and need `creates`, `removes` or `changed_when` to behave the same way. Option C is false because managed Linux nodes also need a Python interpreter for almost every module (`raw` is the exception), not just the control node.

Exam trap

CompTIA often tests the misconception that Ansible requires a master server (like Puppet or Chef) or that it needs agents on managed nodes, but the trap here is that Ansible is agentless and uses a simple push model from a single control node.

416
MCQmedium

Refer to the exhibit. The system log is not updating. What is the cause?

A.The syslog file size exceeded 1GB and was rotated.
B.The syslog file permissions are incorrect.
C.The root filesystem is almost full, leaving no space for log growth.
D.rsyslogd was restarted and lost its configuration.
AnswerC

df shows 95% usage on / and the rsyslogd error states 'No space left on device'. 95% is enough: ext4 reserves 5% of blocks for root by default (`tune2fs -m`), and rsyslogd drops privileges to a service account on many distributions, so an unprivileged writer sees ENOSPC before df reaches 100%.

417
Drag & Dropmedium

Drag and drop the steps to create a new LVM logical volume in the correct order.


Steps
Order

Why this order

LVM is built bottom-up: `pvcreate` marks the block device as a physical volume, `vgcreate` groups physical volumes into a volume group, `lvcreate` carves a logical volume out of the group, `mkfs` formats the logical volume, and `mount` (with an /etc/fstab entry for persistence) makes it available.

418
MCQmedium

A server is experiencing frequent kernel panics. The administrator wants to capture the crash dump for analysis. Which kernel parameter must be set to enable crash dumps?

A.panic=10
B.kdump_enabled=1
C.irqpoll
D.crashkernel=auto
AnswerD

This parameter allocates memory for the crash kernel so that a dump can be captured.

Why this answer

The `crashkernel` kernel parameter reserves a portion of system memory for the kdump mechanism, which boots a small capture kernel into that region when a panic occurs and writes the dump from there. Without the reservation the crash dump cannot be captured because the crashed kernel's memory is not safe to run from. The parameter is set in the bootloader configuration (GRUB) and takes effect at the next boot. `crashkernel=auto` lets the kernel choose the reservation size and is supported by RHEL-family kernels; the upstream kernel expects an explicit size or a size-range table, for example `crashkernel=256M` or `crashkernel=512M-2G:128M,2G-:256M`. After rebooting, confirm the reservation with `cat /sys/kernel/kexec_crash_size` and that `kdump.service` is enabled and active.

Exam trap

The trap here is that candidates confuse the kdump service configuration (e.g., enabling kdump via systemctl) with the required kernel boot parameter `crashkernel`, leading them to select `kdump_enabled=1` as if it were a kernel parameter.

How to eliminate wrong answers

Option A is wrong because `panic=10` sets a timeout in seconds after which the system automatically reboots on a kernel panic, but it does not enable crash dump capture. Option B is wrong because `kdump_enabled=1` is not a valid kernel parameter; the kdump service is controlled via systemd or init scripts, not a kernel boot parameter. Option C is wrong because `irqpoll` is a kernel parameter used to work around interrupt problems by polling IRQs, and it has no role in crash dump capture.

419
MCQhard

An administrator is configuring a Linux firewall to allow incoming SSH (port 22) and HTTPS (port 443) traffic while denying all other incoming traffic. Using iptables, which set of commands achieves this?

A.iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
B.iptables -P INPUT DROP; iptables -A INPUT -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
C.iptables -P FORWARD DROP; iptables -A INPUT -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
D.iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp --dport 22 -j DROP; iptables -A INPUT -p tcp --dport 443 -j DROP
AnswerB

Default DROP drops all incoming packets, then specific ACCEPT rules allow SSH and HTTPS.

Why this answer

Option B is correct because it first sets the default policy on the INPUT chain to DROP, which denies all incoming traffic by default. It then adds rules to explicitly ACCEPT incoming TCP traffic on ports 22 (SSH) and 443 (HTTPS), achieving the requirement of allowing only those two services while dropping everything else.

Exam trap

CompTIA often tests the distinction between the INPUT and FORWARD chains, and the trap here is that candidates mistakenly set the default policy on FORWARD instead of INPUT, thinking it controls incoming traffic to the local host.

How to eliminate wrong answers

Option A is wrong because it sets the default INPUT policy to ACCEPT, which allows all incoming traffic by default, then adds ACCEPT rules for ports 22 and 443 — this does not deny other traffic, it just redundantly accepts those ports. Option C is wrong because it sets the default policy on the FORWARD chain to DROP, but the requirement is about incoming traffic to the local system, which is governed by the INPUT chain, not FORWARD; the INPUT chain's default policy remains ACCEPT, so all incoming traffic is still allowed. Option D is wrong because it sets the default INPUT policy to ACCEPT and then adds DROP rules for ports 22 and 443, which would block SSH and HTTPS while allowing all other traffic — the exact opposite of the requirement.
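A complete fail-closed INPUT ruleset for this question and for question 406 (the HTTP/HTTPS variant), as an added example that is not part of the original question set. It emits iptables-restore format rather than the exam's one-liners, which gives two things the one-liners lack: loopback and ESTABLISHED,RELATED acceptance, and atomic loading, so an administrator on an SSH session is never cut off between `-P INPUT DROP` and the port-22 ACCEPT rule. The port list is a parameter; 22 and 443 below are this question's values.

```shell
#!/bin/sh
# Added example: generate a default-deny INPUT ruleset in iptables-restore
# format from a list of TCP ports. Load with: gen_rules 22 443 | iptables-restore
# (as root). Because iptables-restore replaces the table in one step, the
# DROP policy and the ACCEPT rules become active together.
set -eu

# gen_rules PORT... -> ruleset text on stdout
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # fail closed for the local host
    printf '%s\n' ':FORWARD DROP [0:0]'    # this host is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# policy_of RULESET CHAIN -> the default policy the ruleset sets for CHAIN
policy_of() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2 }'
}

# allowed_ports RULESET -> TCP ports the ruleset opens for new connections
allowed_ports() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }'
}

rules=$(gen_rules 22 443)
printf '%s\n' "$rules"
echo "INPUT policy: $(policy_of "$rules" INPUT)"
echo "open ports: $(allowed_ports "$rules" | tr '\n' ' ')"
```

Review the generated text before loading it (`iptables-restore --test` parses without applying), and make the ruleset persistent with the distribution's mechanism (`netfilter-persistent`, `iptables-services`, or a firewalld/nftables equivalent), since a bare iptables-restore does not survive a reboot.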

420
Multi-Selectmedium

Which TWO commands can be used to check the kernel version currently running on a system? (Choose two.)

Select 2 answers
A.sysctl kernel.version
B.cat /proc/version
C.lsb_release -a
D.uptime
E.uname -r
AnswersB, E

Contains kernel version string.

Why this answer

Option E, `uname -r`, prints the running kernel's release string (for example 5.15.0-91-generic). Option B, `cat /proc/version`, contains the same release string together with the compiler and build date. Option C is wrong because `lsb_release -a` shows the distribution release, not the kernel. Option A is wrong because `sysctl kernel.version` returns only the build string (#1 SMP ... plus the build date); the sysctl that matches `uname -r` is `kernel.osrelease`. Option D is wrong because `uptime` shows how long the system has been running and the load averages.

421
MCQeasy

A database administrator needs to schedule a one-time system backup to run at 2:00 AM tomorrow. Which command should be used?

A.systemd-run --on-calendar='*-*-* 02:00:00' /usr/bin/backup
B.at 2:00 AM tomorrow
C.echo '/usr/bin/backup' | atq
D.crontab -e
AnswerB

Schedules a one-time job at the specified time.

Why this answer

Option B is correct because `at` is designed for one-time scheduled tasks; in practice the command to run is fed on standard input, `echo /usr/bin/backup | at 2:00 AM tomorrow`, or typed at the `at>` prompt that the bare command opens. Option A is wrong because a transient timer with `--on-calendar='*-*-* 02:00:00'` fires every day at 02:00, not once. Option C is wrong because `atq` only lists pending at jobs and ignores its standard input; it schedules nothing. Option D is wrong because `crontab -e` edits recurring schedules.

422
MCQeasy

A system administrator needs to determine which process is using the most memory on a Linux server. Which command should be used to display processes sorted by memory usage?

A.top -o %MEM
B.vmstat 1 5
C.ps aux --sort=-%mem
D.free -m
AnswerC

Correctly sorts processes by memory usage descending.

Why this answer

Option C is correct because `ps aux --sort=-%mem` lists all processes with detailed information and sorts them by memory usage in descending order, showing the most memory-intensive process first. The `-%mem` flag specifies sorting by the %MEM column (resident set size as a percentage of total physical memory) in reverse order, which directly answers the requirement to determine which process is using the most memory.

Exam trap

CompTIA often tests the distinction between commands that show system-wide memory statistics (like `free` or `vmstat`) versus commands that display per-process memory usage (like `ps` or `top`), and candidates may mistakenly choose `free -m` because it shows memory usage, even though it does not identify which process is consuming the most memory.

How to eliminate wrong answers

Option A is the weaker choice rather than an invalid command: procps-ng `top` does accept `-o %MEM` as its sort field (pressing M inside top does the same), but top is an interactive, continuously refreshing display, whereas `ps aux --sort=-%mem` produces a one-shot list that can be piped to `head` or used in a script, which is what the question asks for. Option B is wrong because `vmstat 1 5` reports system-wide virtual memory statistics (processes, memory, paging, block I/O, traps, and CPU activity) at one-second intervals for five samples, but it does not list individual processes or sort them by memory usage. Option D is wrong because `free -m` displays total, used, and free physical and swap memory in megabytes, but it provides no information about individual processes or their memory consumption.

423
MCQeasy

A system administrator is troubleshooting a server that is experiencing periodic slowdowns. The administrator runs the 'ps aux' command and notices a process named 'cpu_burn' that is consistently using over 90% CPU. The administrator wants to identify which user is running the process and then terminate it. The server runs Red Hat Enterprise Linux 8. Which command should the administrator use to determine the owner of the 'cpu_burn' process?

A.ps -u cpu_burn
B.ps -ef | grep cpu_burn
C.top -bn1 | grep cpu_burn
D.ps -eo pid,user,comm | grep [c]pu_burn
AnswerD

This shows PID and user for the process, and the bracket trick avoids matching the grep process itself.

Why this answer

Option D is correct because `ps -eo pid,user,comm` prints only the PID, owner and command name for every process, and `grep [c]pu_burn` selects the target without ever matching grep's own command line (the pattern `[c]pu_burn` matches the text 'cpu_burn', but the literal argument '[c]pu_burn' does not match the pattern). Option B, `ps -ef | grep cpu_burn`, also reveals the owner in the first column, but it lists the grep process as well and any other process whose arguments happen to contain the string. Option A is wrong because `-u` takes a username, so `ps -u cpu_burn` looks for a user called cpu_burn rather than a process. Option C does work in batch mode (`-b -n1`), but its output is wider and meant for display, not for picking a single field out of.

A shorter equivalent worth knowing is `ps -o user= -C cpu_burn`, which selects by command name without a grep at all.

424
MCQmedium

An administrator wants to restrict SSH access to only users in the 'sshusers' group. Which configuration should be added to /etc/ssh/sshd_config?

A.AllowUsers sshusers
B.DenyUsers sshusers
C.AllowGroups sshusers
D.PermitRootLogin no
AnswerC

This allows only users in the sshusers group.

Why this answer

Option C is correct because the `AllowGroups` directive in `/etc/ssh/sshd_config` restricts SSH login to users who are members of the specified group. By setting `AllowGroups sshusers`, only users belonging to the 'sshusers' group will be permitted to authenticate via SSH, while all others are denied. This matches the administrator's requirement precisely.

Exam trap

The trap here is that candidates confuse `AllowUsers` (which matches usernames) with `AllowGroups` (which matches group names), leading them to incorrectly select Option A thinking it applies to the group name.

How to eliminate wrong answers

Option A is wrong because `AllowUsers` specifies individual usernames, not groups; `AllowUsers sshusers` would only allow a user literally named 'sshusers', not members of the group. Option B is wrong because `DenyUsers` explicitly denies specific users; `DenyUsers sshusers` would block the user named 'sshusers', which is the opposite of the requirement. Option D is wrong because `PermitRootLogin no` only prevents root from logging in via SSH, but does nothing to restrict access based on group membership.

425
Multi-Selecteasy

A junior administrator needs to monitor system resource usage on a production server. Which TWO commands should the administrator use to check CPU and memory utilization in real-time? (Choose two.)

Select 2 answers
A.top
B.df
C.uptime
D.lsof
E.free
AnswersA, E

Top displays real-time CPU and memory usage along with processes.

Why this answer

Top provides real-time CPU, memory, and process information. Free shows memory usage. Df checks disk space, lsof lists open files, and uptime shows system load but not resource utilization in real-time.

426
MCQhard

An administrator is investigating a security breach. The attacker gained root access via an application vulnerability. The administrator needs to determine which commands were executed by the attacker after gaining access. Which log file should be examined first?

A./var/log/syslog
B./var/log/secure
C./var/log/audit/audit.log
D./var/log/auth.log
E./root/.bash_history
AnswerE

Contains the root user's command history.

Why this answer

Option E is correct because `~/.bash_history` in the root user's home directory (/root/.bash_history) contains the command history for all commands executed by root in interactive bash sessions. Option D is wrong because /var/log/auth.log logs authentication attempts, not command execution. Option A is wrong because /var/log/syslog contains system messages but not per-user command history.

Option B is wrong because /var/log/secure logs authentication-related events on Red Hat systems. Option C is wrong because /var/log/audit/audit.log contains audit events but requires auditd to be configured.

427
MCQhard

You are a DevOps engineer managing a Git repository for a large development team. Your CI/CD pipeline runs automated tests on every push. Recently, developers have been pushing commits that break the build. You need to enforce that all commits pass the tests before being pushed to the remote repository. Which Git hook should you implement on the client side?

A.pre-receive
B.pre-commit
C.post-commit
D.pre-push
AnswerD

Pre-push runs after commit but before push, ensuring tests pass before code leaves the local machine.

Why this answer

The pre-push hook (option D) runs after a `git push` command is issued but before the data is actually sent to the remote repository. This allows you to run tests locally and abort the push if they fail, enforcing that only commits that pass tests are pushed. It is the correct client-side hook for this requirement.

Exam trap

CompTIA often tests the distinction between client-side and server-side hooks, and the trap here is that candidates confuse pre-receive (server-side) with pre-push (client-side), thinking any hook that runs 'before receive' will block the push on the client.

How to eliminate wrong answers

Option A is wrong because pre-receive is a server-side hook that runs on the remote repository after the push is received, so it cannot prevent the push from being sent from the client. Option B is wrong because pre-commit runs before each commit is created, not before a push, so it cannot enforce that all commits in a push pass tests. Option C is wrong because post-commit runs after a commit is created and cannot abort the commit or push, making it useless for blocking broken commits from being pushed.

428
MCQeasy

A system administrator wants to ensure that the /tmp directory is mounted with noexec to prevent code execution from temporary files. Which file should be modified to persist this across reboots?

A./etc/mtab
B./etc/fstab
C./etc/sysconfig/network
D./etc/security/limits.conf
AnswerB

Used to define persistent mount options.

Why this answer

The /etc/fstab file is the system configuration file that defines how disk partitions, block devices, and remote filesystems are mounted at boot time. Adding the noexec mount option to the /tmp entry in /etc/fstab ensures that the /tmp directory is mounted with the noexec flag persistently across reboots, preventing execution of binaries from temporary files.

Exam trap

The trap here is that candidates may confuse /etc/mtab (a runtime snapshot) with /etc/fstab (the persistent configuration file), or think that modifying /etc/mtab will make changes permanent, when in fact it is overwritten on every mount event.

How to eliminate wrong answers

Option A is wrong because /etc/mtab is a dynamically generated file that lists currently mounted filesystems; modifying it does not persist mount options across reboots. Option C is wrong because /etc/sysconfig/network is used for network configuration (e.g., hostname, gateway) and has no role in filesystem mount options. Option D is wrong because /etc/security/limits.conf is used to set per-user resource limits (e.g., file size, number of processes) via PAM, not to control filesystem mount behavior.

429
MCQeasy

A user reports that a Linux workstation fails to boot and displays 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)'. Which of the following is the most likely cause?

A.A filesystem listed in /etc/fstab has errors.
B.A memory module is faulty.
C.The boot loader is missing or corrupted.
D.The root filesystem device is incorrectly specified in the kernel command line.
AnswerD

The error 'unable to mount root fs' often means the root= parameter points to a nonexistent or wrong device.

Why this answer

The error 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates that the kernel cannot locate the root filesystem device. The most likely cause is that the root filesystem device is incorrectly specified in the kernel command line (e.g., via a bootloader parameter like root=), preventing the kernel from finding the correct block device to mount as root.

Exam trap

The trap here is that candidates often confuse a boot loader issue (which prevents kernel loading) with a kernel command line misconfiguration (which allows the kernel to load but fail to mount root), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because filesystem errors in /etc/fstab would typically cause a failure during the mount of additional filesystems after the root is already mounted, not a kernel panic at boot before the root filesystem is accessed. Option B is wrong because a faulty memory module usually causes random crashes, kernel panics with memory-related errors, or system instability, not a specific VFS root mount failure with unknown-block(0,0). Option C is wrong because a missing or corrupted boot loader would prevent the kernel from being loaded at all, resulting in a blank screen or a 'boot device not found' error, not a kernel panic after the kernel has started executing.

430
MCQmedium

A system administrator needs to configure a daily backup that creates hard links to unchanged files to save space. Which tool and option combination is most appropriate?

A.dd if=/source of=/destination conv=sync
B.cp -al /source /destination
C.rsync -a --link-dest=/previous/backup /source /current/backup
D.tar --hard-link --create /source > /destination/backup.tar
AnswerC

rsync --link-dest creates hard links to files in the previous backup that have not changed, saving disk space.

Why this answer

Option C is correct: rsync with --link-dest creates hard links to unchanged files, enabling incremental backups. Option B copies with hard links but is not incremental. Option D does not handle incremental hard links.

Option A is for disk cloning.

431
MCQhard

A custom application service 'myapp.service' fails to start on a RHEL 8 system with the error: "Failed at step EXEC spawning /usr/local/bin/myapp: Permission denied". The service runs as user 'myapp'. The binary /usr/local/bin/myapp has permissions 755 and is owned by root:root. The user myapp is not in the sudoers. The administrator checks SELinux and finds the binary has the context 'unconfined_u:object_r:usr_t:s0'. The service unit file does not specify any SELinux context. What is the most likely cause of the failure?

A.The user myapp does not have read access to the binary.
B.The SELinux context of the binary is incorrect; it should be bin_t.
C.The binary is located in a directory that is not in the systemd safe path.
D.The binary is not executable by myapp due to file permissions.
AnswerB

The binary has usr_t context, which is not allowed for execution by the service; restoring to bin_t fixes it.

Why this answer

The error occurs because SELinux is enforcing and the binary has the type 'usr_t', which the service's domain (typically init_t or a custom domain) is not allowed to execute. The correct type for executables in /usr/local/bin is 'bin_t'. The fix is to restore the default SELinux context for binaries with `restorecon -v /usr/local/bin/myapp`, or to change the type to bin_t.

Option A is incorrect because the permissions allow execution. Option C is unlikely because /usr/local/bin is in the PATH. Option D is incorrect because the user has execute permission.

432
MCQhard

An administrator needs to audit all write operations to the /etc/shadow file. Which audit rule should be added to /etc/audit/rules.d/audit.rules?

A.-w /etc/shadow -k identity
B.-w /etc/shadow -p rwxa
C.-a always,exit -S open -F path=/etc/shadow
D.-w /etc/shadow -p wa
AnswerD

This watches /etc/shadow for write and attribute changes, which includes modifications.

Why this answer

Option D is correct because the audit rule `-w /etc/shadow -p wa` uses the `-w` (watch) flag to monitor the file for write (`w`) and attribute change (`a`) permissions, which captures all write operations to `/etc/shadow`. This is the standard syntax for auditing file writes in Linux auditd, and it directly meets the requirement to audit write operations without unnecessary syscall filtering.

Exam trap

The trap here is that candidates often confuse the `-p` permission flags with syscall-based rules, mistakenly choosing option C because they think `-S open` captures all writes, but they overlook that writes can occur via other syscalls (like `write`) and that `-w -p wa` is the correct, simpler approach for file-based auditing.

How to eliminate wrong answers

Option A is wrong because `-k identity` only adds a key label to the audit record but does not specify any permission filters (`-p`), so it would log all accesses (read, write, execute, attribute change) to `/etc/shadow`, not just write operations. Option B is wrong because `-p rwxa` monitors read (`r`), write (`w`), execute (`x`), and attribute change (`a`) — this is overly broad and would generate excessive audit records for reads and executes, not just writes. Option C is wrong because `-a always,exit -S open -F path=/etc/shadow` uses the `open` syscall, which captures file opens but not all write operations (e.g., writes via `write` syscall on an already open file descriptor would be missed); it also lacks the `-p wa` permission filter that directly targets write and attribute changes.

433
MCQeasy

Refer to the exhibit. After adding a firewall rule, the web server becomes unreachable from the internal network 192.168.1.0/24. Which line is the cause?

A.Default policy (INPUT ACCEPT)
B.Missing rule for RELATED traffic
C.Line: -A INPUT -p tcp --dport 80 -j DROP
D.Line: -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
AnswerC

This rule drops all HTTP traffic, including from 192.168.1.0/24, before an ACCEPT rule.

Why this answer

Option C is correct because the firewall rule `-A INPUT -p tcp --dport 80 -j DROP` explicitly drops all incoming TCP traffic destined for port 80, regardless of source. Since the web server listens on port 80, this rule blocks all HTTP requests, including those from the internal network 192.168.1.0/24. The rule is placed before any ACCEPT rule for the same port, so the DROP action takes precedence, making the server unreachable.

Exam trap

The trap here is that candidates may focus on the source IP restriction in option D and assume it is the cause, overlooking the fact that iptables processes rules in order and a preceding DROP rule for the same port will block all traffic, including from the allowed subnet.

How to eliminate wrong answers

Option A is wrong because the default policy of ACCEPT on the INPUT chain would allow traffic by default, but the explicit DROP rule for port 80 overrides that default, so the default policy is not the cause. Option B is wrong because RELATED traffic is associated with connection tracking (e.g., FTP data connections) and is not relevant to HTTP traffic on port 80; the issue is a direct DROP rule, not a missing RELATED rule. Option D is wrong because while it correctly allows traffic from 192.168.1.0/24 to port 80, it is placed after the DROP rule (line order matters in iptables), so the DROP rule is matched first and the ACCEPT rule is never evaluated.

434
MCQhard

An application is being denied access to a file due to SELinux. Which command can be used to temporarily set the SELinux context of the file to match the expected type for the application?

A.chcon -t httpd_sys_content_t /var/www/html/index.html
B.setenforce 0
C.restorecon -v /var/www/html/index.html
D.semanage fcontext -a -t httpd_sys_content_t /var/www/html
AnswerA

Changes SELinux context to the specified type.

Why this answer

Option A is correct because the `chcon` command is used to temporarily change the SELinux context of a file without modifying the SELinux policy. By specifying `-t httpd_sys_content_t`, the file's type is set to the expected type for Apache (httpd) to access it, resolving the denial immediately. This change is not persistent across file system relabeling, making it ideal for temporary troubleshooting.

Exam trap

The trap here is that candidates confuse `chcon` (temporary, immediate change) with `restorecon` (reverts to policy default) or `semanage fcontext` (persistent policy rule that requires an extra step to apply), leading them to pick an option that either disables SELinux or does not immediately fix the file context.

How to eliminate wrong answers

Option B is wrong because `setenforce 0` disables SELinux entirely (sets it to permissive mode), which is a drastic measure that bypasses all SELinux protections rather than fixing the specific file context issue. Option C is wrong because `restorecon -v` restores the file's SELinux context to the default policy-defined type, which would only help if the current context is incorrect and the default matches the expected type; it does not set a custom type like `httpd_sys_content_t`. Option D is wrong because `semanage fcontext -a -t httpd_sys_content_t /var/www/html` adds a persistent rule to the SELinux policy for the file, but it does not immediately apply the context to the file; a subsequent `restorecon` or `touch` is required to activate the change, so it is not a temporary fix.

435
MCQhard

An administrator configures Docker as shown in the exhibit. After starting a container, the warning about the 'user' directive appears. What is the most likely cause?

A.The storage driver overlay2 is not compatible with the systemd cgroup driver.
B.The cgroup driver configured in daemon.json does not match the actual driver in use.
C.The container is running with reduced privileges, and nginx cannot use the 'user' directive.
D.The log driver configuration is causing nginx to log warnings.
AnswerB

The daemon.json specifies systemd, but docker info shows cgroupfs, indicating a mismatch.

Why this answer

The warning about the 'user' directive indicates a mismatch between the cgroup driver configured in Docker's daemon.json and the cgroup driver actually in use by the system (e.g., systemd vs. cgroupfs). Docker expects the configured driver to match the system's init system; when they differ, Docker emits warnings because cgroup management may behave inconsistently, affecting resource limits and container isolation.

Exam trap

CompTIA often tests the subtle distinction between a configuration mismatch warning and an actual runtime failure, leading candidates to misinterpret the warning as a functional error in nginx or storage compatibility.

How to eliminate wrong answers

Option A is wrong because overlay2 is a storage driver and has no direct compatibility issue with the systemd cgroup driver; the warning is about cgroup driver mismatch, not storage. Option C is wrong because the 'user' directive in nginx is unrelated to container privilege reduction; the warning originates from Docker's cgroup driver check, not from nginx's runtime behavior. Option D is wrong because the log driver configuration does not cause warnings about the 'user' directive; log driver settings affect log output format and destination, not cgroup driver validation.

436
MCQhard

Refer to the exhibit. The development team is using Git to manage their project. A release candidate needs to include only the changes from the `feature/update` branch, but NOT the 'Add new module' commit. Which Git command sequence should be used to create a new release branch that contains only the feature branch?

A.git checkout feature/update && git rebase 1m2n3o4
B.git checkout -b release 1m2n3o4 && git cherry-pick 4d5e6f7 8f9g0h1
C.git checkout -b release master && git revert 2j3k4l5
D.git checkout -b release feature/update && git merge --no-ff master
AnswerB

Starting from the initial commit, cherry-picking the two feature branch commits includes only those changes, excluding 'Add new module'.

Why this answer

Option B is correct because it creates a new release branch starting from the commit before the 'Add new module' commit (1m2n3o4), then cherry-picks only the two commits from the `feature/update` branch (4d5e6f7 and 8f9g0h1) that represent the desired changes. This ensures the release branch contains exactly the feature branch changes without including the unwanted 'Add new module' commit.

Exam trap

The trap here is that candidates may think `git revert` removes a commit from history, when in fact it only creates a new inverse commit, leaving the original commit present in the branch's history.

How to eliminate wrong answers

Option A is wrong because `git rebase 1m2n3o4` while on `feature/update` would replay the feature branch commits onto commit 1m2n3o4, but this would still include the 'Add new module' commit if it is part of the feature branch history, and does not create a new release branch. Option C is wrong because `git revert 2j3k4l5` would create a new commit that undoes the 'Add new module' commit, but the release branch would still contain that commit in its history, which violates the requirement to not include it at all. Option D is wrong because merging `master` into a branch based on `feature/update` would bring in all commits from master, including the 'Add new module' commit, which is explicitly unwanted.

437
Multi-Selecthard

A security audit identified that the /tmp directory is world-writable. Which THREE steps should be taken to secure /tmp on a Linux system? (Select THREE.)

Select 3 answers
A.Set the sticky bit on /tmp
B.Remove world-writable permission from /tmp
C.Mount /tmp with the nosuid option
D.Mount /tmp with the noexec option
E.Mount /tmp with the exec option
AnswersA, C, D

Prevents users from deleting others' files.

Why this answer

Option A is correct because setting the sticky bit on /tmp prevents users from deleting or renaming files owned by other users, even though the directory is world-writable. This is a standard security hardening measure for shared temporary directories.

Exam trap

The trap here is that candidates may think removing world-writable permissions is the correct fix, but that would break system functionality; instead, the sticky bit and mount options are the proper hardening steps without breaking compatibility.

438
MCQeasy

A Linux administrator notices that the system clock is consistently 5 minutes behind the actual time. The administrator runs 'timedatectl' and sees 'NTP service: active'. Which of the following commands should be used to force an immediate time synchronization?

A.systemctl restart ntp
B.ntpdate -s time.google.com
C.systemctl restart chronyd
D.timedatectl set-ntp false && chronyd -q && timedatectl set-ntp true
AnswerD

Disabling NTP, forcing a one-time sync with chronyd -q, then re-enabling NTP is the correct procedure.

Why this answer

Option D is correct because it first disables NTP to stop the automatic synchronization, then runs chronyd in one-shot query mode (-q) to force an immediate sync with the configured NTP servers, and finally re-enables NTP to resume normal service. This approach works with chronyd, which is the default NTP implementation on modern RHEL/CentOS 8+ and many other distributions, and directly addresses the need for an immediate synchronization without waiting for the periodic polling interval.

Exam trap

The trap here is that candidates assume 'systemctl restart chronyd' (Option C) will immediately sync the clock, but it only restarts the daemon without forcing a poll, so the 5-minute lag remains until the next scheduled update; CompTIA often tests the distinction between restarting a service and triggering an immediate action.

How to eliminate wrong answers

Option A is wrong because 'systemctl restart ntp' targets the legacy 'ntpd' service, which is not the active NTP service when chronyd is in use; the output shows 'NTP service: active' but does not specify the daemon, and on modern systems chronyd is the default, so restarting ntpd would have no effect or could conflict. Option B is wrong because 'ntpdate' is deprecated and often not installed by default; it also bypasses the running NTP service and can cause clock stepping that may disrupt applications, and it does not integrate with the active chronyd or ntpd configuration. Option C is wrong because 'systemctl restart chronyd' restarts the daemon but does not force an immediate synchronization; chronyd will still wait for its next scheduled poll (typically 64–1024 seconds), so the 5-minute lag would persist until the next automatic update.

439
Multi-Selecthard

Which THREE tools are commonly used for configuration management?

Select 3 answers
A.Chef
B.Ansible
C.Puppet
D.Kubernetes
E.Docker
AnswersA, B, C

Chef is a configuration management tool.

Why this answer

Chef is a configuration management tool that uses a Ruby-based DSL to define system configurations as 'recipes' and 'cookbooks'. It follows a pull-based model where nodes run the Chef client to fetch and apply configurations from a Chef server, ensuring desired state compliance across infrastructure.

Exam trap

CompTIA often tests the distinction between configuration management (Chef, Ansible, Puppet) and container/orchestration tools (Docker, Kubernetes), leading candidates to mistakenly select Kubernetes or Docker as configuration management tools.

440
MCQhard

A technician runs the command `sudo lvdisplay /dev/vg_root/lv_root` and sees the output in the exhibit. The server fails to mount the root filesystem during boot. Which of the following should the technician do first?

A.Run `fsck /dev/vg_root/lv_root` to check the filesystem.
B.Run `lvchange -ay /dev/vg_root/lv_root` to activate the logical volume.
C.Run `vgchange -ay` to activate the volume group.
D.Run `mount /dev/vg_root/lv_root /mnt` to mount the volume.
AnswerB

Correct: The LV status is 'NOT available'; this command activates it for use.

Why this answer

The `lvdisplay` output shows the logical volume is present but its 'LV Status' is likely 'NOT available' (not shown in the exhibit but implied by the boot failure). The root filesystem cannot mount because the logical volume is inactive. The first corrective step is to activate it with `lvchange -ay /dev/vg_root/lv_root`, which makes the LV accessible to the kernel for mounting.

Exam trap

The trap here is that candidates assume a filesystem check (fsck) is always the first step for a mount failure, but LVM-specific issues like an inactive logical volume must be resolved before any filesystem-level operations can succeed.

How to eliminate wrong answers

Option A is wrong because running `fsck` on an inactive logical volume will fail or cause corruption; the filesystem must be active and accessible before checking. Option C is wrong because `vgchange -ay` activates all volume groups, which is unnecessary and could interfere with other LVM states; the issue is isolated to a single LV, so targeting it with `lvchange` is more precise. Option D is wrong because `mount` will fail if the logical volume is inactive; the LV must be activated first before any mount attempt.

441
MCQeasy

After writing a script, the administrator cannot execute it with './script.sh'. The permissions are '-rw-rw-r--'. Which command makes the script executable?

A.chmod u+x script.sh
B.chmod +x script.sh
C.chmod g-x script.sh
D.chmod a+rwx script.sh
AnswerA

Adds execute for the owner.

Why this answer

Option A is correct because the current permissions (`-rw-rw-r--`) show that the owner lacks execute permission. The command `chmod u+x script.sh` adds execute permission for the user (owner) only, which is the minimal and most secure way to make the script executable by the administrator who owns it. This directly addresses the requirement without granting unnecessary permissions to the group or others.

Exam trap

CompTIA often tests the distinction between `chmod +x` (which adds execute for all) and `chmod u+x` (which adds execute only for the owner), expecting candidates to recognize that the minimal permission change is the correct answer.

How to eliminate wrong answers

Option B is wrong because `chmod +x script.sh` adds execute permission for all three categories (user, group, others) by default when no target is specified, which is overly permissive and violates the principle of least privilege. Option C is wrong because `chmod g-x script.sh` removes execute permission from the group, which does not help make the script executable; it actually reduces permissions. Option D is wrong because `chmod a+rwx script.sh` grants read, write, and execute permissions to all users (user, group, others), which is excessively permissive and unnecessary for the administrator's goal.

442
Drag & Dropmedium

Drag and drop the steps to configure SELinux to allow a custom web application to listen on port 8080 in the correct order.

Why this order

SELinux requires adding the port to the appropriate context before the service can listen.

443
MCQmedium

A user reports that the /data directory is inaccessible. The Linux administrator runs the commands shown in the exhibit. Which of the following is the most likely cause of the issue?

A.The user does not have read permissions on /data.
B.The filesystem is full and has become corrupted.
C.The device /dev/sdb1 is not present.
D.The filesystem is mounted as read-only.
AnswerB

100% usage can lead to corruption; the I/O error indicates filesystem issues.

Why this answer

The 'Input/output error' when accessing /data, combined with the 'Structure needs cleaning' message from dmesg, indicates filesystem corruption on /dev/sdb1. This is a classic symptom of a full filesystem that has become corrupted, not a simple permission or mount issue. The administrator's inability to read or write to the directory, despite the mount appearing normal, points to underlying filesystem damage.

Exam trap

The trap here is that candidates see 'Input/output error' and assume a hardware failure or missing device, but the combination of the mount showing the device as present and the dmesg message pointing to filesystem corruption is the key diagnostic clue.

How to eliminate wrong answers

Option A is wrong because the error message is 'Input/output error', not 'Permission denied', and the user's lack of read permissions would produce a different error. Option C is wrong because the mount command shows /dev/sdb1 is present and mounted on /data, so the device exists. Option D is wrong because the mount output shows 'rw' (read-write) in the mount options, and a read-only mount would produce a 'Read-only file system' error, not an I/O error.

444
MCQhard

A senior administrator is troubleshooting a shell script that fails to execute properly. The script starts with #!/bin/bash and has execute permissions. Which of the following could cause the script to fail to run when invoked as ./script.sh?

A.The shebang line is not on the first line.
B.The script contains carriage return characters (\r).
C.The script uses #!/bin/sh instead of bash.
D.The script starts with a byte order mark (BOM).
AnswerB

Can cause 'No such file or directory'.

Why this answer

Option B is correct because carriage return characters (\r) are a common issue when scripts are edited on Windows and then transferred to Linux. The shebang line #!/bin/bash expects a Unix-style line ending (LF), but \r characters cause the shell to interpret the command interpreter as '/bin/bash\r', which is not a valid executable path. This results in a 'No such file or directory' error when the script is invoked as ./script.sh, even though permissions are correct.

Exam trap

The trap here is that candidates may pick Option A (the shebang line not being on the first line), but CompTIA tests the subtle Windows line-ending problem (\r) that makes the interpreter path invalid, a common real-world pitfall when scripts are edited in Windows environments and transferred to Linux.

How to eliminate wrong answers

Option A is wrong because, although the shebang line must be on the first line of the script to take effect, a script without it will still execute; it is simply interpreted by the default shell (usually /bin/sh) rather than bash, which may cause different behavior but not necessarily a failure to run. Option C is wrong because using #!/bin/sh instead of #!/bin/bash does not cause the script to fail to run; it invokes the system's default Bourne shell, which may lack some bash-specific features but will still execute the script if it is compatible. Option D is wrong because a byte order mark (BOM) at the start of the script is a Unicode encoding artifact that can cause the shebang line to be misinterpreted and typically results in a 'bad interpreter' error similar to the \r case; however, it is less common than carriage return issues, and the question specifically tests the more frequent Windows-to-Linux line-ending problem.
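To make the failure mode concrete, here is an added shell example (not part of the question bank) that builds a constructed script with CRLF line endings, shows the interpreter path as the kernel reads it, detects the stray CR on the shebang line, and strips it in place without losing the execute bit.

```shell
#!/bin/sh
# Added example, not taken from the question bank: reproduce the
# "/bin/bash\r" interpreter problem on a constructed script, detect it,
# and repair it without losing the file's execute bit.

# Build a constructed sample script whose lines end in CRLF, as if it
# had been saved by a Windows editor. Prints the path of the temp file.
make_crlf_script() {
    f=$(mktemp) || return 1
    printf '#!/bin/bash\r\necho hello\r\n' > "$f"
    chmod u+x "$f"
    printf '%s' "$f"
}

# Print the interpreter path exactly as the kernel sees it: everything
# after "#!" on the first line, with control characters made visible.
show_interpreter() {
    head -n 1 "$1" | sed 's/^#!//' | od -An -c | tr -s ' '
}

# Return 0 when the first line still carries a trailing CR, 1 otherwise.
# Deleting every CR from the line changes it only if a CR was present.
shebang_has_cr() {
    line=$(head -n 1 "$1")
    [ "$line" != "$(printf '%s' "$line" | tr -d '\r')" ]
}

# Remove every CR in place. Writing through "cat > file" rewrites the
# contents but keeps the same inode, so ownership and mode (including
# the execute bit) are preserved, unlike replacing the file with "mv".
strip_cr() {
    tmp=$(mktemp) || return 1
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Walk-through on the constructed sample.
demo() {
    script=$(make_crlf_script) || return 1
    echo "Interpreter before fix:"; show_interpreter "$script"
    shebang_has_cr "$script" && echo "CR detected on shebang line"
    strip_cr "$script"
    echo "Interpreter after fix:"; show_interpreter "$script"
    shebang_has_cr "$script" || echo "shebang line is clean"
    rm -f "$script"
}

demo
```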

445
Multi-Selecthard

Which THREE steps should be taken when diagnosing a network connectivity issue where a host cannot reach the internet but can ping the local gateway? (Select three.)

Select 3 answers
A.Examine the routing table with route -n
B.Review firewall rules with iptables -L
C.Check ARP cache for the gateway
D.Run traceroute to a known external IP
E.Check DNS resolution with nslookup
AnswersA, B, E

Check default route configuration.

Why this answer

Option A is correct because the `route -n` command displays the kernel routing table without resolving hostnames, allowing you to verify whether a default gateway route (0.0.0.0/0) exists. If the host can ping the local gateway but not the internet, a missing or incorrect default route is a common cause, as traffic to external networks would have no path along which to be forwarded.

Exam trap

The trap here is that candidates assume a successful ping to the gateway proves Layer 3 routing is fully functional, but they overlook that the host may lack a default route, which is a distinct routing table entry separate from gateway reachability.

446
MCQmedium

A system administrator is troubleshooting a service that fails to start with the error 'Unit failed to load: Invalid argument'. The service file is located in /etc/systemd/system. What is the most likely cause?

A.The service binary is missing
B.The service file has a syntax error
C.The service requires a dependency that is not installed
D.The service is masked
AnswerB

Syntax errors in the unit file cause 'Invalid argument' error.

Why this answer

The error 'Unit failed to load: Invalid argument' in systemd indicates that the unit file parser encountered a directive or value it could not interpret. This is most commonly caused by a syntax error in the service file, such as a misspelled key, an invalid setting, or a malformed line. Systemd validates the file structure against its grammar; any deviation triggers this specific error.

Exam trap

The trap here is that candidates often confuse runtime errors (like missing binaries or dependencies) with parsing errors, but the specific 'Invalid argument' message points directly to a syntax or configuration issue within the unit file itself.

How to eliminate wrong answers

Option A is wrong because a missing service binary would cause a different error, such as 'Exec format error' or 'Unit not found' when trying to execute the binary, not a parsing failure. Option C is wrong because a missing dependency typically results in 'dependency failed' or 'unit not found' errors, not an 'Invalid argument' syntax error. Option D is wrong because a masked service produces 'Unit is masked' or 'Failed to start unit: Unit is masked' errors, not a syntax-level parsing failure.

447
Multi-Selecthard

Which TWO commands are used to manage SSH key-based authentication processes? (Choose exactly two.)

Select 2 answers
A.ssh-keygen
B.ssh-add
C.ssh-copy-id
D.ssh-keyscan
E.ssh-agent
AnswersA, C

Generates public/private key pairs for SSH.

Why this answer

The `ssh-keygen` command generates the public and private key pair used for SSH key-based authentication, while `ssh-copy-id` installs the public key on a remote server's `~/.ssh/authorized_keys` file, enabling passwordless login. Together, they form the core workflow for setting up SSH key authentication.

Exam trap

CompTIA often tests the distinction between key generation/distribution commands (`ssh-keygen`, `ssh-copy-id`) and agent management commands (`ssh-agent`, `ssh-add`), leading candidates to mistakenly select agent-related options for managing authentication processes.

448
MCQeasy

An administrator runs the command `ls -l /data/file.txt` and sees the output: `-rw-r-----+ 1 root project 1024 Mar 15 10:00 file.txt`. The administrator wants to view the current ACL entries on this file. Which command should be used?

A.getfacl /data/file.txt
B.chacl /data/file.txt
C.lsacl /data/file.txt
D.aclshow /data/file.txt
AnswerA

Correct command to view ACL entries.

Why this answer

The getfacl command is used to display the ACL entries of a file or directory. Option A is correct. The other commands do not exist or are not standard (lsacl, chacl, aclshow).

449
MCQmedium

A system administrator is configuring centralized logging for a cluster of web servers. Each web server runs rsyslog and needs to forward its Apache access logs to a central log server at 192.168.1.100 over UDP port 514. The administrator adds the following line to /etc/rsyslog.conf on each web server: '*.* @192.168.1.100:514'. After restarting rsyslog, no logs appear on the central server. The administrator checks the network connectivity and finds that the central server is reachable and listening on UDP 514. Which additional configuration is most likely required on the web servers to forward the Apache logs?

A.Enable the 'imuxsock' module in rsyslog to listen on a Unix socket for Apache logs.
B.Create a configuration file in /etc/rsyslog.d/ with a more specific filter for Apache logs.
C.Configure Apache to send access logs to syslog using the 'syslog' facility in the LogFormat directive.
D.Change the forwarding protocol from UDP to TCP in both the sender and receiver.
AnswerC

By default Apache writes to files; to forward via syslog, it must use the syslog output.

Why this answer

The wildcard '*.*' forwards all logs, including Apache logs if they are sent to syslog. However, rsyslog by default only reads from its own sources; if Apache logs are written directly to a file and not via syslog, they won't be forwarded. The Apache module 'mod_log_config' can be configured to send logs to syslog using the 'syslog' facility.

Option C is correct. Option A enables a Unix-socket input but does not address Apache logs, and Option B adds modular configuration but does not address Apache either.

Option D (UDP vs TCP) might matter but the problem states UDP is used and listening.

450
MCQeasy

A user reports that their system fails to boot and displays a 'GRUB' prompt. Which command should be run first to attempt to load the operating system manually?

A.rescue
B.reboot
C.boot
D.exit
AnswerC

'boot' at the GRUB prompt loads the selected kernel.

Why this answer

When the system boots to a GRUB prompt, it means the bootloader has loaded but cannot find or automatically load the operating system. The `boot` command at the GRUB prompt instructs GRUB to attempt to boot the currently configured kernel and initramfs, which is the correct first step to manually load the OS.

Exam trap

The trap here is that candidates confuse the GRUB prompt with a system rescue shell and try to use system-level commands like `reboot` or `exit`, not realizing that GRUB has its own command set where `boot` is the correct action to load the OS.

How to eliminate wrong answers

Option A is wrong because `rescue` is not a valid GRUB command; it is a mode in systemd or anaconda, not used at the GRUB prompt. Option B is wrong because `reboot` is a system command, not a GRUB command; at the GRUB prompt, you would use `reboot` only after exiting GRUB or from the OS shell. Option D is wrong because `exit` in GRUB returns to the previous menu or the BIOS/UEFI boot selection, but does not attempt to load the operating system.
