CompTIA Linux+ XK0-005 (XK0-005) — Questions 451–510

510 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
MCQ · medium

A systems administrator creates a bash script that processes log files. The script uses a for loop to iterate over files in /var/log and runs a command on each. Which of the following would prevent the script from failing if no files match the pattern?

A. set -u
B. set -e
C. shopt -s failglob
D. shopt -s nullglob
Answer: D

Expands to nothing, preventing failure.

Why this answer

Option D is correct because `shopt -s nullglob` causes the shell to expand a glob pattern that matches no files to nothing (no words at all) rather than leaving the pattern literal. Without this setting, if no files match the pattern in `/var/log`, the for loop receives the literal pattern string (e.g., `*.log`) and attempts to process it as a filename, which would cause the command to fail or produce unexpected results. Enabling nullglob ensures the loop body simply does not execute when no matches exist, preventing script failure.

Exam trap

The trap here is that candidates often confuse `nullglob` with `failglob` or assume that `set -e` or `set -u` can handle glob failures, when in fact only `nullglob` prevents the literal pattern string from being passed as an argument, thereby avoiding a command failure.

How to eliminate wrong answers

Option A is wrong because `set -u` treats unset variables as an error and causes the script to exit when referencing an undefined variable, but it does not affect how glob patterns are expanded when no files match. Option B is wrong because `set -e` causes the script to exit immediately if any command returns a non-zero exit status, but it does not change the behavior of glob expansion; a failed glob pattern would still be passed as a literal string, potentially causing a command failure that `set -e` would then propagate. Option C is wrong because `shopt -s failglob` causes the shell to print an error and exit if a glob pattern matches no files, which is the opposite of preventing script failure — it would actively cause the script to fail.

452
Drag & Drop · medium

Drag and drop the steps to add a new user to the system in the correct order.

Why this order

Adding a user typically involves creating the user, setting a password, and configuring the home directory.

453
MCQ · easy

Which command will run a container in detached mode with the name 'web' and map host port 8080 to container port 80, using the nginx image?

A. docker run -d --name web -p 8080:80 nginx
B. docker exec -d --name web -p 8080:80 nginx
C. docker start -d --name web -p 8080:80 nginx
D. docker run -it --name web -p 8080:80 nginx
Answer: A

Correct. This runs the nginx container in detached mode with the specified name and port mapping.

Why this answer

Option A is correct because `docker run` creates and starts a new container. The `-d` flag runs it in detached mode (background), `--name web` assigns the name 'web', `-p 8080:80` maps host port 8080 to container port 80, and `nginx` specifies the image to use. This is the standard syntax for deploying a container with port mapping and a custom name.

Exam trap

CompTIA often tests the distinction between `docker run` (create + start) and `docker start` (start existing container), and the requirement for `-d` versus `-it` to achieve detached mode, causing candidates to confuse the subcommands or flags.

How to eliminate wrong answers

Option B is wrong because `docker exec` is used to run a command inside an existing container, not to create or start a new container; it does not accept `-d` for detached mode in the same way, and `-p` is not a valid flag for `docker exec`. Option C is wrong because `docker start` is used to start an existing stopped container, not to create a new one; it does not accept `-p` for port mapping, and the `nginx` argument would be interpreted as a container name, not an image. Option D is wrong because `-it` runs the container in interactive mode with a TTY, not detached mode; the question specifically requires detached mode (`-d`).

454
Multi-Select · medium

A technician is configuring a system to automatically mount an NFS share at boot. Which two files must be edited or created? (Choose two.)

Select 2 answers
A. /etc/auto.master
B. /etc/exports
C. /etc/nfs.conf
D. /etc/nfsmount.conf
E. /etc/fstab
Answers: D, E

nfsmount.conf sets default NFS mount options.

Why this answer

Option D is correct because `/etc/nfsmount.conf` is the NFS configuration file that can be used to set default mount options for NFS shares, such as protocol version, read/write size, and timeouts. Option E is correct because `/etc/fstab` is the standard file system table that defines how block devices, remote filesystems, and swap partitions are mounted at boot, including NFS shares with the `nfs` or `nfs4` filesystem type.

Exam trap

The trap here is that candidates confuse the client-side NFS mount configuration file (`/etc/nfsmount.conf`) with the server-side configuration file (`/etc/nfs.conf`), or mistakenly think the automounter's `/etc/auto.master` is used for persistent boot-time mounts.

455
MCQ · hard

Refer to the exhibit. The administrator receives an email that a cron job failed. What is the most likely cause?

A. The script is not executable.
B. The script is missing a shebang line.
C. The cron daemon is not running.
D. The script has an unmatched if statement.
Answer: D

Correct: The error 'syntax error near unexpected token `fi'' suggests an if statement without a matching fi.

Why this answer

The cron job failed because the script contains an unmatched if statement, which causes a syntax error when the shell interprets the script. Cron jobs execute scripts in a non-interactive shell, and any syntax error will cause the script to exit with a non-zero status, triggering the failure email. The unmatched if statement prevents the script from completing execution, leading to the reported failure.

Exam trap

CompTIA often tests the distinction between script execution failures due to syntax errors versus permission or environment issues, and the trap here is that candidates may incorrectly attribute the failure to a missing shebang line or non-executable script, overlooking the specific syntax error message shown in the exhibit.

How to eliminate wrong answers

Option A is wrong because if the script were not executable, the cron job would fail with a 'Permission denied' error, but the cron daemon would still attempt to run it and send a failure notification; however, the exhibit shows a syntax error, not a permission issue. Option B is wrong because while a missing shebang line can cause the script to be interpreted by the default shell (often /bin/sh), which might still work, it would not directly cause an unmatched if statement error; the exhibit explicitly shows an 'unexpected end of file' error due to missing 'fi'. Option C is wrong because if the cron daemon were not running, no cron jobs would execute at all, and the administrator would not receive a failure email for a specific job; the email indicates the daemon is active and attempted the job.

456
MCQ · easy

A team uses Ansible for configuration management. A playbook fails with the error 'ERROR! Syntax Error while loading YAML script'. Which of the following is the most likely cause?

A. Missing SSH key
B. Incorrect indentation in the YAML file
C. Invalid module name
D. Playbook not executable
Answer: B

YAML syntax errors are most commonly due to indentation mistakes.

Why this answer

The error 'Syntax Error while loading YAML script' indicates that Ansible's YAML parser encountered a structural problem in the playbook file. The most common cause in YAML is incorrect indentation, because YAML relies on consistent spacing (typically 2 spaces per level) to define the hierarchy of tasks, plays, and variables. A missing SSH key would produce a connection or authentication error, not a YAML syntax error.

Exam trap

The trap here is that candidates may confuse a YAML parsing error with a runtime execution error, such as an SSH key issue or an invalid module, because they all prevent the playbook from running successfully.

How to eliminate wrong answers

Option A is wrong because a missing SSH key causes an authentication failure (e.g., 'Permission denied (publickey)') during the connection phase, not a YAML syntax error during parsing. Option C is wrong because an invalid module name results in a module-specific error (e.g., 'ERROR! couldn't resolve module/action'), not a YAML syntax error. Option D is wrong because playbooks are not executed as standalone scripts; Ansible runs them via the `ansible-playbook` command, so the executable bit is irrelevant — the error would be a 'Permission denied' if the file were executed directly, not a YAML syntax error.

457
MCQ · medium

A security policy requires that user passwords must expire every 90 days. Which command can enforce this policy for user 'jsmith'?

A. usermod -e 90 jsmith
B. chage -M 90 jsmith
C. passwd -x 90 jsmith
D. chfn -f 90 jsmith
Answer: B

Sets the maximum password age to 90 days.

Why this answer

The `chage -M 90 jsmith` command sets the maximum number of days a password is valid for user 'jsmith' to 90, which enforces the 90-day expiration policy. The `-M` option directly modifies the `PASS_MAX_DAYS` field in `/etc/shadow`, and `chage` is the standard tool for managing password aging on Linux systems.

Exam trap

The trap here is that candidates confuse `usermod -e` (account expiry) with `chage -M` (password expiry), or assume `passwd -x` works without the correct syntax, leading them to pick a command that either targets the wrong attribute or has an invalid option order.

How to eliminate wrong answers

Option A is wrong because `usermod -e` sets the account expiration date (in YYYY-MM-DD format), not the password aging interval; `-e 90` would be interpreted as a date offset from epoch, not a day count. Option C is wrong because `passwd -x 90` is not a valid syntax; the `passwd` command uses `-x` to set maximum password days, but it requires the username immediately after the option (e.g., `passwd -x 90 jsmith`), and even then it is less commonly used than `chage` for policy enforcement. Option D is wrong because `chfn -f 90` changes the user's full name (GECOS field), not password expiration; `-f` expects a string, not a numeric day value.

458
MCQ · easy

A service fails to start and journalctl shows 'Permission denied'. What should the administrator check first?

A. Package integrity
B. DNS resolution
C. Firewall rules
D. SELinux contexts and file permissions
Answer: D

SELinux contexts are a common cause of permission denied errors for services.

Why this answer

The 'Permission denied' error in journalctl for a service failure typically indicates that the service process lacks the necessary permissions to access a file, directory, or resource. SELinux contexts and file permissions are the most common causes, as SELinux enforces mandatory access controls (MAC) that can block access even when standard Unix permissions are correct. Checking these first aligns with the troubleshooting principle of verifying access controls before other layers like network or package integrity.

Exam trap

The trap here is that candidates often jump to firewall rules or package integrity because they associate 'Permission denied' with network or installation issues, but the XK0-005 exam specifically tests SELinux and file permission troubleshooting for service startup failures.

How to eliminate wrong answers

Option A is wrong because package integrity issues (e.g., corrupted RPM database or missing files) would typically produce errors like 'File not found' or checksum mismatches, not 'Permission denied'. Option B is wrong because DNS resolution failures cause 'Name or service not known' or timeout errors, not permission-related denials. Option C is wrong because firewall rules block network traffic at the packet level, producing 'Connection refused' or 'No route to host' errors, not 'Permission denied' which is a local filesystem or security context issue.

459
MCQ · hard

A system administrator is tuning a server for a high-performance computing workload and needs to disable NUMA (Non-Uniform Memory Access) at boot to improve memory access latency. Which kernel boot parameter should be added to the GRUB_CMDLINE_LINUX line in /etc/default/grub?

A. maxcpus=1
B. numa=off
C. acpi=off
D. noapic
Answer: B

This parameter disables NUMA support in the kernel.

Why this answer

Option B is correct because `numa=off` is the standard kernel parameter to disable NUMA. Of the other options, `acpi=off` (C) disables ACPI, `noapic` (D) disables the APIC, and `maxcpus=1` (A) sets the system to use only one CPU core.

460
MCQ · easy

A user is unable to create new files in a directory. Which command can the administrator use to view the Access Control Lists (ACLs) associated with that directory?

A. getfacl
B. ls -l
C. setfacl
D. chmod
Answer: A

getfacl retrieves ACL entries.

Why this answer

getfacl displays ACLs. ls -l shows standard permissions, setfacl sets ACLs, chmod changes permissions. Only getfacl shows ACLs.

461
Multi-Select · medium

A Linux administrator is configuring secure remote access to a server. Which three of the following are recommended best practices for securing SSH? (Choose three.)

Select 3 answers
A. Enable public key authentication.
B. Use password authentication only.
C. Disable root login via SSH.
D. Change the default SSH port to a non-standard port.
E. Allow only specific users or groups.
Answers: A, C, E

Key-based authentication is more secure than passwords.

Why this answer

Disabling root login (PermitRootLogin no), using public key authentication (PubkeyAuthentication yes), and restricting allowed users/groups (AllowUsers or AllowGroups) are common best practices. Changing the default port (Port 2222) is optional and considered security through obscurity, not a true security measure. Password authentication is less secure than key-based.

462
MCQ · medium

A DevOps engineer is writing a unit file for a systemd service that should start after the network-online.target. Which directive should be added to the [Unit] section?

A. Requires=network-online.target
B. Wants=network-online.target
C. BindsTo=network-online.target
D. After=network-online.target
Answer: D

Correct. The After directive ensures the service starts after the specified target is reached.

Why this answer

The 'After=' directive in the [Unit] section of a systemd unit file specifies the ordering relationship, ensuring that the current service starts only after the named unit (network-online.target) has reached the 'active' state. This is the correct directive for controlling startup order without creating a dependency that would force the target to start if it is not already enabled.

Exam trap

The trap here is that candidates confuse ordering directives ('After=', 'Before=') with dependency directives ('Requires=', 'Wants=', 'BindsTo='), assuming that 'Requires=' or 'Wants=' also imply ordering, which they do not without an explicit 'After='.

How to eliminate wrong answers

Option A is wrong because 'Requires=' creates a hard dependency that will cause the service to fail if network-online.target is not started, but it does not enforce ordering; the service could start before the target unless 'After=' is also used. Option B is wrong because 'Wants=' creates a soft dependency that attempts to start network-online.target but does not enforce ordering; the service may start before the target completes. Option C is wrong because 'BindsTo=' creates a stronger dependency than 'Requires=' where the service will stop if network-online.target stops, and it also does not imply ordering; it is used for tightly coupled services, not for simple startup sequencing.

463
MCQ · hard

A user reports that their home directory is missing after a system reboot. The /home partition is listed in /etc/fstab with an incorrect UUID. What is the most likely outcome?

A. The system will boot normally and mount /home using the device name
B. The system will prompt the user to enter the correct UUID
C. The system will boot but fail to mount /home
D. The system will fail to boot entirely
Answer: D

Incorrect root UUID would cause boot failure; for /home, boot continues.

Why this answer

When /etc/fstab contains an incorrect UUID for the /home partition, the systemd-based boot process (or traditional init) will attempt to mount the partition using that UUID. If the UUID does not match any block device, the mount fails. Because /home is not listed with the 'nofail' option in fstab, the boot process treats this as a critical failure and drops into an emergency shell or fails to complete boot, preventing normal login.

Option D is correct because an incorrect UUID for a required filesystem causes a boot failure, not a partial mount or a prompt.

Exam trap

CompTIA often tests the misconception that a missing or incorrect UUID only affects the specific mount point, leading candidates to choose 'boot but fail to mount /home' (Option C), when in fact the default behavior is to halt the boot process entirely for required filesystems.

How to eliminate wrong answers

Option A is wrong because the system does not fall back to mounting by device name; fstab entries with UUID= take precedence, and if the UUID is invalid, the mount fails outright. Option B is wrong because Linux does not prompt for a UUID during boot; the boot process either succeeds or fails based on fstab, with no interactive correction mechanism. Option C is wrong because while the system may boot partially, the missing /home mount is considered a critical failure (unless 'nofail' is set), causing the boot to halt or drop to emergency mode, not simply continue without mounting.

464
MCQ · easy

A bash script uses a for loop to iterate over files in a directory. Which of the following correctly assigns each filename to the variable FILE?

A. for FILE in $(ls *.txt); do
B. for FILE in *.txt; do
C. for FILE in 'ls *.txt'; do
D. for FILE = *.txt; do
Answer: B

Uses glob expansion correctly, handling all filenames safely.

Why this answer

Option B is correct because the shell expands the wildcard pattern `*.txt` into a list of matching filenames before the `for` loop executes, and each filename is assigned to the variable `FILE` in turn. This approach is safe and efficient because it avoids parsing the output of `ls`, which can break with filenames containing spaces or special characters.

Exam trap

The trap here is that candidates often choose `$(ls *.txt)` (Option A) because they think they need to explicitly list files with `ls`, not realizing that the shell's built-in globbing is safer and more efficient, and that `ls` output parsing is fragile.

How to eliminate wrong answers

Option A is wrong because `$(ls *.txt)` uses command substitution to run `ls`, which parses its output and can break on filenames with spaces, newlines, or glob characters; it also forks an unnecessary subshell. Option C is wrong because `'ls *.txt'` is a literal string (single quotes prevent expansion), so the loop would iterate over the single string `ls *.txt` instead of actual filenames. Option D is wrong because the syntax `for FILE = *.txt` uses an equals sign instead of the required `in` keyword, which is a syntax error in bash.

465
MCQ · hard

A company is implementing a security policy that requires all files created in a shared directory /data to be owned by the group 'engineers' and have group read/write permissions, regardless of the user's umask. Which approach should be used?

A. Set the setgid bit only on /data
B. Set the sticky bit on /data
C. Configure ACL default permissions only on /data
D. Set the setgid bit and configure ACL default permissions on /data
Answer: D

Setgid forces group inheritance, and ACL defaults set the desired permissions on new files.

Why this answer

Option D is correct because setting the setgid bit ensures new files inherit the group, and configuring ACL default entries sets the default permissions for new files. A is for deletion prevention, B alone doesn't set files' group, C alone doesn't set group inheritance.

466
MCQ · easy

A Linux server with the IP address 192.168.1.100 is unable to communicate with other hosts on the same subnet 192.168.1.0/24. The administrator can ping the loopback address, but pinging 192.168.1.1 (the default gateway) fails. The output of `ip a` shows the eth0 interface has the correct IP and netmask. Which troubleshooting step should be performed next?

A. Check the ARP cache with arp -a.
B. Replace the network cable.
C. Restart the network service.
D. Check the routing table with ip route.
Answer: D

The routing table will show if a default gateway is configured; missing gateway causes failure to reach local gateway.

Why this answer

Since the server has the correct IP and netmask on eth0 but cannot ping the default gateway (192.168.1.1), the issue likely lies in the routing configuration. The `ip route` command displays the kernel routing table, including the default gateway entry; if the default route is missing or incorrect, traffic cannot reach the gateway. Checking the routing table is the logical next step before assuming physical or ARP-level problems.

Exam trap

CompTIA often tests the misconception that a correct IP and netmask guarantee connectivity, leading candidates to jump to ARP or physical-layer checks, when the real issue is a missing or incorrect default route in the routing table.

How to eliminate wrong answers

Option A is wrong because checking the ARP cache (`arp -a`) would only be useful if the server had a valid route to the gateway but the MAC address resolution failed; here, the ping fails entirely, indicating a routing or connectivity issue, not an ARP resolution problem. Option B is wrong because replacing the network cable is a physical-layer troubleshooting step that should be performed only after verifying that the interface is up and has a link (e.g., via `ip link` or `ethtool`); the question states the interface has the correct IP, suggesting the link is likely up. Option C is wrong because restarting the network service is a disruptive, shotgun approach that may temporarily reset configurations but does not diagnose the root cause; it should be reserved for cases where configuration changes have been made or the service is misbehaving, not as a first diagnostic step.

467
Matching · medium

Match each Linux kernel parameter category to its description.

General kernel behavior

Virtual memory management

Network settings

Filesystem parameters

Device-specific settings

Why these pairings

Sysctl parameters are organized under these categories.

468
Multi-Select · medium

An administrator wants to ensure that a web service starts after the database service has fully initialized. Which TWO methods can be used to achieve this ordering dependency in systemd?

Select 2 answers
A. Add Requires=db.service in the [Unit] section
B. Add After=db.service in the [Unit] section of web.service
C. Add BindsTo=db.service in the [Unit] section
D. Add Wants=db.service in the [Unit] section
E. Add PartOf=db.service in the [Unit] section
Answers: A, B

Makes db.service a required dependency; together with After, it ensures ordering.

Why this answer

Option A is correct because `Requires=db.service` in the `[Unit]` section declares a strong dependency: if `db.service` fails to start, `web.service` will not be started. Option B is correct because `After=db.service` in the `[Unit]` section of `web.service` ensures that `web.service` starts only after `db.service` has reached the 'active' state, enforcing the required ordering. Together, these two directives guarantee both dependency and sequencing.

Exam trap

The trap here is that candidates often pick only `After=` (option B) thinking it alone enforces the dependency, forgetting that `After=` only orders startup and does not prevent the web service from starting if the database fails — the exam expects the combination of `Requires=` and `After=` to fully satisfy the 'starts after and depends on' requirement.

469
Multi-Select · hard

A Linux server is experiencing intermittent connectivity issues. The administrator reviews the system logs and finds the following messages: 'NETDEV WATCHDOG: eth0: transmit queue 0 timed out'. Which THREE actions are likely to resolve this issue? (Choose three.)

Select 3 answers
A. Disable NIC offloading features using 'ethtool -K eth0 tx off sg off'.
B. Update the network interface card (NIC) driver to the latest version.
C. Increase the transmit queue length using 'ifconfig eth0 txqueuelen 10000'.
D. Change the MTU on the interface to 9000.
E. Replace the NIC with a known good one.
Answers: A, B, E

Offloading can cause driver bugs; disabling it may stabilize the interface.

Why this answer

Option A is correct because the 'NETDEV WATCHDOG: eth0: transmit queue 0 timed out' error often indicates that the NIC's hardware offloading features (such as TCP segmentation offload, scatter-gather) are causing the driver to hang or fail to complete transmissions. Disabling these offloads with 'ethtool -K eth0 tx off sg off' forces the CPU to handle packet segmentation and reduces the load on the NIC, which can resolve the timeout.

Exam trap

The trap here is that candidates may confuse transmit queue timeout with a simple buffer exhaustion issue and incorrectly choose to increase the transmit queue length (option C), when the real cause is a driver or hardware fault that requires disabling offloads, updating the driver, or replacing the NIC.

470
MCQ · easy

A user cannot write to a directory that has permissions 755. The user is not the owner but belongs to the group. Which command would allow the user to write?

A. chmod 770 /directory
B. chmod 755 /directory
C. chmod 777 /directory
D. chmod 700 /directory
Answer: A

770 adds write permission for the group, allowing the user to write.

Why this answer

The directory currently has permissions 755, meaning the owner has rwx (7), the group has r-x (5), and others have r-x (5). Since the user belongs to the group but is not the owner, they need group write permission. The chmod 770 command sets the group permission to rwx (7), granting the user write access while preserving owner and group ownership semantics.

Exam trap

The trap here is that candidates may choose chmod 777 thinking it is the only way to grant write access, overlooking that the user is already in the group and only group write permission is needed.

How to eliminate wrong answers

Option B is wrong because chmod 755 sets group permission to r-x (5), which does not include write permission, so the user still cannot write. Option C is wrong because chmod 777 grants write permission to everyone (owner, group, and others), which is overly permissive and violates the principle of least privilege; it would work but is not the minimal correct solution. Option D is wrong because chmod 700 sets group permission to --- (0), removing all group access, which would prevent the user from even reading or executing the directory.

471
MCQ · easy

A security audit reveals that the /etc/shadow file has permissions 777. Which command should be used to correct this vulnerability?

A. chmod 660 /etc/shadow
B. chmod 600 /etc/shadow
C. chmod 644 /etc/shadow
D. chmod 640 /etc/shadow
Answer: B

Only root can read/write.

Why this answer

The /etc/shadow file stores hashed user passwords and must be readable only by root to prevent unauthorized access. Permissions 777 allow any user to read, write, and execute the file, which is a critical security vulnerability. The correct command is `chmod 600 /etc/shadow`, which sets read and write permissions for the owner (root) only, denying all access to group and others.

Exam trap

The trap here is that candidates often confuse the required permissions for /etc/shadow with those for /etc/passwd (which is 644), leading them to choose 644 or 640 instead of the more restrictive 600.

How to eliminate wrong answers

Option A is wrong because 660 grants read and write to both owner and group, which would allow members of the group (often 'shadow') to read password hashes, violating the principle of least privilege. Option C is wrong because 644 grants read access to everyone, exposing password hashes to all users on the system. Option D is wrong because 640 grants read access to the group, which is still too permissive for a file containing sensitive password data.

472
MCQ · hard

An administrator needs to ensure that /var/log/secure is only readable by members of the 'adm' group and is not accessible by any other user. Additionally, new files created in /var/log should inherit the group ownership 'adm'. Which set of commands achieves this?

A. setfacl -m u::rwx,g::rwx,o::--- /var/log/secure; chmod g+s /var/log
B. chgrp adm /var/log; chmod g+s /var/log; setfacl -m g:adm:rx /var/log/secure
C. chown :adm /var/log/secure; chmod 640 /var/log/secure
D. usermod -aG adm $(whoami); chmod 640 /var/log/secure
Answer: B

Sets group ownership, sgid on directory, and ACLs to make /var/log/secure readable by adm group only.

Why this answer

Option B correctly sets the group ownership of /var/log to 'adm' with `chgrp adm /var/log`, enables the setgid bit on the directory with `chmod g+s /var/log` so new files inherit the 'adm' group, and uses `setfacl -m g:adm:rx /var/log/secure` to grant only the 'adm' group read and execute access to the secure log file, while removing permissions for others via the default ACL mask.

Exam trap

CompTIA often tests the distinction between setting group ownership on a file versus a directory, and the requirement to use the setgid bit for inheritance, which candidates frequently overlook by only changing permissions on the file itself.

How to eliminate wrong answers

Option A is wrong because `setfacl -m u::rwx,g::rwx,o::---` sets permissions for the file owner and group owner (not the 'adm' group) and does not change group ownership or set the setgid bit on the directory; it also grants execute to the group, which is unnecessary for a log file. Option C is wrong because `chown :adm /var/log/secure` changes only the group of the file, but `chmod 640` gives read to the owner and group, and does not restrict access exclusively to the 'adm' group (the file's group is 'adm', but other users have no access, which is correct for the file, but it fails to ensure new files in /var/log inherit the 'adm' group because it does not set the setgid bit on /var/log). Option D is wrong because `usermod -aG adm $(whoami)` adds the current user to the 'adm' group but does not change the group ownership of /var/log/secure or /var/log, and `chmod 640` does not enforce inheritance for new files; it also does not restrict access to only the 'adm' group if the file's group is not 'adm'.

473
MCQ · easy

A junior administrator is tasked with setting up a file server using NFS on a Linux server. The /etc/exports file currently contains: /srv/nfs *(rw,sync,no_subtree_check). The administrator wants to restrict access to only the 192.168.10.0/24 network and require clients to use a privileged port (less than 1024) for added security. Additionally, the administrator wants to prevent root users on the client from having root access to the NFS share. Which exports configuration meets these requirements?

A. /srv/nfs 192.168.10.0/24(rw,sync,no_subtree_check,no_all_squash)
B. /srv/nfs 192.168.10.0/24(rw,sync,no_subtree_check,insecure,root_squash)
C. /srv/nfs 192.168.10.0/24(rw,sync,no_subtree_check,secure,root_squash)
D. /srv/nfs 192.168.10.0/24(rw,sync,no_subtree_check,secure,no_root_squash)
Answer: C

secure restricts to privileged ports, root_squash maps root to nobody.

Why this answer

Option C is correct because it restricts access to the 192.168.10.0/24 network, uses the 'secure' option to require client connections from a privileged port (less than 1024), and applies 'root_squash' to map root users on the client to the anonymous 'nobody' user, preventing root-level access to the NFS share.

Exam trap

The trap here is that candidates often confuse 'secure' with 'insecure' — the 'secure' option requires privileged ports, while 'insecure' allows any port, and many mistakenly think 'insecure' is needed for security or that 'no_root_squash' is the default safe behavior.

How to eliminate wrong answers

Option A is wrong because 'no_all_squash' does not prevent root access; it actually preserves the UID mapping, including root, which is the opposite of what is required. Option B is wrong because 'insecure' allows clients to connect from non-privileged ports (1024 or higher), violating the requirement to use a privileged port. Option D is wrong because 'no_root_squash' allows root users on the client to retain root access to the share, directly contradicting the requirement to prevent that.

474
MCQ easy

A systems administrator needs to automate the execution of a backup script every day at 2:00 AM using a systemd service. Which unit type should the administrator create?

A. A .service unit
B. A .path unit
C. A .mount unit
D. A .timer unit
Answer D

A timer unit triggers a service unit on a schedule.

Why this answer

A .timer unit is the correct choice because systemd timers are designed to schedule and trigger the execution of other units (such as services) at specific times or intervals. By creating a .timer unit that activates at 2:00 AM daily and a corresponding .service unit for the backup script, the administrator can automate the backup using systemd's built-in scheduling mechanism, which is more reliable and integrated than cron for systemd-managed systems.

Exam trap

The trap here is that candidates often confuse .timer units with .service units, mistakenly thinking a .service unit alone can handle scheduling, but systemd requires a separate timer unit to define the schedule and trigger the service.

How to eliminate wrong answers

Option A is wrong because a .service unit defines how to start, stop, and manage a process, but it does not include scheduling logic; it must be triggered by another unit (like a .timer) to run at a specific time. Option B is wrong because a .path unit monitors file system changes (e.g., file creation or modification) and activates a service when those events occur, not for time-based scheduling. Option C is wrong because a .mount unit controls the mounting of file systems and has no capability to schedule periodic execution of scripts.

475
Drag & Drop medium

Drag and drop the steps to configure a firewall rule using iptables to allow SSH in the correct order.

Why this order

Firewall configuration typically involves adding allow rules before setting default drop and saving.

476
MCQ medium

A server's root filesystem is 100% full according to df -h. Which command should the administrator use to locate large files?

A. ls -la /
B. fdisk -l
C. du -sh /*
D. find / -size +100M
Answer C

Shows sizes of top-level directories.

Why this answer

The `du -sh /*` command calculates disk usage for each top-level directory and file under `/`, summarizing the total in human-readable format. This directly identifies which directories or files consume the most space, allowing the administrator to pinpoint the cause of the 100% full root filesystem.

Exam trap

CompTIA often tests the distinction between listing files (`ls`) and measuring disk usage (`du`), trapping candidates who think `ls -la` shows file sizes that reflect actual disk consumption, ignoring that `ls` reports logical size while `du` reports physical blocks allocated.

How to eliminate wrong answers

Option A is wrong because `ls -la /` lists the names and metadata of files and directories in the root, but does not show their disk usage or size recursively, making it impossible to locate large files efficiently. Option B is wrong because `fdisk -l` displays partition table information (e.g., device names, sizes, types) and does not report file-level disk usage or locate large files. Option D is wrong because `find / -size +100M` searches for files larger than 100 MB, but it may miss large files that are exactly 100 MB or smaller, and it does not aggregate usage by directory, which is less efficient for identifying the primary space consumer on a full filesystem.

477
MCQ medium

A system administrator is troubleshooting a server running Ubuntu 20.04 that cannot establish outbound SSH connections. The server can ping external IP addresses and resolve hostnames. The administrator tries `ssh user@remotehost` and gets 'Connection timed out'. The firewall (ufw) is active. Which step should be taken?

A. Check the SSH client configuration in /etc/ssh/ssh_config.
B. Restart the networking service.
C. Allow output traffic on port 22 with ufw allow out 22/tcp.
D. Disable the firewall with ufw disable.
Answer C

Explicitly allowing outbound SSH traffic resolves the timeout while maintaining security.

Why this answer

The server can ping external IPs and resolve hostnames, so networking and DNS are working. The issue is that outbound SSH traffic on port 22 is being blocked by the active UFW firewall. The correct step is to allow outbound TCP traffic on port 22 using `ufw allow out 22/tcp`, which permits the client to initiate SSH connections to remote hosts.

Exam trap

The trap here is that candidates assume SSH issues are always server-side (e.g., checking SSH server config or restarting services) and overlook that the local firewall's outbound policy can block client-initiated connections even when inbound rules are correctly configured.

How to eliminate wrong answers

Option A is wrong because `/etc/ssh/ssh_config` controls client-side SSH settings (like preferred ciphers or host key checking), not firewall rules; a misconfigured client would produce a different error (e.g., 'Permission denied' or 'No route to host'), not a timeout. Option B is wrong because restarting the networking service would not resolve a firewall block; the server already has functional network connectivity (ping and DNS work), so the issue is at the packet filter level. Option D is wrong because disabling the entire firewall is an overly broad and insecure solution; the correct approach is to add a specific outbound allow rule for port 22/tcp rather than removing all firewall protection.

478
MCQ medium

A DevOps engineer needs to ensure that a containerized web application always restarts automatically if the container exits unexpectedly. Which Docker run option should be used?

A. --restart=on-failure
B. --restart=unless-stopped
C. --restart=no
D. --restart=always
Answer D

Always restarts regardless of exit status.

Why this answer

The `--restart=always` policy ensures that the container restarts regardless of the exit code or reason for termination, including unexpected crashes. This is the correct choice for a containerized web application that must maintain high availability by automatically recovering from any unexpected exit.

Exam trap

CompTIA often tests the subtle distinction between `--restart=always` and `--restart=unless-stopped`, where candidates mistakenly choose `unless-stopped` thinking it provides the same automatic restart but without the risk of restarting after a manual stop, missing that the requirement explicitly says 'always restarts automatically' regardless of how the container exits.

How to eliminate wrong answers

Option A is wrong because `--restart=on-failure` only restarts the container if it exits with a non-zero exit code, which may not cover all unexpected exit scenarios (e.g., a signal-based kill). Option B is wrong because `--restart=unless-stopped` will not restart the container if it was explicitly stopped by the user, which could leave the application down after manual intervention. Option C is wrong because `--restart=no` is the default policy that never automatically restarts the container, failing to meet the requirement for automatic recovery.

479
MCQ hard

A security audit reveals that a server's /etc/shadow file is readable by all users. Which command would correctly fix the permissions?

A. chmod 644 /etc/shadow
B. chmod 600 /etc/shadow
C. chmod 640 /etc/shadow
D. chmod 640 /etc/shadow && chown root:shadow
Answer B

This restricts read and write access to root only.

Why this answer

Option B is correct because 'chmod 600 /etc/shadow' sets the file to be readable and writable only by the owner (root), which is the standard permission. Option C (640) allows group read access. Option A (644) allows world read.

Option D includes a chown that is unnecessary.

480
MCQ medium

A database server is running slow. The administrator uses iostat and notices high await times on the disk. Which of the following best explains the implication of high await?

A. The CPU is waiting too long for memory access.
B. Disk I/O requests are taking a long time to complete.
C. The disk is almost full, causing fragmentation.
D. The network filesystem is experiencing latency.
Answer B

Await includes queue time and service time; high values mean disk is slow or overloaded.

Why this answer

In iostat, 'await' measures the average time (in milliseconds) for I/O requests to be served by the disk, including time spent in the queue and the actual service time. A high await value indicates that disk I/O requests are taking a long time to complete, which directly explains the database server's slowness due to disk latency.

Exam trap

The trap here is that candidates confuse 'await' with CPU wait time (iowait) or assume it directly indicates disk fullness, when in fact await is a pure I/O completion latency metric that can be high due to queueing, slow media, or controller issues.

How to eliminate wrong answers

Option A is wrong because high await in iostat is a disk metric, not a memory metric; CPU waiting for memory access is indicated by high 'wait' or 'st' in CPU stats, not await. Option C is wrong because a nearly full disk can cause fragmentation, but fragmentation primarily increases seek time and is not directly measured by await; await reflects overall request completion time, which can be high due to many factors beyond fragmentation. Option D is wrong because network filesystem latency would be captured by network-specific metrics (e.g., nfsiostat, netstat) or by iostat if the disk is a remote block device, but await on a local disk does not imply network latency.

481
MCQ hard

A containerized application is consuming excessive memory on a Linux host running Podman. Which command sets a memory limit of 512 megabytes when running a container?

A. podman run --memory=512m myimage
B. podman run --limit-memory 512 myimage
C. podman run --mem=512m myimage
D. podman run --memory-limit=512MB myimage
Answer A

--memory=512m correctly sets a memory limit of 512 megabytes.

Why this answer

Option A is correct because Podman uses the `--memory` flag (identical to Docker's syntax) to set a hard memory limit on a container. The value `512m` specifies 512 megabytes. This directly restricts the container's memory usage via cgroups, preventing it from consuming excessive host memory.

Exam trap

CompTIA often tests the exact flag syntax and unit format, so the trap here is that candidates may confuse Podman's `--memory` with Docker's `--memory` (they are identical) or invent plausible-sounding flags like `--limit-memory` or `--mem`, or use incorrect unit capitalization like `MB` instead of `m`.

How to eliminate wrong answers

Option B is wrong because `--limit-memory` is not a valid Podman flag; the correct flag is `--memory`. Option C is wrong because `--mem` is not a valid Podman flag; the correct abbreviation is `--memory` (or `-m`). Option D is wrong because `--memory-limit` is not a valid Podman flag, and the value `512MB` uses an incorrect unit format (Podman expects lowercase 'm' for megabytes, e.g., `512m`).

482
MCQ medium

Which command will display the disk usage of each file and directory in the current directory?

A. df -h
B. ls -lh
C. du -sh *
D. fdisk -l
Answer C

du -sh * displays the total size of each file/directory in human-readable format.

Why this answer

Option C is correct because `du -sh *` calculates and displays the disk usage of each file and directory in the current directory. The `-s` flag summarizes each item, `-h` provides human-readable sizes (e.g., KB, MB), and the `*` wildcard expands to all non-hidden entries in the current directory, making it the precise command for this task.

Exam trap

CompTIA often tests the distinction between `df` (filesystem-level) and `du` (directory/file-level) disk usage, and the trap here is that candidates mistakenly choose `ls -lh` thinking it shows disk usage, when it only shows logical file size and does not account for blocks or directory contents.

How to eliminate wrong answers

Option A is wrong because `df -h` reports filesystem-level disk space usage (total, used, available) for mounted filesystems, not per-file or per-directory usage. Option B is wrong because `ls -lh` lists file sizes and metadata but does not calculate actual disk usage (it shows logical file size, not blocks consumed, and cannot handle directories recursively). Option D is wrong because `fdisk -l` is a partition table manipulation tool that lists disk partitions and their geometry, not file or directory disk usage.

483
MCQ easy

Which tool is used for encrypting files with public-key cryptography on Linux systems?

A. bcrypt
B. LUKS
C. OpenSSL
D. GnuPG
Answer D

Implements the OpenPGP standard for encrypting and signing data.

Why this answer

GnuPG (GNU Privacy Guard) is the correct tool because it implements the OpenPGP standard (RFC 4880) for encrypting and signing files using public-key cryptography. It allows users to generate a key pair, encrypt a file with the recipient's public key, and decrypt it with the corresponding private key, making it the standard Linux utility for asymmetric file encryption.

Exam trap

The trap here is that candidates confuse OpenSSL's ability to perform asymmetric operations (e.g., `openssl rsautl`) with it being the standard tool for public-key file encryption, while GnuPG is the dedicated utility for OpenPGP-compliant file encryption on Linux.

How to eliminate wrong answers

Option A is wrong because bcrypt is a password-hashing function based on the Blowfish cipher, designed for securely storing passwords, not for encrypting files with public-key cryptography. Option B is wrong because LUKS (Linux Unified Key Setup) is a disk encryption specification that encrypts entire block devices using symmetric keys, not public-key cryptography for individual files. Option C is wrong because OpenSSL is a cryptographic library that supports symmetric and asymmetric encryption, but it is primarily a toolkit for SSL/TLS protocols and command-line encryption of data using symmetric ciphers (e.g., `openssl enc`), not a dedicated public-key file encryption tool like GnuPG.

484
Multi-Select easy

Which TWO commands can be used to display the current kernel version on a Linux system?

Select 2 answers
A. modinfo
B. uname -r
C. cat /proc/version
D. lsmod
E. dmesg
Answers B, C

Shows kernel release.

Why this answer

The `uname -r` command displays the kernel release version, which is the standard way to quickly check the current kernel version. The `cat /proc/version` command reads the /proc/version file, which contains a string that includes the kernel version, compiler information, and build date, making it another reliable method to view the kernel version.

Exam trap

CompTIA often tests the distinction between commands that display kernel version (`uname -r`, `/proc/version`) versus commands that show kernel module information (`lsmod`, `modinfo`) or boot logs (`dmesg`), leading candidates to confuse related but incorrect options.

485
Multi-Select easy

Which TWO commands can be used to view a list of all running processes with their PIDs? (Choose two.)

Select 2 answers
A. ps
B. pidof
C. top
D. ls
E. pstree
Answers A, C

ps -ef displays all processes with PIDs.

Why this answer

ps and top both display running processes with PIDs. ps -ef or ps aux shows all processes. top shows an interactive view. ls lists files, pstree shows tree without PIDs by default, pidof finds PID of a specific process.

486
Multi-Select medium

Which TWO statements about container security are correct when using Docker? (Choose two.)

Select 2 answers
A. SELinux is automatically enabled inside containers.
B. Containers have their own kernel, isolated from the host.
C. Using --cap-drop=ALL removes all capabilities, making the container more secure.
D. By default, containers run with a reduced set of Linux capabilities.
E. Using --network=host increases container isolation.
Answers C, D

Dropping all capabilities and adding only needed ones is a security best practice.

Why this answer

Option C is correct because using `--cap-drop=ALL` removes all Linux capabilities from the container, which eliminates any privileged operations the container could perform. This forces the container to run with the absolute minimum privileges, significantly reducing the attack surface and making it more secure.

Exam trap

CompTIA often tests the misconception that containers have their own kernel or that SELinux is automatically active, while the real focus is on Linux capabilities and the shared kernel model.

487
MCQhard

A custom udev rule for a new USB device is not being applied. The rule file is correctly placed in /etc/udev/rules.d/ with .rules extension. What is the most likely cause?

A. The rule file is not executable
B. The rule uses a wrong attribute or value
C. The device is not recognized by the kernel
D. The rule file is in a subdirectory
Answer B

Use 'udevadm info' to get correct attributes for matching.

Why this answer

The most likely cause is that the rule uses a wrong attribute or value. Udev rules are matched against device attributes (e.g., vendor ID, product ID, subsystem) exposed by the kernel via sysfs. If the rule specifies an incorrect attribute name, a typo in a value, or a mismatch with the actual device properties, the rule will not trigger.

Since the file is correctly placed and named, the failure is almost always due to a mismatch in the matching criteria.

Exam trap

The trap here is that candidates often assume the rule file must be executable or that the device is not recognized, but the XK0-005 exam tests the understanding that udev rule matching is attribute-driven and that incorrect attribute values are the most common cause of non-application.

How to eliminate wrong answers

Option A is wrong because udev rule files do not need the executable permission; they are read by udev as configuration files, not executed as scripts. Option C is wrong because if the device were not recognized by the kernel, it would not appear in sysfs or generate a uevent, but the question states the rule is not being applied, implying the device is present but the rule fails to match. Option D is wrong because udev does not scan subdirectories; placing the rule file in a subdirectory would cause it to be ignored entirely, but the question explicitly states the file is correctly placed in /etc/udev/rules.d/.

488
MCQ medium

A cron job runs a script that produces output, but the administrator does not receive the expected email notification. Which is the most likely cause?

A. The script uses absolute paths for all commands.
B. MAILTO variable is not set in the crontab.
C. The PATH environment variable is not set.
D. The script is not executable.
Answer B

Cron only sends output to the address specified in MAILTO; if not set, output is lost.

Why this answer

The MAILTO variable in a crontab specifies the email address to which cron sends the output (stdout/stderr) of a job. If MAILTO is not set, cron defaults to mailing output to the owner of the crontab (the user who created it). However, if the administrator expects notifications at a different address, the missing MAILTO variable would prevent that specific email from being sent.

This is the most direct cause of not receiving the expected email notification.

Exam trap

CompTIA often tests the distinction between variables that affect script execution (PATH) versus those that control cron's mail behavior (MAILTO), leading candidates to mistakenly choose PATH or executable permissions when the issue is specifically about email delivery.

How to eliminate wrong answers

Option A is wrong because using absolute paths for all commands does not affect email delivery; it actually helps ensure the script runs correctly regardless of the cron environment. Option C is wrong because the PATH environment variable affects command resolution within the script, not the sending of email notifications by cron. Option D is wrong because if the script were not executable, it would fail to run entirely, producing an error that would still be mailed to the crontab owner (or the MAILTO address if set), so the lack of email notification is not explained by this.

489
MCQ medium

An Ansible playbook fails with a syntax error. Which command validates the playbook syntax without running it?

A. ansible-lint playbook.yml
B. ansible-playbook --check
C. ansible-playbook --validate
D. ansible-playbook --syntax-check
Answer D

This command parses the playbook and reports syntax errors without executing any tasks.

Why this answer

The `--syntax-check` flag is a built-in option of `ansible-playbook` that parses the YAML file and validates its syntax without executing any tasks. This is the correct tool for catching syntax errors in a playbook before running it.

Exam trap

The trap here is that candidates may confuse `--syntax-check` with `--check` (dry run) or assume `ansible-lint` is the syntax validator, but `--syntax-check` is the only command that validates syntax without any execution.

How to eliminate wrong answers

Option A is wrong because `ansible-lint` is a separate tool that checks for best practices, style, and potential issues, but it does not perform a strict syntax validation of the playbook. Option B is wrong because `--check` performs a dry run that executes the playbook in check mode, which still runs the playbook logic and can fail on syntax errors, not just validate syntax. Option C is wrong because `--validate` is not a valid flag for `ansible-playbook`; the correct flag for syntax validation is `--syntax-check`.

490
MCQ hard

Based on the exhibit, which file has an incorrect SELinux context for serving web content via Apache?

A. Neither
B. style.css
C. Both
D. index.html
Answer D

index.html has context user_home_t, which prevents Apache from serving it; the correct context is httpd_sys_content_t.

Why this answer

Option D is correct. index.html has user_home_t, which is not the proper context for web content; it should be httpd_sys_content_t. style.css has the correct context. Therefore, neither "Both" nor "Neither" is correct.

491
Multi-Select medium

Which three are valid systemd unit types?

Select 3 answers
A. process
B. socket
C. service
D. timer
E. job
Answers B, C, D

socket is a unit type for IPC or network sockets.

Why this answer

Options B, C, and D are correct. service, socket, and timer are standard systemd unit types. job and process are not valid unit types.

492
MCQ hard

A server has a volume group 'vg_data' with a single logical volume 'lv_data' of 100GB mounted at /data. The filesystem on lv_data is XFS. The administrator needs to extend it to 150GB. A new 60GB disk /dev/sdc has been added and partitioned as LVM. The administrator runs `pvcreate /dev/sdc1`, then `vgextend vg_data /dev/sdc1`, then `lvextend -L +50G /dev/vg_data/lv_data`. The administrator runs `df -h /data` and sees that the filesystem still shows 100GB. Which command should be run next?

A. lvreduce -L -50G /dev/vg_data/lv_data
B. fsck /dev/vg_data/lv_data
C. xfs_growfs /data
D. resize2fs /dev/vg_data/lv_data
Answer C

xfs_growfs grows an XFS filesystem to fill the available space.

Why this answer

For XFS filesystems, after extending the logical volume, the filesystem must be grown using xfs_growfs with the mount point as argument. resize2fs (Option D) is for ext2/3/4. Option B checks the filesystem, but it's not needed. Option A would shrink the logical volume, which is incorrect.

493
MCQ medium

In the exhibit, what does 'Tasks: 11 (limit: 512)' indicate?

A. The process is using 512 MB of memory.
B. The service has been running for 512 seconds.
C. The cgroup pids controller is limiting the number of processes/threads.
D. The number of threads is limited to 512.
Answer C

The limit is enforced by the pids cgroup controller.

Why this answer

The 'Tasks:' line in systemd status shows the current number of tasks (processes/threads) and the limit imposed by the cgroup pids controller. This is a resource control feature of systemd.

494
MCQ hard

A company's security policy requires that all user passwords must expire every 90 days. The administrator runs 'chage -M 90 jdoe' for user jdoe. Which additional step ensures that the password expiration policy is enforced for all new users?

A. Set PASS_MAX_DAYS 90 in /etc/login.defs
B. Add 'password required pam_unix.so remember=5' to /etc/pam.d/system-auth
C. Set EXPIRE=90 in /etc/default/useradd
D. Modify /etc/shadow to set max days for each user
Answer A

This sets the default maximum password age for new users.

Why this answer

Option A is correct because /etc/login.defs contains default values used by useradd and other tools when creating new users. Setting PASS_MAX_DAYS 90 in this file ensures that every new user account created will automatically have a 90-day password expiration, enforcing the policy globally without manual intervention.

Exam trap

The trap here is that candidates confuse the purpose of /etc/login.defs (defaults for new users) with /etc/shadow (current user settings) or think that modifying a single user's policy with chage will propagate to all users.

How to eliminate wrong answers

Option B is wrong because the pam_unix.so remember=5 setting controls password history (preventing reuse of the last 5 passwords), not the maximum password age. Option C is wrong because the EXPIRE parameter in /etc/default/useradd controls account expiration (it sets an absolute expiry date), not the maximum password age; there is no PASS_MAX_DAYS equivalent in that file. Option D is wrong because modifying /etc/shadow manually for each user is not scalable and does not enforce the policy for future new users; it only applies to existing accounts.

495
MCQ medium

A Linux engineer is troubleshooting a cron job that does not execute as expected. The crontab entry reads: '*/5 * * * * /usr/local/bin/backup.sh'. The script runs manually when executed as root. Which of the following is the most likely cause?

A. The cron daemon is not running.
B. The script file does not have execute permissions.
C. The system clock is incorrect.
D. The script requires environment variables that are not set in cron's shell.
Answer D

Common issue: cron has limited PATH and env.

Why this answer

D is correct because cron jobs run in a minimal shell environment (typically /bin/sh) with a very limited set of environment variables. The script /usr/local/bin/backup.sh may rely on variables like PATH, HOME, or custom variables that are not set in cron's shell, causing it to fail even though it runs fine manually as root. This is a classic cron issue where the interactive shell's environment differs from cron's non-interactive environment.

Exam trap

CompTIA often tests the misconception that a script failing in cron is due to permissions or the cron daemon status, when the real issue is the stripped-down environment that lacks variables the script depends on.

How to eliminate wrong answers

Option A is wrong because if the cron daemon were not running, no cron jobs would execute at all, but the question states only this specific job fails, and the script runs manually. Option B is wrong because the script runs manually when executed as root, which implies it has execute permissions; if permissions were missing, the manual execution would also fail. Option C is wrong because an incorrect system clock would affect all cron jobs based on timing, but the job is scheduled with '*/5 * * * *' and would still attempt to run; the issue is specific to the script's execution environment, not the timing.

496
MCQ easy

A developer wants to run a container with a specific command that overrides the default entrypoint. Which Docker command should be used?

A. docker run myimage /bin/bash
B. docker exec myimage /bin/bash
C. docker run --entrypoint /bin/bash myimage
D. docker start myimage /bin/bash
Answer C

Overrides ENTRYPOINT.

Why this answer

Option C is correct because the `--entrypoint` flag in `docker run` allows you to override the default entrypoint defined in the Docker image. By specifying `--entrypoint /bin/bash`, the container will start with `/bin/bash` as its entrypoint, ignoring any `ENTRYPOINT` or `CMD` instructions in the Dockerfile. This is the standard Docker syntax for replacing the entrypoint at runtime.

Exam trap

The trap here is that candidates often confuse `docker run` with `docker exec` or assume that appending a command after the image name (as in option A) overrides the entrypoint, when in fact it only overrides the CMD unless the entrypoint is explicitly changed with `--entrypoint`.

How to eliminate wrong answers

Option A is wrong because `docker run myimage /bin/bash` appends `/bin/bash` as a command argument to the image's default entrypoint (if one exists), or overrides the default CMD, but it does not override the entrypoint itself; if the image has an ENTRYPOINT, the `/bin/bash` argument is passed to that entrypoint, not executed directly. Option B is wrong because `docker exec` is used to run a command in an already running container, not to start a new container with a different entrypoint. Option D is wrong because `docker start` only restarts an existing stopped container and does not accept a command argument; it cannot override the entrypoint or run a new command.

497
Multi-Select medium

A system administrator needs to configure a cron job to run a script every Monday at 3:00 AM. Which two cron expressions are correct? (Select TWO).

Select 2 answers
A. 0 3 * * 0
B. 0 3 1 * 1
C. 0 3 * * 1
D. 0 3 * * 1-5
E. 0 3 * * Mon
Answers C, E

Correct: minute 0, hour 3, any day, any month, Monday.

Why this answer

Option C is correct because the cron expression `0 3 * * 1` schedules the script to run at minute 0, hour 3 (3:00 AM), every day of the month (`*`), every month (`*`), and on Monday (day-of-week 1, where 0=Sunday, 1=Monday). Option E is correct because cron also accepts three-letter abbreviations for days of the week, so `Mon` is equivalent to `1`.

Exam trap

CompTIA often tests the misconception that day-of-week `0` is Monday (it is Sunday) and that using a specific day-of-month value like `1` combined with a day-of-week value still runs every Monday (when both fields are restricted, cron uses OR logic, so it would run on the 1st of any month OR any Monday, not just Mondays).

498
MCQ medium

A security audit reveals that the /etc/shadow file has permissions 0644 and is owned by root:shadow. The auditor states that this is a security risk because any local user can read password hashes. The administrator wants to fix the permissions to ensure that only root and the shadow group can read the file, and no one else can read it. Additionally, the administrator wants to set the immutable attribute on the file to prevent accidental modification. Which set of commands achieves the desired state?

A. chmod 640 /etc/shadow; chattr +i /etc/shadow
B. chmod 640 /etc/shadow; chattr +a /etc/shadow
C. chmod 640 /etc/shadow; chmod +i /etc/shadow
D. chmod 600 /etc/shadow; chattr +i /etc/shadow
Answer A

Sets permissions to owner rw, group r, others none; then sets immutable attribute.

Why this answer

Option A is correct because chmod 640 sets the file permissions to read/write for root (owner) and read-only for the shadow group, while removing all access for others. chattr +i sets the immutable attribute, which prevents any modifications (including deletion, renaming, or content changes) even by root until the attribute is removed. This satisfies the requirement that only root and the shadow group can read the file, and no one else can read it, while also protecting against accidental modification.

Exam trap

CompTIA often tests the distinction between chmod (file permissions) and chattr (extended attributes), and the trap here is that candidates may confuse the immutable attribute (+i) with the append-only attribute (+a) or mistakenly use chmod to set it.

How to eliminate wrong answers

Option B is wrong because chattr +a sets the append-only attribute, which only allows data to be appended to the file (e.g., for log files), but does not prevent modification or deletion of existing content, so it does not fully protect against accidental modification. Option C is wrong because chmod +i is not a valid command; the immutable attribute is set via chattr, not chmod. Option D is wrong because chmod 600 sets permissions to read/write only for root, removing read access for the shadow group, which violates the requirement that the shadow group should still be able to read the file.

499
MCQ · medium

An administrator needs to run a script '/usr/local/bin/cleanup.sh' every day at 2:30 AM. Which crontab entry is correct?

A. 2 30 * * * /usr/local/bin/cleanup.sh
B. */30 2 * * * /usr/local/bin/cleanup.sh
C. 30 * * * * /usr/local/bin/cleanup.sh
D. 30 2 * * * /usr/local/bin/cleanup.sh
Answer: D

Correct syntax for 2:30 AM daily.

Why this answer

The correct crontab syntax is `minute hour day month weekday command`. Option D specifies minute 30, hour 2, and asterisks for all other fields, which means the script runs at 2:30 AM every day. This matches the requirement exactly.

Exam trap

CompTIA often tests the order of minute and hour fields in crontab entries, and the trap here is that candidates may swap them (placing hour first) or use `*/30` thinking it means 'at 30 minutes past the hour' rather than 'every 30 minutes'.

How to eliminate wrong answers

Option A is wrong because it places the hour (2) in the minute field and the minute (30) in the hour field, so it does not schedule a 2:30 AM run. Option B is wrong because `*/30` in the minute field means 'every 30 minutes' and `2` in the hour field means 'only during hour 2', so the script runs at 2:00 AM and 2:30 AM, not just once at 2:30 AM. Option C is wrong because it sets minute 30 and hour as `*` (every hour), so the script runs at 30 minutes past every hour, i.e., 24 times per day.

500
Multi-Select · hard

Which THREE of the following are valid ways to define environment variables in a Docker container? (Choose three.)

Select 4 answers
A. Passing with docker run -e VAR=value
B. Including in a docker-compose.yml under services: environment:
C. Using the ARG instruction in Dockerfile
D. Using the ENV instruction in Dockerfile
E. Using --env-file option with docker run
Answers: A, B, D, E

Overrides or sets variable at runtime.

Why this answer

Option A is correct because the `docker run -e VAR=value` syntax directly sets an environment variable inside the container at runtime. This overrides any ENV instruction in the Dockerfile for that specific run, giving the operator flexibility without modifying the image.

Exam trap

CompTIA often tests the distinction between build-time (`ARG`) and runtime (`ENV`, `-e`, `--env-file`) variable definitions, and candidates mistakenly think `ARG` persists into the running container.

501
MCQ · medium

A systems administrator needs to ensure that a custom service runs with a specific priority on a Linux server. Which command should the administrator use to achieve this?

A. renice -10 -p 1234
B. ionice -c 2 -n 0 -p 1234
C. nice -n -10 /usr/local/bin/myservice
D. chrt -r 99 /usr/local/bin/myservice
Answer: C

nice runs a command with a modified scheduling priority.

Why this answer

Option C is correct because the `nice` command adjusts the CPU scheduling priority of a process at launch time. Using `nice -n -10` sets a higher priority (lower nice value) for the new service, ensuring it runs with the specified priority from the start. This directly meets the requirement to run a custom service with a specific priority.

Exam trap

The trap here is that candidates confuse `nice` (for CPU priority at launch) with `renice` (for adjusting an already running process) or `ionice` (for I/O priority), leading them to select an option that does not set the priority at service start.

How to eliminate wrong answers

Option A is wrong because `renice` changes the priority of an already running process (by PID), not at launch time; the question asks to ensure the service runs with a specific priority, implying it should be set when the service starts. Option B is wrong because `ionice` sets I/O scheduling priority, not CPU priority; the question asks for a specific priority (likely CPU priority), and `ionice` controls disk I/O bandwidth, not CPU scheduling. Option D is wrong because `chrt -r 99` sets a real-time scheduling policy (SCHED_RR) with maximum priority, which is for real-time processes and can cause system instability if misused; the question does not specify real-time requirements, and `nice` is the standard tool for adjusting CPU priority in a non-real-time context.

502
MCQ · medium

A Linux administrator is troubleshooting a server that intermittently becomes unresponsive. The administrator suspects a memory leak. Which command should be used to monitor memory usage over time and identify the consuming process?

A. free -h
B. top
C. ss -tuln
D. df -h
Answer: B

Displays real-time process list with memory usage.

Why this answer

The `top` command provides a real-time, dynamic view of system processes, including memory usage (RES, VIRT, %MEM) and can be sorted by memory consumption. It updates continuously, making it ideal for monitoring memory usage over time and identifying the specific process responsible for a suspected memory leak.

Exam trap

The trap here is that candidates confuse system-wide memory reporting (`free -h`) with per-process monitoring (`top`), or mistake disk usage commands (`df -h`) or network tools (`ss`) for memory diagnostics.

How to eliminate wrong answers

Option A is wrong because `free -h` shows total, used, and available memory in human-readable format, but it does not display per-process memory consumption or allow monitoring over time. Option C is wrong because `ss -tuln` lists listening and connected sockets (TCP/UDP) with numeric addresses; it is a network socket statistics tool, not a memory monitoring command. Option D is wrong because `df -h` reports filesystem disk space usage, not memory (RAM) usage, and cannot identify processes consuming memory.

503
MCQ · easy

A process has become unresponsive and is in a zombie state. Which action should the administrator take to remove the zombie process?

A. kill -18 <PID>
B. kill -9 <PID>
C. Wait for the init process to clean it up; no action needed
D. Kill the parent process of the zombie
Answer: D

When the parent process dies, the zombie is inherited by init, which reaps it immediately.

Why this answer

Option D is correct. Zombie processes cannot be killed; they must be reaped by their parent. If the parent is killed, init reaps the zombie.

Option A sends a continue signal. Option B has no effect. Option C is not immediately effective.

504
MCQ · easy

A system administrator needs to find out which process is using a particular file. Which command should they use?

A. fuser /path/to/file
B. lsof /path/to/file
C. ps aux | grep file
D. stat /path/to/file
Answer: B

lsof lists all open files and the processes that opened them.

Why this answer

The `lsof` command (list open files) is the correct tool because it displays information about files opened by processes, including the specific file path. When given a file path, `lsof` lists the PID and process name that currently have that file open, directly answering the administrator's need.

Exam trap

The trap here is that candidates may confuse `fuser` with `lsof` because both can identify processes using a file, but `lsof` provides more comprehensive output and is the standard tool for detailed process-to-file mapping in the XK0-005 exam.

How to eliminate wrong answers

Option A is wrong because `fuser` identifies processes using a file or socket, but it does not provide the detailed process information (like command name) that `lsof` does; `fuser` is more suited for identifying PIDs to kill processes. Option C is wrong because `ps aux | grep file` searches for the string 'file' in the process list, which may match process names or arguments containing 'file' but does not reliably identify which process has a specific file open; it relies on grep pattern matching, not kernel-level file descriptor tracking. Option D is wrong because `stat` displays file metadata (size, permissions, timestamps) and does not show which processes are using the file.

505
MCQ · medium

A system administrator notices that the root filesystem is at 95% capacity. Which command should be used to identify the directories consuming the most space?

A. df -h
B. du -sh /*
C. fdisk -l
D. ls -la /
Answer: B

Shows size of each top-level directory.

Why this answer

B is correct because `du -sh /*` calculates disk usage for each top-level directory under root, showing human-readable sizes. This directly identifies which directories consume the most space, allowing the administrator to pinpoint the source of the 95% capacity issue.

Exam trap

The trap here is that candidates often confuse `df -h` (filesystem-level overview) with `du -sh` (directory-level detail), mistakenly thinking `df` can pinpoint which directories are consuming space.

How to eliminate wrong answers

Option A is wrong because `df -h` shows filesystem-level disk usage (capacity, used, available) but does not drill down into directories to identify which ones are consuming space. Option C is wrong because `fdisk -l` lists partition tables and disk geometry, not directory-level disk usage. Option D is wrong because `ls -la /` lists file names, permissions, and metadata but does not calculate or display the actual disk space consumed by each directory.

506
Multi-Select · hard

Which TWO tools are specifically designed to detect rootkits on a Linux system?

Select 2 answers
A. lsof
B. rkhunter
C. netstat
D. clamav
E. chkrootkit
Answers: B, E

Rootkit hunter tool.

Why this answer

B is correct because rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors, and possible local exploits by comparing file hashes, checking for hidden processes, and analyzing system binaries for known rootkit signatures. It is specifically designed to detect rootkits on Linux systems.

Exam trap

The trap here is that candidates may confuse general system monitoring tools (lsof, netstat) or general antivirus (ClamAV) with specialized rootkit detection tools, but only rkhunter and chkrootkit are explicitly designed for that purpose.

507
MCQ · medium

Refer to the exhibit. What is the total amount of RAM installed on the system?

A. 7.7G
B. 7.5G
C. 8.0G
D. 0.1G
Answer: A

The total column shows 7.7G.

Why this answer

Option A is correct because the 'total' column for Mem shows 7.7G. Options B, C, and D are incorrect: 7.5G is used, 8.0G is not shown, and 0.1G is free.

508
MCQ · medium

Refer to the exhibit. A web application running under Apache cannot write to /var/log/app.log. The file has permissions 664 and is owned by apache. What is the correct action to allow writes while maintaining SELinux policies?

A. Change the ownership to root.
B. Change the SELinux context of the file to httpd_log_t.
C. Set the httpd_can_network_connect boolean.
D. Disable SELinux for the httpd daemon.
Answer: B

Allows httpd_t to write to that file type.

Why this answer

The file /var/log/app.log has permissions 664 and is owned by apache, so the web server should be able to write to it. However, SELinux is blocking the write because the file's SELinux context does not match the type expected for files that Apache (httpd) is allowed to write to. Changing the SELinux context to httpd_log_t tells SELinux that this file is a log file that httpd can write to, which resolves the denial while keeping SELinux enforcing.

Exam trap

The trap here is that candidates see the file is owned by apache with 664 permissions and assume the issue is file ownership or permissions, overlooking that SELinux enforces its own access controls independent of standard Linux permissions.

How to eliminate wrong answers

Option A is wrong because changing ownership to root would actually prevent the apache user from writing to the file (since root owns it and the file has 664 permissions, the apache user is in the 'others' category and can only read). Option C is wrong because the httpd_can_network_connect boolean controls whether httpd can initiate outbound network connections, not file write permissions. Option D is wrong because disabling SELinux for the httpd daemon would weaken security unnecessarily; the correct approach is to apply the proper SELinux file context rather than bypassing the policy entirely.

509
MCQ · medium

A system administrator wants to limit the CPU and memory usage of a specific service to prevent it from affecting other processes. Which Linux feature should be used?

A. ulimit
B. renice
C. cgroups
D. nice
Answer: C

cgroups can limit CPU, memory, I/O for process groups.

Why this answer

cgroups (control groups) allow resource limiting per process group. ulimit sets per-process limits, and nice/renice adjust priority but do not enforce hard limits. cgroups are the proper tool for service resource control.

510
Multi-Select · easy

Which TWO of the following are valid methods for debugging a Bash script? (Choose TWO.)

Select 2 answers
A. Add 'set -r' to restrict shell
B. Run the script with 'bash -x script.sh'
C. Add 'set -x' at the start of the script
D. Run the script with 'bash -d script.sh'
E. Add 'set -n' to check syntax
Answers: B, C

Traces each command before execution.

Why this answer

Using 'bash -x script.sh' prints commands and arguments. Adding 'set -x' inside the script enables tracing.

Option D is not a valid option. Option E only checks syntax. Option A runs the script in restricted mode, not debug.
