CCNA Troubleshooting Questions


76
Multi-Select · hard

Which TWO are standard methods to boot into rescue mode in a systemd-based Linux distribution?

Select 2 answers
A. Run systemctl rescue
B. Add 'emergency' to kernel command line
C. Append init=/bin/bash to kernel command line
D. Run grub2-mkconfig
E. Set default target to rescue.target and reboot
Answers: A, E

Immediately switches the system to rescue.target.

Why this answer

Option A is correct because `systemctl rescue` directly activates the `rescue.target`, which is the standard systemd mechanism to boot into a single-user, minimal rescue environment. This target mounts essential filesystems and starts basic services, providing a shell for troubleshooting without a full multi-user boot.

Exam trap

The trap here is that candidates confuse 'rescue mode' with 'emergency mode' or legacy `init=/bin/bash` methods, failing to recognize that systemd defines `rescue.target` as the standard, service-aware rescue environment.

77
MCQ · easy

A user reports that they receive 'Permission denied' when trying to run a script located in their home directory. The script has permissions -rw-rw-r-- and is owned by the user. Which command should the user run to resolve the issue?

A. chmod g-w script.sh
B. sudo chown user:user script.sh
C. chmod u+x script.sh
D. chmod a+x script.sh
Answer: C

Adds execute permission for the owner, allowing the script to run.

Why this answer

The script has permissions -rw-rw-r--, meaning the owner (user) has read and write but not execute permission. To run it as a script, the execute bit must be set for the owner. The command chmod u+x script.sh adds execute permission for the user, allowing them to run the script directly.

Exam trap

The trap here is that candidates may think 'Permission denied' always means ownership or group issues, leading them to choose chown or group permission changes, when in fact the missing execute bit is the specific cause for script execution failures.

How to eliminate wrong answers

Option A is wrong because chmod g-w removes write permission from the group, which does not add execute permission and would not resolve the 'Permission denied' error. Option B is wrong because sudo chown user:user script.sh changes the owner and group to the user, but the script is already owned by the user, so this does nothing to add execute permission. Option D is wrong because chmod a+x adds execute permission for all (user, group, others), which would work but is overly permissive and not the minimal fix; the question asks which command the user should run, and the most appropriate and secure answer is to add execute only for the owner.

78
MCQ · medium

A user is trying to log in to a Linux server via SSH but receives 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic)'. The user's public key is in ~/.ssh/authorized_keys with proper permissions (600) and owned by the user. The server's sshd_config has 'PubkeyAuthentication yes' and 'PasswordAuthentication no'. What is the most likely additional cause?

A. The server's firewall is blocking port 22.
B. The user's home directory has incorrect permissions (e.g., group-writable).
C. SELinux is blocking the key authentication.
D. The SSH server is not running.
Answer: B

SSH enforces strict permissions on the home directory; if it is group-writable, key authentication is refused.

Why this answer

Option B is correct because the SSH server's `StrictModes` setting (enabled by default) checks that the user's home directory is not group-writable or world-writable. If the home directory has group-write permission (e.g., 775), SSH refuses to trust `~/.ssh/authorized_keys` even if the file itself has 600 permissions. This is a security measure to prevent other group members from modifying the authorized_keys file indirectly.

Exam trap

CompTIA often tests the subtlety that SSH's `StrictModes` checks parent directory permissions, not just the key file, leading candidates to overlook home directory permissions when the key file itself appears correct.

How to eliminate wrong answers

Option A is wrong because a firewall blocking port 22 would cause a connection timeout or 'Connection refused' error, not the specific 'Permission denied (publickey,...)' message. Option C is wrong because SELinux blocking key authentication would typically produce AVC denial messages in audit logs and a different error (e.g., 'Permission denied (publickey)' without the GSSAPI methods), and the default SELinux policy allows SSH key-based login. Option D is wrong because if the SSH server were not running, the client would receive 'Connection refused' immediately, not an SSH authentication failure message.
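The `StrictModes` check described in question 78, as an added example rather than material from the question bank: a script that walks the home directory, `~/.ssh` and `authorized_keys` and flags any entry that is group- or world-writable or owned by someone other than the user or root. It goes slightly beyond the explanation by also checking ownership and the `.ssh` directory; the function names and the temporary demo tree are constructed, and `stat -c` assumes GNU coreutils or BusyBox.

```sh
#!/bin/sh
# Added example: audit the path chain that sshd's StrictModes inspects.
# Each of  $HOME, $HOME/.ssh, $HOME/.ssh/authorized_keys  must be owned by
# the user (or root) and must not be group- or world-writable.
# Assumes GNU coreutils or BusyBox `stat -c`.

# check_path PATH UID: print a finding and fail if PATH would be rejected.
# The body runs in a subshell, so `exit` only ends this function.
check_path() (
    path=$1
    uid=$2
    [ -e "$path" ] || { echo "MISSING  $path"; exit 1; }
    # %a = octal permission bits, %u = numeric owner
    set -- $(stat -c '%a %u' -- "$path")
    mode=$1
    owner=$2
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER    $path (uid $owner, expected $uid or 0)"
        exit 1
    fi
    # 022 = group-write | other-write; the leading 0 makes $mode octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path (mode $mode)"
        exit 1
    fi
)

# audit_strictmodes HOME_DIR [UID]: check the whole chain, report every finding.
audit_strictmodes() (
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    exit "$rc"
)

# Constructed demo tree reproducing the question: key file 600, home 775.
demo() (
    tmp=$(mktemp -d) || exit 1
    home=$tmp/home
    mkdir -p "$home/.ssh"
    : > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 775 "$home"
    echo "before:"
    audit_strictmodes "$home" || echo "-> key login would be refused"
    chmod g-w "$home"
    echo "after chmod g-w:"
    audit_strictmodes "$home" && echo "-> chain is acceptable"
    rm -rf "$tmp"
)

demo
```

On a real host, run `audit_strictmodes /home/<user> "$(id -u <user>)"` as root so the owner comparison uses the target account rather than the caller.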

79
MCQ · medium

Refer to the exhibit. A user reports that the /var directory is not accessible. The system administrator checks the logical volumes and notices that the 'var' logical volume is not activated. Which command should be used to activate it?

A. lvextend -L+10g vg0/var
B. lvchange -ay vg0/var
C. lvscan
D. lvcreate -a y vg0/var
Answer: B

The -ay option activates the logical volume.

Why this answer

The `lvchange -ay vg0/var` command activates the specified logical volume by setting its activation flag to 'y' (yes). This is the correct way to bring an inactive LVM logical volume online so that it can be mounted and accessed.

Exam trap

CompTIA often tests the distinction between commands that modify LVM objects (like `lvextend`, `lvcreate`) versus commands that manage state (like `lvchange`), leading candidates to confuse activation with resizing or creation.

How to eliminate wrong answers

Option A is wrong because `lvextend` is used to increase the size of a logical volume, not to change its activation state. Option C is wrong because `lvscan` only scans and displays the status of all logical volumes; it does not modify their activation state. Option D is wrong because `lvcreate` is used to create a new logical volume, and the `-a y` flag would attempt to create a new volume named 'var' in volume group 'vg0' rather than activating an existing one.

80
MCQ · hard

A system administrator is investigating why a particular process is not responding. They run strace on the process but get no output. What could be the most likely reason?

A. The process is already being traced by another strace instance.
B. The administrator does not have permission to trace that process.
C. The process is a kernel thread.
D. The process is a zombie process.
Answer: B

Non-root users need CAP_SYS_PTRACE or same UID. If not, strace attaches but gets no events, or fails silently depending on configuration.

Why this answer

The most likely reason strace produces no output is that the administrator lacks the necessary permissions to trace the process. By default, strace uses the ptrace system call, which requires either root privileges or the same user ID as the target process, and the process must not have the `dumpable` attribute set to 0 (e.g., via prctl(PR_SET_DUMPABLE, 0)). Without proper permissions, strace fails silently or returns an error like 'Operation not permitted' depending on the output configuration.

Exam trap

CompTIA often tests the misconception that strace always produces output or that permission issues result in a clear error message, when in fact strace may produce no output if stderr is not captured or if the process is non-dumpable.

How to eliminate wrong answers

Option A is wrong because if the process were already being traced by another strace instance, strace would typically report an error such as 'ptrace: Operation not permitted' or 'ptrace: Device or resource busy', not produce no output. Option C is wrong because kernel threads are not user-space processes and cannot be traced with strace; attempting to attach would result in an immediate error, not silent no output. Option D is wrong because a zombie process has already terminated and has no executable code to trace; strace would fail to attach with an error like 'No such process' or 'ESRCH'.

81
MCQ · hard

Refer to the exhibit. A remote user is unable to SSH to the server. Based on the journalctl output, what is the most likely cause?

A. The user is entering the wrong password
B. The SSH service is not running
C. The user's IP address is in the hosts.deny file
D. The SSH port is blocked by a firewall
Answer: A

Failed password attempt is logged.

Why this answer

The journalctl output shows 'Failed password for user' followed by 'Connection closed by authenticating user', which indicates that the SSH authentication process was attempted but failed due to an incorrect password. This log entry is generated by the SSH daemon (sshd) when a password authentication attempt fails, and the connection is subsequently closed. No other errors (e.g., connection refused, timeout, or denied by hosts.deny) are present, making incorrect password the most likely cause.

Exam trap

CompTIA often tests the distinction between authentication failures (password/keys) and connectivity failures (service down, firewall, hosts.deny) — the trap here is that candidates see 'Connection closed' and assume a firewall or hosts.deny block, but the 'Failed password' line clearly pinpoints the authentication phase.

How to eliminate wrong answers

Option B is wrong because if the SSH service were not running, the journalctl output would show 'Connection refused' or 'sshd[pid]: fatal: Cannot bind any address' errors, not a failed password attempt. Option C is wrong because if the user's IP were in hosts.deny, the log would show 'Connection closed by [IP]' with a 'refused connect' or 'denied by tcp_wrappers' message, not a password failure. Option D is wrong because a firewall blocking the SSH port would prevent any TCP connection to port 22, resulting in a 'Connection timed out' or 'No route to host' error from the client, not a failed password log on the server.

82
MCQ · medium

A newly configured DNS server is unable to resolve any queries from clients. The server is running and network connectivity is verified. What should the administrator check first?

A. Check /etc/resolv.conf on clients
B. Check if DNS service is bound to the loopback address
C. Check if the DNS service is listening on UDP port 53
D. Reboot the DNS server
Answer: C

If the service is not listening, queries cannot be answered.

Why this answer

The most common reason a DNS server fails to resolve queries despite being running and having network connectivity is that the DNS service is not listening on UDP port 53, which is the default port for DNS queries per RFC 1035. Checking this with a command like `ss -ulpn | grep :53` or `netstat -uan | grep :53` directly verifies whether the service is actually accepting incoming queries. This is the first logical step before investigating client-side configurations or rebooting.

Exam trap

The trap here is that candidates often jump to checking client-side resolv.conf or rebooting the server, overlooking the simple verification of whether the DNS service is actually listening on the correct port and protocol (UDP 53) as the first logical troubleshooting step.

How to eliminate wrong answers

Option A is wrong because /etc/resolv.conf on clients defines which DNS servers to query, but the issue is that the server itself cannot resolve queries, not that clients are misconfigured. Option B is wrong because checking if the DNS service is bound to the loopback address (127.0.0.1) would only matter if the server were meant to serve only localhost; the problem is about external queries failing, and binding to loopback would prevent external access, but the more fundamental check is whether the service is listening at all on the correct port. Option D is wrong because rebooting the server is a brute-force, non-diagnostic step that should only be considered after verifying service configuration and port availability; it does not identify the root cause.

83
MCQ · hard

A Linux administrator is troubleshooting network connectivity. The server can ping its own IP address but cannot ping the default gateway. The output of 'ip route show' is: 'default via 10.0.0.1 dev eth0 proto static metric 100'. The output of 'ping -c 1 10.0.0.1' fails with 'Destination Host Unreachable'. Which of the following is the MOST likely cause?

A. The eth0 interface is down.
B. The gateway is down or not responding.
C. The default gateway is not set.
D. The subnet mask on eth0 is incorrect, causing the gateway to be considered on a different network.
Answer: D

A wrong subnet mask can make the gateway appear on a different subnet, leading to 'unreachable'.

Why this answer

The server can ping its own IP address, confirming that the local network stack and the eth0 interface are operational. However, the 'Destination Host Unreachable' error when pinging the default gateway (10.0.0.1) indicates that the host does not have a valid route to that destination. Since the default route exists, the most likely cause is an incorrect subnet mask on eth0, which causes the kernel to treat the gateway as being on a different network, thus failing to send ARP requests or forward packets to it.

Exam trap

The trap here is that candidates often assume 'Destination Host Unreachable' always means the gateway is down, but in Linux this error specifically indicates the local host cannot find a layer-2 path to the destination, typically due to a subnet mask mismatch or missing ARP entry.

How to eliminate wrong answers

Option A is wrong because if eth0 were down, the server would not be able to ping its own IP address (127.0.0.1 or the interface IP) successfully, and 'ip route show' would not display a route via eth0. Option B is wrong because the error 'Destination Host Unreachable' is generated by the local host's kernel, not by the remote gateway; if the gateway were down or not responding, the error would be 'Request Timed Out' after ARP resolution succeeds. Option C is wrong because the output of 'ip route show' explicitly shows a default route via 10.0.0.1, so the default gateway is set.

84
MCQ · easy

A Linux service fails to start. Which command should the administrator use to examine recent system logs for error messages related to the service?

A. journalctl -xe
B. systemctl list-units
C. tail -f /var/log/messages
D. dmesg -T
Answer: A

Shows recent journal entries with explanations.

Why this answer

The `journalctl -xe` command is correct because it displays the systemd journal with the `-x` flag adding explanatory context to log entries and the `-e` flag jumping to the end of the log, showing the most recent messages. This is the standard way to examine recent system logs for error messages related to a failing service in a systemd-based Linux distribution.

Exam trap

The trap here is that candidates may choose `tail -f /var/log/messages` out of habit from older SysVinit systems, not realizing that systemd-based distributions (which the XK0-005 exam focuses on) use journald as the default logging system, making `journalctl` the correct tool for service-specific log examination.

How to eliminate wrong answers

Option B is wrong because `systemctl list-units` only lists active units and their states, not log messages or error details. Option C is wrong because `tail -f /var/log/messages` follows the traditional syslog file, but many modern distributions (e.g., RHEL 7+, Ubuntu 15.04+) use journald as the primary logging system, so this file may not contain the most recent or complete service logs. Option D is wrong because `dmesg -T` displays kernel ring buffer messages with human-readable timestamps, which are primarily for kernel and hardware-related events, not user-space service errors.

85
MCQ · medium

Refer to the exhibit. Users report they cannot SSH to the server. Based on the logs, what is the most likely cause?

A. Firewall is blocking port 22.
B. Host keys are missing or corrupted.
C. The SSH service is not running.
D. SSH configuration has incorrect permissions.
Answer: B

The error explicitly states 'Could not load host key' for multiple key files, leading to fatal error.

86
MCQ · medium

A cron job that runs a backup script at 2 AM has not been executing. The syslog shows no errors from cron. What is the most likely reason the job is not running?

A. The system time zone is incorrect
B. The filesystem is full
C. The cron daemon (crond) is not running
D. The script has incorrect permissions
Answer: C

Cron jobs require the daemon to be active.

Why this answer

The most likely reason is that the cron daemon (crond) is not running. Cron jobs are executed by the cron daemon, which must be active in the background to read the crontab files and launch scheduled tasks. If crond is stopped or not started, no cron jobs will run, and syslog may not show cron-related errors because the daemon is not logging activity.

Exam trap

The trap here is that candidates assume cron errors must appear in syslog if a job fails, but if the daemon itself is not running, there is no process to generate logs, making the absence of errors a key clue.

How to eliminate wrong answers

Option A is wrong because an incorrect system time zone would cause the job to run at the wrong local time, not prevent execution entirely; cron uses the system's configured time zone. Option B is wrong because a full filesystem would typically cause the script to fail with disk write errors, not prevent the cron daemon from attempting to execute the job. Option D is wrong because incorrect script permissions would cause the script to fail when executed, but cron would still attempt to run it and log an error in syslog or mail to the user.

87
Multi-Select · medium

Which THREE are valid methods to view logs in a systemd-based system?

Select 3 answers
A. cat /var/log/messages
B. journalctl
C. journalctl -u sshd
D. systemctl status sshd
E. dmesg
Answers: B, C, E

Displays the systemd journal.

Why this answer

B is correct because `journalctl` is the primary command for querying the systemd journal, which is the default logging system on systemd-based distributions. It provides structured, binary logs with advanced filtering, and is the direct equivalent of viewing logs via the journal.

Exam trap

The trap here is that candidates confuse `systemctl status` (which shows a brief log snippet) with a full log viewing method, or they assume legacy syslog files like `/var/log/messages` are always present and authoritative on systemd-based systems.

88
MCQ · hard

Refer to the exhibit. A backup script fails every 5 minutes. Which is the most likely cause?

A. The backup script lacks write permission to the destination directory or file.
B. The mount point /mnt/backup is not accessible.
C. The cron job is running too frequently, causing a race condition.
D. The backup script is not executable.
Answer: A

The log explicitly states 'Permission denied writing to /mnt/backup/backup.tar.gz'.

89
Matching · medium

Match each Linux access control mechanism to its description.

Concepts
Matches

Traditional file permissions (owner/group/other)

Fine-grained permissions for users/groups

Mandatory access control with policies

Path-based mandatory access control

Default permission mask for new files

Why these pairings

Linux supports multiple access control models.

90
Multi-Select · hard

A server crashed with a kernel panic. After reboot, the administrator wants to analyze the crash dump. Which THREE actions should be taken to ensure a valid core dump is captured and accessible? (Choose THREE.)

Select 3 answers
A. Configure a dump target in /etc/kdump.conf.
B. Enable and start the kdump service.
C. Set crashkernel=auto in the boot loader.
D. Install kernel-debuginfo packages.
E. Ensure /var/crash has a vmcore file.
Answers: A, B, C

The dump target (e.g., a partition or NFS mount) must be defined to write the core dump.

Why this answer

Option A is correct because /etc/kdump.conf specifies where the crash dump should be saved (e.g., to a local disk, NFS, or SSH target). Without a configured dump target, the kdump mechanism does not know where to write the vmcore file, making the dump inaccessible after a kernel panic.

Exam trap

The trap here is that candidates confuse post-crash verification (checking for a vmcore file) with pre-crash configuration steps, or they mistakenly think debuginfo packages are required for capturing the dump rather than for later analysis.

91
Multi-Select · hard

Which THREE of the following are valid methods to troubleshoot a service that fails to start?

Select 3 answers
A. Run the service executable manually from the command line to see error output.
B. Review the service logs using journalctl.
C. Check if the service's required dependencies are installed and running.
D. Run df -h to check disk space.
E. Reload the systemd daemon with systemctl daemon-reload.
Answers: A, B, C

Manual execution often gives direct error messages.

Why this answer

Option A is correct because running the service executable manually from the command line often reveals stderr output, error codes, or missing configuration details that are suppressed when the service is started by systemd. This direct execution bypasses the service manager's logging and can show immediate, unfiltered error messages that help pinpoint the failure reason.

Exam trap

The trap here is that candidates often confuse general system health commands (like `df -h`) with service-specific troubleshooting methods, or they think `systemctl daemon-reload` is a diagnostic step when it only reloads configuration without providing error details.

92
Multi-Select · medium

A systems administrator is troubleshooting a server that fails to boot and displays the error: 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)'. Which TWO of the following are most likely causes? (Choose two.)

Select 2 answers
A. Missing or misconfigured root filesystem in /etc/fstab
B. Faulty RAM
C. Corrupted initramfs image
D. Overwritten MBR
E. Incorrect boot loader configuration pointing to wrong kernel
Answers: A, C

Correct: If the root filesystem is missing or misconfigured, the kernel cannot mount it.

Why this answer

Option A is correct because the error 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates the kernel cannot locate or mount the root filesystem. A missing or misconfigured root filesystem entry in /etc/fstab (e.g., wrong device name, wrong UUID, or missing entry) prevents the kernel from mounting the root partition, leading to a kernel panic. The 'unknown-block(0,0)' specifically means the kernel cannot resolve the block device for the root filesystem.

Exam trap

The trap here is that candidates often confuse a boot loader misconfiguration (Option E) with a root filesystem issue, but the kernel must successfully load before a VFS error can occur, so the problem lies after boot loader execution.

93
MCQ · hard

A file server running RHEL 8 uses NFS to export directories. Clients report that they cannot mount an NFS share. The server's firewall is configured but NFS-related services are enabled. The administrator checks `exportfs -v` and sees the export is listed. Which service must be added to the firewall to allow NFS?

A. rpc-bind
B. nfs
C. samba
D. mountd
Answer: B

The nfs service is essential; adding it allows the NFS server port (2049).

Why this answer

Option B is correct because NFS on RHEL 8 requires the 'nfs' service to be added to the firewall to allow incoming NFS traffic. The 'nfs' service in firewalld opens TCP and UDP ports 2049, which is the standard port for NFSv4. Even though NFS-related services are enabled, the firewall must explicitly permit this port for clients to mount the share.

Exam trap

CompTIA often tests the misconception that 'mountd' is a valid firewalld service name, when in fact it must be configured as a custom port or covered by the 'nfs' service, leading candidates to select option D incorrectly.

How to eliminate wrong answers

Option A is wrong because 'rpc-bind' opens port 111 for RPC portmapper, which is needed for NFSv3 but not for NFSv4; the question does not specify NFS version, and RHEL 8 defaults to NFSv4, making 'nfs' the required service. Option C is wrong because 'samba' is used for SMB/CIFS file sharing, not NFS, and adding it would not allow NFS mounts. Option D is wrong because 'mountd' is not a standard firewalld service; the NFS mount protocol (rpc.mountd) uses a dynamically assigned port and is typically handled by adding the 'nfs' service or explicitly opening the port range, but 'mountd' as a service name is not valid in firewalld.

94
Multi-Select · hard

A network administrator needs to diagnose connectivity issues from a Linux server to a remote host. Which of the following tools can provide information about the path and latency? (Choose three.)

Select 3 answers
A. iproute
B. netstat
C. mtr
D. traceroute
E. ping
Answers: C, D, E

Combines ping and traceroute functionality.

Why this answer

C (mtr) is correct because it combines the functionality of traceroute and ping into a single diagnostic tool, continuously probing each hop along the path to a remote host and reporting both the route and real-time latency statistics. This makes it ideal for identifying where packet loss or high latency occurs along the network path.

Exam trap

The trap here is that candidates may think ping alone is sufficient for diagnosing path issues, but ping only tests end-to-end connectivity and latency to the final destination, not the performance of each intermediate hop, which is why mtr and traceroute are needed alongside ping.

95
Multi-Select · easy

A Linux system fails to boot with the error 'No bootable device found'. Which two troubleshooting steps should be taken? (Select TWO).

Select 2 answers
A. Check the SATA cable connections
B. Reinstall the kernel
C. Run fsck on the root filesystem
D. Verify the GRUB configuration
E. Check the boot order in BIOS/UEFI
Answers: D, E

Corrupted or missing GRUB can cause 'No bootable device' error.

Why this answer

The error 'No bootable device found' indicates that the system's BIOS/UEFI cannot locate a valid bootloader or operating system on any available storage device. Verifying the boot order in BIOS/UEFI (Option E) ensures that the correct disk is set as the first boot device, which is a common cause of this error. Checking the GRUB configuration (Option D) is also critical because if GRUB is missing, corrupted, or misconfigured, the system will not find a bootable kernel, even if the disk is correctly detected.

Exam trap

The trap here is that candidates often confuse filesystem corruption (fsck) or kernel issues with bootloader problems, but the 'No bootable device found' error specifically points to the firmware's inability to locate a bootable partition or bootloader, not to filesystem or kernel corruption.

96
MCQ · easy

A user attempts to run a command using sudo but receives 'user is not in the sudoers file. This incident will be reported.' Which file should be edited to grant the user sudo access?

A. Edit /etc/passwd directly
B. Edit /etc/group to add user to the wheel group
C. Edit /etc/shadow
D. Use visudo to edit /etc/sudoers
Answer: D

The proper way to grant sudo access.

Why this answer

The correct answer is D because the sudoers file, typically located at /etc/sudoers, controls which users and groups are permitted to run commands with sudo. The visudo command must be used to edit this file safely, as it performs syntax checking to prevent lockouts due to misconfiguration. Directly editing /etc/sudoers with a regular text editor can lead to syntax errors that break sudo functionality.

Exam trap

The trap here is that candidates may think adding a user to the wheel group (Option B) is sufficient, but without a corresponding entry in the sudoers file (e.g., '%wheel ALL=(ALL) ALL'), the group membership alone does not grant sudo privileges.

How to eliminate wrong answers

Option A is wrong because /etc/passwd stores user account information (like UID, home directory, shell) but does not contain sudo privileges; editing it would not grant sudo access. Option B is wrong because simply adding a user to the wheel group does not automatically grant sudo access unless the sudoers file contains an entry like '%wheel ALL=(ALL) ALL'; the group membership alone is insufficient. Option C is wrong because /etc/shadow stores encrypted password hashes and password aging information, not sudo permissions; editing it would not affect sudo access.

97
MCQ · hard

A Linux server experiences a kernel panic after a recent driver update. The system is still operational but unstable. Which command should be used to gather detailed information about the kernel modules currently loaded?

A. modinfo
B. lsmod
C. dmesg
D. modprobe -l
Answer: B

Lists all loaded kernel modules.

Why this answer

B is correct because `lsmod` lists all currently loaded kernel modules by reading the `/proc/modules` file, showing their size, usage count, and dependencies. In a kernel panic scenario after a driver update, this command quickly reveals which modules are active, helping identify the problematic driver without further destabilizing the system.

Exam trap

The trap here is that candidates confuse `lsmod` (runtime loaded modules) with `modinfo` (module metadata) or `dmesg` (kernel logs), or mistakenly think `modprobe -l` lists loaded modules when it actually lists available modules (and is deprecated).

How to eliminate wrong answers

Option A is wrong because `modinfo` displays detailed metadata about a specific kernel module (e.g., author, description, parameters), but it does not list currently loaded modules; it requires the module name as an argument and reads the module file, not runtime state. Option C is wrong because `dmesg` prints the kernel ring buffer messages, which can show panic logs and driver errors, but it does not list currently loaded modules; it is useful for post-mortem analysis but not for a real-time inventory of loaded modules. Option D is wrong because `modprobe -l` is not a valid option in modern Linux; `modprobe` is used to load or unload modules, and listing available modules is done with `modprobe -l` only in older versions (deprecated), but it lists all installable modules, not those currently loaded.

98
MCQ · hard

Refer to the exhibit. An administrator can SSH to the server but cannot ping 10.0.0.1. What is the most likely cause?

A. The destination host 10.0.0.1 is not responding to ping due to a firewall or ICMP being disabled on that host.
B. The ping is being blocked by the nftables output chain, which is not configured.
C. ICMP is blocked by the nftables input chain policy drop.
D. The destination host 10.0.0.1 does not have a route back.
Answer: A

The 'Destination Port Unreachable' message indicates the remote host received the ping but sent back an ICMP unreachable, likely because ping is disabled or filtered on that host.

99
Matching · medium

Match each Linux filesystem to its typical use case.

Concepts
Matches

General-purpose Linux filesystem

High-performance, scalable filesystem

Copy-on-write with snapshots

Temporary filesystem in RAM

Advanced filesystem with volume management

Why these pairings

These filesystems are commonly used in Linux environments.

100
Multi-Select · medium

A system administrator is troubleshooting a network issue where a server cannot reach external websites. The server can ping the default gateway and internal hosts. Which TWO commands should the administrator use to further diagnose the problem? (Choose TWO.)

Select 2 answers
A. nslookup google.com
B. route -n
C. ping 127.0.0.1
D. ifconfig eth0
E. traceroute 8.8.8.8
Answers: A, E

Tests DNS resolution; if it fails, that could be the reason for not reaching external sites by name.

Why this answer

The server can reach internal hosts and the default gateway, which rules out Layer 2/3 connectivity issues within the local network. However, it cannot reach external websites, suggesting a DNS resolution failure or a routing problem beyond the gateway. 'nslookup google.com' (A) tests DNS resolution by querying the configured DNS server for the IP address of google.com; if it fails, the issue is with DNS. 'traceroute 8.8.8.8' (E) traces the path to a known external IP (Google's public DNS), bypassing DNS, to determine if packets are being dropped or misrouted after the gateway.

Exam trap

The trap here is that candidates often choose 'route -n' (B) thinking it will show a missing default route, but since the server can ping the gateway, the default route is present; the real issue is either DNS or a routing problem beyond the first hop, which 'traceroute' (E) specifically addresses.

101
Multi-Selectmedium

Which TWO commands can be used to display the amount of free and used memory on a Linux system?

Select 2 answers
A.df -h
B.du -sh
C.free -h
D.cat /proc/meminfo
E.iostat
AnswersC, D

free displays memory usage in human-readable format.

Why this answer

The `free -h` command displays the total, used, and free physical memory (RAM) and swap space in a human-readable format. The `cat /proc/meminfo` command reads the kernel's memory statistics directly from the virtual filesystem, providing detailed information about memory usage, including free, available, buffered, and cached memory. Both commands are standard tools for inspecting memory utilization on a Linux system.

Exam trap

CompTIA often tests the distinction between disk space commands (`df`, `du`) and memory commands (`free`, `/proc/meminfo`), trapping candidates who confuse filesystem usage with RAM usage.

102
MCQhard

A system administrator installs a new application that is failing to write to its configuration file in /etc. SELinux is enforcing. Which command would show the relevant SELinux denials?

A.sealert
B.ausearch -m avc -ts recent
C.getenforce
D.audit2why
AnswerB

Correct: Searches audit log for SELinux denials.

Why this answer

The `ausearch -m avc -ts recent` command queries the audit log for AVC (Access Vector Cache) denial messages, which are the specific SELinux denials logged when a process is blocked from accessing a resource. This is the direct way to view recent SELinux denials in an enforcing mode environment, as it filters audit records by message type (AVC) and time range (recent).

Exam trap

CompTIA often tests the distinction between commands that show denials (ausearch) versus commands that interpret or explain denials (audit2why, sealert), leading candidates to pick a tool that requires the denial data as input rather than one that retrieves it directly.

How to eliminate wrong answers

Option A is wrong because `sealert` is a GUI tool that analyzes SELinux denial messages and provides human-readable explanations, but it does not directly show the raw denials from the audit log; it requires the denials to already be present in the audit log or to be run with a specific file. Option C is wrong because `getenforce` only displays the current SELinux mode (Enforcing, Permissive, or Disabled) and does not show any denial logs. Option D is wrong because `audit2why` interprets AVC denial messages from audit logs and explains why access was denied, but it does not show the denials themselves; it requires input from `ausearch` or a log file to function.

103
MCQmedium

Refer to the exhibit. The system log is not updating. What is the cause?

A.The syslog file size exceeded 1GB and was rotated.
B.The syslog file permissions are incorrect.
C.The root filesystem is almost full, leaving no space for log growth.
D.rsyslogd was restarted and lost its configuration.
AnswerC

df shows 95% usage on / and rsyslogd error states 'No space left on device'.

104
MCQmedium

A server is experiencing frequent kernel panics. The administrator wants to capture the crash dump for analysis. Which kernel parameter must be set to enable crash dumps?

A.panic=10
B.kdump_enabled=1
C.irqpoll
D.crashkernel=auto
AnswerD

This parameter allocates memory for the crash kernel so that a dump can be captured.

Why this answer

The `crashkernel=auto` kernel parameter is required to reserve a portion of system memory for the kdump mechanism, which captures a crash dump when a kernel panic occurs. Without this reserved memory, the crash dump cannot be written to disk because the kernel has no safe memory region to operate the dump capture kernel. This parameter is set in the bootloader configuration (e.g., GRUB) and is specific to the kdump service on Linux systems.

Exam trap

The trap here is that candidates confuse the kdump service configuration (e.g., enabling kdump via systemctl) with the required kernel boot parameter `crashkernel`, leading them to select `kdump_enabled=1` as if it were a kernel parameter.

How to eliminate wrong answers

Option A is wrong because `panic=10` sets a timeout in seconds after which the system automatically reboots on a kernel panic, but it does not enable crash dump capture. Option B is wrong because `kdump_enabled=1` is not a valid kernel parameter; the kdump service is controlled via systemd or init scripts, not a kernel boot parameter. Option C is wrong because `irqpoll` is a kernel parameter used to work around interrupt problems by polling IRQs, and it has no role in crash dump capture.

105
MCQeasy

A user reports that a Linux workstation fails to boot and displays 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)'. Which of the following is the most likely cause?

A.A filesystem listed in /etc/fstab has errors.
B.A memory module is faulty.
C.The boot loader is missing or corrupted.
D.The root filesystem device is incorrectly specified in the kernel command line.
AnswerD

The error 'unable to mount root fs' often means the root= parameter points to a nonexistent or wrong device.

Why this answer

The error 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates that the kernel cannot locate the root filesystem device. The most likely cause is that the root filesystem device is incorrectly specified in the kernel command line (e.g., via a bootloader parameter like root=), preventing the kernel from finding the correct block device to mount as root.

Exam trap

The trap here is that candidates often confuse a boot loader issue (which prevents kernel loading) with a kernel command line misconfiguration (which allows the kernel to load but fail to mount root), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because filesystem errors in /etc/fstab would typically cause a failure during the mount of additional filesystems after the root is already mounted, not a kernel panic at boot before the root filesystem is accessed. Option B is wrong because a faulty memory module usually causes random crashes, kernel panics with memory-related errors, or system instability, not a specific VFS root mount failure with unknown-block(0,0). Option C is wrong because a missing or corrupted boot loader would prevent the kernel from being loaded at all, resulting in a blank screen or a 'boot device not found' error, not a kernel panic after the kernel has started executing.

106
MCQhard

An application is being denied access to a file due to SELinux. Which command can be used to temporarily set the SELinux context of the file to match the expected type for the application?

A.chcon -t httpd_sys_content_t /var/www/html/index.html
B.setenforce 0
C.restorecon -v /var/www/html/index.html
D.semanage fcontext -a -t httpd_sys_content_t /var/www/html
AnswerA

Changes SELinux context to the specified type.

Why this answer

Option A is correct because the `chcon` command is used to temporarily change the SELinux context of a file without modifying the SELinux policy. By specifying `-t httpd_sys_content_t`, the file's type is set to the expected type for Apache (httpd) to access it, resolving the denial immediately. This change is not persistent across file system relabeling, making it ideal for temporary troubleshooting.

Exam trap

The trap here is that candidates confuse `chcon` (temporary, immediate change) with `restorecon` (reverts to policy default) or `semanage fcontext` (persistent policy rule that requires an extra step to apply), leading them to pick an option that either disables SELinux or does not immediately fix the file context.

How to eliminate wrong answers

Option B is wrong because `setenforce 0` disables SELinux entirely (sets it to permissive mode), which is a drastic measure that bypasses all SELinux protections rather than fixing the specific file context issue. Option C is wrong because `restorecon -v` restores the file's SELinux context to the default policy-defined type, which would only help if the current context is incorrect and the default matches the expected type; it does not set a custom type like `httpd_sys_content_t`. Option D is wrong because `semanage fcontext -a -t httpd_sys_content_t /var/www/html` adds a persistent rule to the SELinux policy for the file, but it does not immediately apply the context to the file; a subsequent `restorecon` or `touch` is required to activate the change, so it is not a temporary fix.

107
MCQeasy

A Linux administrator notices that the system clock is consistently 5 minutes behind the actual time. The administrator runs 'timedatectl' and sees 'NTP service: active'. Which of the following commands should be used to force an immediate time synchronization?

A.systemctl restart ntp
B.ntpdate -s time.google.com
C.systemctl restart chronyd
D.timedatectl set-ntp false && chronyd -q && timedatectl set-ntp true
AnswerD

Disabling NTP, forcing a one-time sync with chronyd -q, then re-enabling NTP is the correct procedure.

Why this answer

Option D is correct because it first disables NTP to stop the automatic synchronization, then runs chronyd in one-shot query mode (-q) to force an immediate sync with the configured NTP servers, and finally re-enables NTP to resume normal service. This approach works with chronyd, which is the default NTP implementation on modern RHEL/CentOS 8+ and many other distributions, and directly addresses the need for an immediate synchronization without waiting for the periodic polling interval.

Exam trap

The trap here is that candidates assume 'systemctl restart chronyd' (Option C) will immediately sync the clock, but it only restarts the daemon without forcing a poll, so the 5-minute lag remains until the next scheduled update; CompTIA often tests the distinction between restarting a service and triggering an immediate action.

How to eliminate wrong answers

Option A is wrong because 'systemctl restart ntp' targets the legacy 'ntpd' service, which is not the active NTP service when chronyd is in use; the output shows 'NTP service: active' but does not specify the daemon, and on modern systems chronyd is the default, so restarting ntpd would have no effect or could conflict. Option B is wrong because 'ntpdate' is deprecated and often not installed by default; it also bypasses the running NTP service and can cause clock stepping that may disrupt applications, and it does not integrate with the active chronyd or ntpd configuration. Option C is wrong because 'systemctl restart chronyd' restarts the daemon but does not force an immediate synchronization; chronyd will still wait for its next scheduled poll (typically 64–1024 seconds), so the 5-minute lag would persist until the next automatic update.

108
MCQhard

A technician runs the command `sudo lvdisplay /dev/vg_root/lv_root` and sees the output in the exhibit. The server fails to mount the root filesystem during boot. Which of the following should the technician do first?

A.Run `fsck /dev/vg_root/lv_root` to check the filesystem.
B.Run `lvchange -ay /dev/vg_root/lv_root` to activate the logical volume.
C.Run `vgchange -ay` to activate the volume group.
D.Run `mount /dev/vg_root/lv_root /mnt` to mount the volume.
AnswerB

Correct: The LV status is 'NOT available'; this command activates it for use.

Why this answer

The `lvdisplay` output shows the logical volume is present but its 'LV Status' is likely 'NOT available' (not shown in the exhibit but implied by the boot failure). The root filesystem cannot mount because the logical volume is inactive. The first corrective step is to activate it with `lvchange -ay /dev/vg_root/lv_root`, which makes the LV accessible to the kernel for mounting.

Exam trap

The trap here is that candidates assume a filesystem check (fsck) is always the first step for a mount failure, but LVM-specific issues like an inactive logical volume must be resolved before any filesystem-level operations can succeed.

How to eliminate wrong answers

Option A is wrong because running `fsck` on an inactive logical volume will fail or cause corruption; the filesystem must be active and accessible before checking. Option C is wrong because `vgchange -ay` activates all volume groups, which is unnecessary and could interfere with other LVM states; the issue is isolated to a single LV, so targeting it with `lvchange` is more precise. Option D is wrong because `mount` will fail if the logical volume is inactive; the LV must be activated first before any mount attempt.

109
Drag & Dropmedium

Drag and drop the steps to configure SELinux to allow a custom web application to listen on port 8080 in the correct order.

Why this order

SELinux requires adding the port to the appropriate context before the service can listen.

110
MCQmedium

A user reports that the /data directory is inaccessible. The Linux administrator runs the commands shown in the exhibit. Which of the following is the most likely cause of the issue?

A.The user does not have read permissions on /data.
B.The filesystem is full and has become corrupted.
C.The device /dev/sdb1 is not present.
D.The filesystem is mounted as read-only.
AnswerB

100% usage can lead to corruption; the I/O error indicates filesystem issues.

Why this answer

The 'Input/output error' when accessing /data, combined with the 'Structure needs cleaning' message from dmesg, indicates filesystem corruption on /dev/sdb1. This is a classic symptom of a full filesystem that has become corrupted, not a simple permission or mount issue. The administrator's inability to read or write to the directory, despite the mount appearing normal, points to underlying filesystem damage.

Exam trap

The trap here is that candidates see 'Input/output error' and assume a hardware failure or missing device, but the combination of the mount showing the device as present and the dmesg message pointing to filesystem corruption is the key diagnostic clue.

How to eliminate wrong answers

Option A is wrong because the error message is 'Input/output error', not 'Permission denied', and the user's lack of read permissions would produce a different error. Option C is wrong because the mount command shows /dev/sdb1 is present and mounted on /data, so the device exists. Option D is wrong because the mount output shows 'rw' (read-write) in the mount options, and a read-only mount would produce a 'Read-only file system' error, not an I/O error.

111
Multi-Selecthard

Which THREE steps should be taken when diagnosing a network connectivity issue where a host cannot reach the internet but can ping the local gateway? (Select three.)

Select 3 answers
A.Examine the routing table with route -n
B.Review firewall rules with iptables -L
C.Check ARP cache for the gateway
D.Run traceroute to a known external IP
E.Check DNS resolution with nslookup
AnswersA, B, E

Check default route configuration.

Why this answer

Option A is correct because the `route -n` command displays the kernel routing table without resolving hostnames, allowing you to verify whether a default gateway route (0.0.0.0/0) exists. If the host can ping the local gateway but not the internet, a missing or incorrect default route is a common cause, as traffic to external networks would have no path to forward.

Exam trap

The trap here is that candidates assume a successful ping to the gateway proves Layer 3 routing is fully functional, but they overlook that the host may lack a default route, which is a distinct routing table entry separate from gateway reachability.

112
MCQmedium

A system administrator is troubleshooting a service that fails to start with the error 'Unit failed to load: Invalid argument'. The service file is located in /etc/systemd/system. What is the most likely cause?

A.The service binary is missing
B.The service file has a syntax error
C.The service requires a dependency that is not installed
D.The service is masked
AnswerB

Syntax errors in the unit file cause 'Invalid argument' error.

Why this answer

The error 'Unit failed to load: Invalid argument' in systemd indicates that the unit file parser encountered a directive or value it could not interpret. This is most commonly caused by a syntax error in the service file, such as a misspelled key, an invalid setting, or a malformed line. Systemd validates the file structure against its grammar; any deviation triggers this specific error.

Exam trap

The trap here is that candidates often confuse runtime errors (like missing binaries or dependencies) with parsing errors, but the specific 'Invalid argument' message points directly to a syntax or configuration issue within the unit file itself.

How to eliminate wrong answers

Option A is wrong because a missing service binary would cause a different error, such as 'Exec format error' or 'Unit not found' when trying to execute the binary, not a parsing failure. Option C is wrong because a missing dependency typically results in 'dependency failed' or 'unit not found' errors, not an 'Invalid argument' syntax error. Option D is wrong because a masked service produces 'Unit is masked' or 'Failed to start unit: Unit is masked' errors, not a syntax-level parsing failure.

113
MCQeasy

A user reports that their system fails to boot and displays a 'GRUB' prompt. Which command should be run first to attempt to load the operating system manually?

A.rescue
B.reboot
C.boot
D.exit
AnswerC

'boot' at the GRUB prompt loads the selected kernel.

Why this answer

When the system boots to a GRUB prompt, it means the bootloader has loaded but cannot find or automatically load the operating system. The `boot` command at the GRUB prompt instructs GRUB to attempt to boot the currently configured kernel and initramfs, which is the correct first step to manually load the OS.

Exam trap

The trap here is that candidates confuse the GRUB prompt with a system rescue shell and try to use system-level commands like `reboot` or `exit`, not realizing that GRUB has its own command set where `boot` is the correct action to load the OS.

How to eliminate wrong answers

Option A is wrong because `rescue` is not a valid GRUB command; it is a mode in systemd or anaconda, not used at the GRUB prompt. Option B is wrong because `reboot` is a system command, not a GRUB command; at the GRUB prompt, you would use `reboot` only after exiting GRUB or from the OS shell. Option D is wrong because `exit` in GRUB returns to the previous menu or the BIOS/UEFI boot selection, but does not attempt to load the operating system.

114
Drag & Dropmedium

Drag and drop the steps to add a new user to the system in the correct order.

Why this order

Adding a user typically involves creating the user, setting a password, and configuring the home directory.

115
MCQeasy

A service fails to start and journalctl shows 'Permission denied'. What should the administrator check first?

A.Package integrity
B.DNS resolution
C.Firewall rules
D.SELinux contexts and file permissions
AnswerD

SELinux contexts are a common cause of permission denied errors for services.

Why this answer

The 'Permission denied' error in journalctl for a service failure typically indicates that the service process lacks the necessary permissions to access a file, directory, or resource. SELinux contexts and file permissions are the most common causes, as SELinux enforces mandatory access controls (MAC) that can block access even when standard Unix permissions are correct. Checking these first aligns with the troubleshooting principle of verifying access controls before other layers like network or package integrity.

Exam trap

The trap here is that candidates often jump to firewall rules or package integrity because they associate 'Permission denied' with network or installation issues, but the XK0-005 exam specifically tests SELinux and file permission troubleshooting for service startup failures.

How to eliminate wrong answers

Option A is wrong because package integrity issues (e.g., corrupted RPM database or missing files) would typically produce errors like 'File not found' or checksum mismatches, not 'Permission denied'. Option B is wrong because DNS resolution failures cause 'Name or service not known' or timeout errors, not permission-related denials. Option C is wrong because firewall rules block network traffic at the packet level, producing 'Connection refused' or 'No route to host' errors, not 'Permission denied' which is a local filesystem or security context issue.

116
MCQhard

A user reports that their home directory is missing after a system reboot. The /home partition is listed in /etc/fstab with an incorrect UUID. What is the most likely outcome?

A.The system will boot normally and mount /home using the device name
B.The system will prompt the user to enter the correct UUID
C.The system will boot but fail to mount /home
D.The system will fail to boot entirely
AnswerD

Incorrect root UUID would cause boot failure; for /home, boot continues.

Why this answer

When /etc/fstab contains an incorrect UUID for the /home partition, the systemd-based boot process (or traditional init) will attempt to mount the partition using that UUID. If the UUID does not match any block device, the mount fails. Because /home is not listed with the 'nofail' option in fstab, the boot process treats this as a critical failure and drops into an emergency shell or fails to complete boot, preventing normal login.

Option D is correct because an incorrect UUID for a required filesystem causes a boot failure, not a partial mount or a prompt.

Exam trap

CompTIA often tests the misconception that a missing or incorrect UUID only affects the specific mount point, leading candidates to choose 'boot but fail to mount /home' (Option C), when in fact the default behavior is to halt the boot process entirely for required filesystems.

How to eliminate wrong answers

Option A is wrong because the system does not fall back to mounting by device name; fstab entries with UUID= take precedence, and if the UUID is invalid, the mount fails outright. Option B is wrong because Linux does not prompt for a UUID during boot; the boot process either succeeds or fails based on fstab, with no interactive correction mechanism. Option C is wrong because while the system may boot partially, the missing /home mount is considered a critical failure (unless 'nofail' is set), causing the boot to halt or drop to emergency mode, not simply continue without mounting.

117
MCQeasy

A Linux server with the IP address 192.168.1.100 is unable to communicate with other hosts on the same subnet 192.168.1.0/24. The administrator can ping the loopback address, but pinging 192.168.1.1 (the default gateway) fails. The output of `ip a` shows the eth0 interface has the correct IP and netmask. Which troubleshooting step should be performed next?

A.Check the ARP cache with arp -a.
B.Replace the network cable.
C.Restart the network service.
D.Check the routing table with ip route.
AnswerD

The routing table will show if a default gateway is configured; missing gateway causes failure to reach local gateway.

Why this answer

Since the server has the correct IP and netmask on eth0 but cannot ping the default gateway (192.168.1.1), the issue likely lies in the routing configuration. The `ip route` command displays the kernel routing table, including the default gateway entry; if the default route is missing or incorrect, traffic cannot reach the gateway. Checking the routing table is the logical next step before assuming physical or ARP-level problems.

Exam trap

CompTIA often tests the misconception that a correct IP and netmask guarantee connectivity, leading candidates to jump to ARP or physical-layer checks, when the real issue is a missing or incorrect default route in the routing table.

How to eliminate wrong answers

Option A is wrong because checking the ARP cache (`arp -a`) would only be useful if the server had a valid route to the gateway but the MAC address resolution failed; here, the ping fails entirely, indicating a routing or connectivity issue, not an ARP resolution problem. Option B is wrong because replacing the network cable is a physical-layer troubleshooting step that should be performed only after verifying that the interface is up and has a link (e.g., via `ip link` or `ethtool`); the question states the interface has the correct IP, suggesting the link is likely up. Option C is wrong because restarting the network service is a disruptive, shotgun approach that may temporarily reset configurations but does not diagnose the root cause; it should be reserved for cases where configuration changes have been made or the service is misbehaving, not as a first diagnostic step.

118
Multi-Selecthard

A Linux server is experiencing intermittent connectivity issues. The administrator reviews the system logs and finds the following messages: 'NETDEV WATCHDOG: eth0: transmit queue 0 timed out'. Which THREE actions are likely to resolve this issue? (Choose three.)

Select 3 answers
A.Disable NIC offloading features using 'ethtool -K eth0 tx off sg off'.
B.Update the network interface card (NIC) driver to the latest version.
C.Increase the transmit queue length using 'ifconfig eth0 txqueuelen 10000'.
D.Change the MTU on the interface to 9000.
E.Replace the NIC with a known good one.
AnswersA, B, E

Offloading can cause driver bugs; disabling it may stabilize the interface.

Why this answer

Option A is correct because the 'NETDEV WATCHDOG: eth0: transmit queue 0 timed out' error often indicates that the NIC's hardware offloading features (such as TCP segmentation offload, scatter-gather) are causing the driver to hang or fail to complete transmissions. Disabling these offloads with 'ethtool -K eth0 tx off sg off' forces the CPU to handle packet segmentation and reduces the load on the NIC, which can resolve the timeout.

Exam trap

The trap here is that candidates may confuse transmit queue timeout with a simple buffer exhaustion issue and incorrectly choose to increase the transmit queue length (option C), when the real cause is a driver or hardware fault that requires disabling offloads, updating the driver, or replacing the NIC.

119
MCQeasy

A user cannot write to a directory that has permissions 755. The user is not the owner but belongs to the group. Which command would allow the user to write?

A.chmod 770 /directory
B.chmod 755 /directory
C.chmod 777 /directory
D.chmod 700 /directory
AnswerA

770 adds write permission for the group, allowing the user to write.

Why this answer

The directory currently has permissions 755, meaning the owner has rwx (7), the group has r-x (5), and others have r-x (5). Since the user belongs to the group but is not the owner, they need group write permission. The chmod 770 command sets the group permission to rwx (7), granting the user write access while preserving owner and group ownership semantics.

Exam trap

The trap here is that candidates may choose chmod 777 thinking it is the only way to grant write access, overlooking that the user is already in the group and only group write permission is needed.

How to eliminate wrong answers

Option B is wrong because chmod 755 sets group permission to r-x (5), which does not include write permission, so the user still cannot write. Option C is wrong because chmod 777 grants write permission to everyone (owner, group, and others), which is overly permissive and violates the principle of least privilege; it would work but is not the minimal correct solution. Option D is wrong because chmod 700 sets group permission to --- (0), removing all group access, which would prevent the user from even reading or executing the directory.

120
MCQmedium

A server's root filesystem is 100% full according to df -h. Which command should the administrator use to locate large files?

A.ls -la /
B.fdisk -l
C.du -sh /*
D.find / -size +100M
AnswerC

Shows sizes of top-level directories.

Why this answer

The `du -sh /*` command calculates disk usage for each top-level directory and file under `/`, summarizing the total in human-readable format. This directly identifies which directories or files consume the most space, allowing the administrator to pinpoint the cause of the 100% full root filesystem.

Exam trap

CompTIA often tests the distinction between listing files (`ls`) and measuring disk usage (`du`), trapping candidates who think `ls -la` shows file sizes that reflect actual disk consumption, ignoring that `ls` reports logical size while `du` reports physical blocks allocated.

How to eliminate wrong answers

Option A is wrong because `ls -la /` lists the names and metadata of files and directories in the root, but does not show their disk usage or size recursively, making it impossible to locate large files efficiently. Option B is wrong because `fdisk -l` displays partition table information (e.g., device names, sizes, types) and does not report file-level disk usage or locate large files. Option D is wrong because `find / -size +100M` searches for files larger than 100 MB, but it may miss large files that are exactly 100 MB or smaller, and it does not aggregate usage by directory, which is less efficient for identifying the primary space consumer on a full filesystem.

121
MCQmedium

A system administrator is troubleshooting a server running Ubuntu 20.04 that cannot establish outbound SSH connections. The server can ping external IP addresses and resolve hostnames. The administrator tries `ssh user@remotehost` and gets 'Connection timed out'. The firewall (ufw) is active. Which step should be taken?

A.Check the SSH client configuration in /etc/ssh/ssh_config.
B.Restart the networking service.
C.Allow output traffic on port 22 with ufw allow out 22/tcp.
D.Disable the firewall with ufw disable.
AnswerC

Explicitly allowing outbound SSH traffic resolves the timeout while maintaining security.

Why this answer

The server can ping external IPs and resolve hostnames, so networking and DNS are working. The issue is that outbound SSH traffic on port 22 is being blocked by the active UFW firewall. The correct step is to allow outbound TCP traffic on port 22 using `ufw allow out 22/tcp`, which permits the client to initiate SSH connections to remote hosts.

Exam trap

The trap here is that candidates assume SSH issues are always server-side (e.g., checking SSH server config or restarting services) and overlook that the local firewall's outbound policy can block client-initiated connections even when inbound rules are correctly configured.

How to eliminate wrong answers

Option A is wrong because `/etc/ssh/ssh_config` controls client-side SSH settings (like preferred ciphers or host key checking), not firewall rules; a misconfigured client would produce a different error (e.g., 'Permission denied' or 'No route to host'), not a timeout. Option B is wrong because restarting the networking service would not resolve a firewall block; the server already has functional network connectivity (ping and DNS work), so the issue is at the packet filter level. Option D is wrong because disabling the entire firewall is an overly broad and insecure solution; the correct approach is to add a specific outbound allow rule for port 22/tcp rather than removing all firewall protection.

122
MCQmedium

A database server is running slow. The administrator uses iostat and notices high await times on the disk. Which of the following best explains the implication of high await?

A. The CPU is waiting too long for memory access.
B. Disk I/O requests are taking a long time to complete.
C. The disk is almost full, causing fragmentation.
D. The network filesystem is experiencing latency.
Answer: B

Await includes queue time and service time; high values mean the disk is slow or overloaded.

Why this answer

In iostat, 'await' measures the average time (in milliseconds) for I/O requests to be served by the disk, including time spent in the queue and the actual service time. A high await value indicates that disk I/O requests are taking a long time to complete, which directly explains the database server's slowness due to disk latency.

Exam trap

The trap here is that candidates confuse 'await' with CPU wait time (iowait) or assume it directly indicates disk fullness, when in fact await is a pure I/O completion latency metric that can be high due to queueing, slow media, or controller issues.

How to eliminate wrong answers

Option A is wrong because high await in iostat is a disk metric, not a memory metric; CPU waiting for memory access is indicated by high 'wait' or 'st' in CPU stats, not await. Option C is wrong because a nearly full disk can cause fragmentation, but fragmentation primarily increases seek time and is not directly measured by await; await reflects overall request completion time, which can be high due to many factors beyond fragmentation. Option D is wrong because network filesystem latency would be captured by network-specific metrics (e.g., nfsiostat, netstat) or by iostat if the disk is a remote block device, but await on a local disk does not imply network latency.

123
Multi-Select · easy

Which TWO commands can be used to display the current kernel version on a Linux system?

Select 2 answers
A. modinfo
B. uname -r
C. cat /proc/version
D. lsmod
E. dmesg
Answers: B, C

Shows kernel release.

Why this answer

The `uname -r` command displays the kernel release version, which is the standard way to quickly check the current kernel version. The `cat /proc/version` command reads the /proc/version file, which contains a string that includes the kernel version, compiler information, and build date, making it another reliable method to view the kernel version.

Exam trap

CompTIA often tests the distinction between commands that display kernel version (`uname -r`, `/proc/version`) versus commands that show kernel module information (`lsmod`, `modinfo`) or boot logs (`dmesg`), leading candidates to confuse related but incorrect options.

124
MCQ · hard

A custom udev rule for a new USB device is not being applied. The rule file is correctly placed in /etc/udev/rules.d/ with .rules extension. What is the most likely cause?

A. The rule file is not executable
B. The rule uses a wrong attribute or value
C. The device is not recognized by the kernel
D. The rule file is in a subdirectory
Answer: B

Use 'udevadm info' to get correct attributes for matching.

Why this answer

The most likely cause is that the rule uses a wrong attribute or value. Udev rules are matched against device attributes (e.g., vendor ID, product ID, subsystem) exposed by the kernel via sysfs. If the rule specifies an incorrect attribute name, a typo in a value, or a mismatch with the actual device properties, the rule will not trigger.

Since the file is correctly placed and named, the failure is almost always due to a mismatch in the matching criteria.

Exam trap

The trap here is that candidates often assume the rule file must be executable or that the device is not recognized, but the XK0-005 exam tests the understanding that udev rule matching is attribute-driven and that incorrect attribute values are the most common cause of non-application.

How to eliminate wrong answers

Option A is wrong because udev rule files do not need the executable permission; they are read by udev as configuration files, not executed as scripts. Option C is wrong because if the device were not recognized by the kernel, it would not appear in sysfs or generate a uevent, but the question states the rule is not being applied, implying the device is present but the rule fails to match. Option D is wrong because udev does not scan subdirectories; placing the rule file in a subdirectory would cause it to be ignored entirely, but the question explicitly states the file is correctly placed in /etc/udev/rules.d/.

125
MCQ · easy

A system administrator needs to find out which process is using a particular file. Which command should they use?

A. fuser /path/to/file
B. lsof /path/to/file
C. ps aux | grep file
D. stat /path/to/file
Answer: B

lsof lists all open files and the processes that opened them.

Why this answer

The `lsof` command (list open files) is the correct tool because it displays information about files opened by processes, including the specific file path. When given a file path, `lsof` lists the PID and process name that currently have that file open, directly answering the administrator's need.

Exam trap

The trap here is that candidates may confuse `fuser` with `lsof` because both can identify processes using a file, but `lsof` provides more comprehensive output and is the standard tool for detailed process-to-file mapping in the XK0-005 exam.

How to eliminate wrong answers

Option A is wrong because `fuser` identifies processes using a file or socket, but it does not provide the detailed process information (like command name) that `lsof` does; `fuser` is more suited for identifying PIDs to kill processes. Option C is wrong because `ps aux | grep file` searches for the string 'file' in the process list, which may match process names or arguments containing 'file' but does not reliably identify which process has a specific file open; it relies on grep pattern matching, not kernel-level file descriptor tracking. Option D is wrong because `stat` displays file metadata (size, permissions, timestamps) and does not show which processes are using the file.

126
MCQ · medium

A system administrator notices that the root filesystem is at 95% capacity. Which command should be used to identify the directories consuming the most space?

A. df -h
B. du -sh /*
C. fdisk -l
D. ls -la /
Answer: B

Shows size of each top-level directory.

Why this answer

B is correct because `du -sh /*` calculates disk usage for each top-level directory under root, showing human-readable sizes. This directly identifies which directories consume the most space, allowing the administrator to pinpoint the source of the 95% capacity issue.

Exam trap

The trap here is that candidates often confuse `df -h` (filesystem-level overview) with `du -sh` (directory-level detail), mistakenly thinking `df` can pinpoint which directories are consuming space.

How to eliminate wrong answers

Option A is wrong because `df -h` shows filesystem-level disk usage (capacity, used, available) but does not drill down into directories to identify which ones are consuming space. Option C is wrong because `fdisk -l` lists partition tables and disk geometry, not directory-level disk usage. Option D is wrong because `ls -la /` lists file names, permissions, and metadata but does not calculate or display the actual disk space consumed by each directory.
