Sample questions
CompTIA Linux+ XK0-005 practice questions
Drag and drop the steps to mount a new filesystem in the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to troubleshoot a network connectivity issue using common commands in the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to create and apply a systemd service unit in the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to set up a cron job that runs a script daily in the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to recover a forgotten root password in single-user mode in the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to configure SELinux to allow a custom web application to listen on port 8080 in the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
A system administrator wants to create a new user and set a password in a single command as part of a provisioning script. Which command accomplishes this?
Trap 1: passwd user1 password
passwd does not accept password as argument.
Trap 2: useradd -m -p password user1
-p expects encrypted password.
Trap 3: usermod -p password user1
usermod does not set password.
- A
passwd user1 password
Why wrong: passwd does not accept password as argument.
- B
echo 'user1:password' | chpasswd
correctly reads from stdin.
- C
useradd -m -p password user1
Why wrong: -p expects encrypted password.
- D
usermod -p password user1
Why wrong: usermod does not set password.
A developer wants to run a container with a specific command that overrides the default entrypoint. Which Docker command should be used?
Trap 1: docker run myimage /bin/bash
Only overrides CMD, not ENTRYPOINT.
Trap 2: docker exec myimage /bin/bash
Runs in existing container.
Trap 3: docker start myimage /bin/bash
start does not accept command.
- A
docker run myimage /bin/bash
Why wrong: Only overrides CMD, not ENTRYPOINT.
- B
docker exec myimage /bin/bash
Why wrong: Runs in existing container.
- C
docker run --entrypoint /bin/bash myimage
Overrides ENTRYPOINT.
- D
docker start myimage /bin/bash
Why wrong: start does not accept command.
A cloud engineer needs to automate the deployment of a new virtual machine with a specific configuration using Ansible. Which file format is typically used for Ansible playbooks?
Trap 1: JSON
Not typical for playbooks.
Trap 2: XML
Not used.
Trap 3: INI
Used for inventory.
- A
JSON
Why wrong: Not typical for playbooks.
- B
YAML
Standard for playbooks.
- C
XML
Why wrong: Not used.
- D
INI
Why wrong: Used for inventory.
A systems administrator wants to build a custom Docker image from a Dockerfile located in the current directory. Which command should be used?
Trap 1: docker create .
Creates container.
Trap 2: docker commit .
Creates from container.
Trap 3: docker image build .
Alternative, but docker build is standard.
- A
docker create .
Why wrong: Creates container.
- B
docker commit .
Why wrong: Creates from container.
- C
docker build .
Builds from Dockerfile.
- D
docker image build .
Why wrong: Alternative, but docker build is standard.
A development team uses Git for version control and wants to automate the testing of every commit pushed to the repository. They have a Jenkins server running on a Linux machine. The team wants to automatically trigger a Jenkins pipeline job whenever a push is made to the main branch of their Git repository. The Jenkins server is behind a firewall and cannot be accessed from the internet. The Git repository is hosted on a private GitHub repository. Which of the following is the best approach to trigger the Jenkins job automatically?
Trap 1: Have developers manually click 'Build Now' in Jenkins after each…
Not automated.
Trap 2: Configure a GitHub webhook to send a POST request to the Jenkins…
Jenkins is not reachable from internet.
Trap 3: Set up a cron job on the Git server to execute a script that…
Git server is external and not under admin control.
- A
Have developers manually click 'Build Now' in Jenkins after each push.
Why wrong: Not automated.
- B
Configure Jenkins to poll the Git repository every minute for changes.
Works behind firewall.
- C
Configure a GitHub webhook to send a POST request to the Jenkins server.
Why wrong: Jenkins is not reachable from internet.
- D
Set up a cron job on the Git server to execute a script that triggers Jenkins.
Why wrong: Git server is external and not under admin control.
An administrator is troubleshooting a web server that is running under SELinux enforcing mode. The web content is located in a non-standard directory /webfiles. Using the standard SELinux context 'httpd_sys_content_t', the files are still inaccessible. Which command will properly set the context recursively and persist across relabels?
Trap 1: chcon -R -t httpd_sys_content_t /webfiles
chcon changes context immediately but does not persist across file system relabels (e.g., after restorecon -R /).
Trap 2: setenforce 0
This disables SELinux enforcement, which is not a proper solution and reduces security.
Trap 3: restorecon -Rv /webfiles
restorecon only resets context to the default; if no default rule exists for /webfiles, it does nothing.
- A
semanage fcontext -a -t httpd_sys_content_t '/webfiles(/.*)?' ; restorecon -Rv /webfiles
semanage adds the context rule to the policy, and restorecon applies it recursively. This persists across relabels.
- B
chcon -R -t httpd_sys_content_t /webfiles
Why wrong: chcon changes context immediately but does not persist across file system relabels (e.g., after restorecon -R /).
- C
setenforce 0
Why wrong: This disables SELinux enforcement, which is not a proper solution and reduces security.
- D
restorecon -Rv /webfiles
Why wrong: restorecon only resets context to the default; if no default rule exists for /webfiles, it does nothing.
A Linux administrator needs to check which process is using the most memory on a system. The administrator wants to view dynamically updating list of processes sorted by memory usage. Which command should the administrator use?
Trap 1: ps aux --sort=-%mem
ps gives a one-time snapshot, not real-time updates.
Trap 2: htop -s MEM
htop is not always installed by default and the option -s is not standard for sorting; top is more universal.
Trap 3: vmstat 1 5
vmstat provides system-wide virtual memory statistics, not per process.
- A
ps aux --sort=-%mem
Why wrong: ps gives a one-time snapshot, not real-time updates.
- B
top -o %MEM
top with -o sorts by the specified field and updates dynamically.
- C
htop -s MEM
Why wrong: htop is not always installed by default and the option -s is not standard for sorting; top is more universal.
- D
vmstat 1 5
Why wrong: vmstat provides system-wide virtual memory statistics, not per process.
An AppArmor profile for a web server is in complain mode. After testing, the administrator wants to enforce the profile. Which command accomplishes this?
Trap 1: apparmor_parser -r /etc/apparmor.d/usr.sbin.httpd
Reloads profile but does not change mode.
Trap 2: aa-complain /etc/apparmor.d/usr.sbin.httpd
aa-complain sets to complain mode.
Trap 3: aa-status /etc/apparmor.d/usr.sbin.httpd
aa-status shows status, does not change mode.
- A
apparmor_parser -r /etc/apparmor.d/usr.sbin.httpd
Why wrong: Reloads profile but does not change mode.
- B
aa-enforce /etc/apparmor.d/usr.sbin.httpd
Correct command.
- C
aa-complain /etc/apparmor.d/usr.sbin.httpd
Why wrong: aa-complain sets to complain mode.
- D
aa-status /etc/apparmor.d/usr.sbin.httpd
Why wrong: aa-status shows status, does not change mode.
An administrator notices that a non-root user 'alice' can run commands as root without being in the sudoers file. Which group membership could allow this?
Trap 1: admin
admin group is rarely used for sudo; wheel is more common.
Trap 2: root
Being in root group does not grant sudo by default.
Trap 3: sudo
Some distributions use a 'sudo' group, but wheel is standard in many.
- A
admin
Why wrong: admin group is rarely used for sudo; wheel is more common.
- B
wheel
Members of wheel group often have sudo privileges.
- C
root
Why wrong: Being in root group does not grant sudo by default.
- D
sudo
Why wrong: Some distributions use a 'sudo' group, but wheel is standard in many.
An administrator wants to generate a self-signed certificate and private key for testing. Which command creates both in one step?
Trap 1: openssl genrsa -out key.pem 2048
Only generates a key, not a certificate.
Trap 2: openssl req -new -x509 -days 365 -key key.pem -out cert.pem
Requires an existing key.
Trap 3: openssl x509 -req -in req.pem -signkey key.pem -out cert.pem
Requires a CSR.
- A
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Generates key and certificate in one command.
- B
openssl genrsa -out key.pem 2048
Why wrong: Only generates a key, not a certificate.
- C
openssl req -new -x509 -days 365 -key key.pem -out cert.pem
Why wrong: Requires an existing key.
- D
openssl x509 -req -in req.pem -signkey key.pem -out cert.pem
Why wrong: Requires a CSR.
An administrator needs to prevent a specific user 'bob' from logging in via SSH while allowing other users. Which configuration directive should be added to /etc/ssh/sshd_config?
Trap 1: PermitRootLogin no
This affects root only.
Trap 2: DenyUsers bob
DenyUsers is a valid directive but not as common in exam context; AllowUsers is more typical.
Trap 3: AllowUsers bob
This would allow bob, not deny him.
- A
AllowUsers alice charlie
By listing other users, bob is implicitly denied.
- B
PermitRootLogin no
Why wrong: This affects root only.
- C
DenyUsers bob
Why wrong: DenyUsers is a valid directive but not as common in exam context; AllowUsers is more typical.
- D
AllowUsers bob
Why wrong: This would allow bob, not deny him.
A Linux administrator needs to implement password complexity rules requiring at least one uppercase letter, one digit, and a minimum length of 10 characters. Which two PAM configuration entries would be used? (Choose TWO.)
Trap 1: password required pam_pwhistory.so use_authtok
Enforces password history, not complexity.
Trap 2: password required pam_unix.so
Handles password update but does not enforce complexity.
Trap 3: auth required pam_faillock.so
Manages account lockout, not complexity.
- A
password required pam_pwhistory.so use_authtok
Why wrong: Enforces password history, not complexity.
- B
password required pam_unix.so
Why wrong: Handles password update but does not enforce complexity.
- C
password requisite pam_pwquality.so minlen=10 ucredit=1 dcredit=1
Enforces minimum length and requires uppercase and digit.
- D
auth required pam_faillock.so
Why wrong: Manages account lockout, not complexity.
- E
password requisite pam_pwquality.so enforce_for_root
Why wrong: Enforces for root, but missing complexity parameters.
An administrator needs to add a script to be executed daily. The script is placed at /etc/cron.daily/myscript. After placing the script, it does not run. Based on the exhibit, what is the most likely issue?
Exhibit
Refer to the exhibit. ``` $ ls -l /etc/cron.daily/ total 8 -rwxr-xr-x 1 root root 245 Mar 10 10:00 logrotate -rwxr-xr-x 1 root root 123 Mar 10 10:00 syscheck ```
Trap 1: The script is owned by the wrong user
It should be owned by root, like the others.
Trap 2: The cron daemon is not running
If cron were not running, none of the daily scripts would run.
Trap 3: The script is not listed in /etc/crontab
cron.daily scripts are run automatically; no entry needed.
- A
The script is owned by the wrong user
Why wrong: It should be owned by root, like the others.
- B
The cron daemon is not running
Why wrong: If cron were not running, none of the daily scripts would run.
- C
The script is not executable
Scripts must have execute permission to be run by run-parts.
- D
The script is not listed in /etc/crontab
Why wrong: cron.daily scripts are run automatically; no entry needed.
- E
Anacron is not installed
Why wrong: Anacron is for systems that are not running 24/7, but cron.daily would still run.
A server with multiple disks is configured with RAID 5 for performance and redundancy. The administrator notices that write performance is lower than expected. Which RAID level would provide better write performance while still offering fault tolerance with the same number of disks (minimum 4)?
Trap 1: RAID 0
RAID 0 offers no fault tolerance; any disk failure causes data loss.
Trap 2: RAID 6
RAID 6 uses dual parity, resulting in lower write performance than RAID 5 due to additional parity calculations.
Trap 3: RAID 1
RAID 1 provides fault tolerance but writes are slower than RAID 10 because data must be written to all mirrors synchronously.
- A
RAID 0
Why wrong: RAID 0 offers no fault tolerance; any disk failure causes data loss.
- B
RAID 6
Why wrong: RAID 6 uses dual parity, resulting in lower write performance than RAID 5 due to additional parity calculations.
- C
RAID 10
RAID 10 combines striping and mirroring, providing high write performance and fault tolerance.
- D
RAID 1
Why wrong: RAID 1 provides fault tolerance but writes are slower than RAID 10 because data must be written to all mirrors synchronously.
A user reports that they cannot reach a website. The administrator wants to check the path that packets take to the destination server. Which command should be used?
Trap 1: ip addr
ip addr shows IP addresses on the local host.
Trap 2: ss
ss shows socket statistics, not routing path.
Trap 3: ping
ping only tests connectivity, not the path.
- A
ip addr
Why wrong: ip addr shows IP addresses on the local host.
- B
ss
Why wrong: ss shows socket statistics, not routing path.
- C
traceroute
traceroute shows the hop-by-hop path to the destination.
- D
ping
Why wrong: ping only tests connectivity, not the path.
Which TWO conditions must be met for a user to successfully delete a file owned by a different user in a directory? (Choose two.)
Trap 1: The user has write permission on the file
File permissions are not considered for deletion of the file.
Trap 2: The user is the owner of the file
Ownership of the file is not required.
Trap 3: The user is a member of the group that owns the directory
Group membership is only relevant if the directory's group permissions allow.
- A
The user has write permission on the file
Why wrong: File permissions are not considered for deletion of the file.
- B
The user has write permission on the directory
Write permission on the directory is required to delete entries.
- C
The user has execute permission on the directory
Execute permission is needed to access the directory.
- D
The user is the owner of the file
Why wrong: Ownership of the file is not required.
- E
The user is a member of the group that owns the directory
Why wrong: Group membership is only relevant if the directory's group permissions allow.
A security audit reveals that a service is running with an incorrect SELinux context. Which two commands can be used to relabel the file or directory to the correct context? (Choose TWO.)
Trap 1: setenforce 0
Disables enforcement, does not change context.
Trap 2: fixfiles relabel
Relabels entire filesystem, not targeted.
Trap 3: ls -Z
Displays context, does not change it.
- A
setenforce 0
Why wrong: Disables enforcement, does not change context.
- B
restorecon -R /path/to/file
Restores default SELinux context.
- C
chcon -t httpd_sys_content_t /path/to/file
Manually sets the context type.
- D
fixfiles relabel
Why wrong: Relabels entire filesystem, not targeted.
- E
ls -Z
Why wrong: Displays context, does not change it.
An administrator needs to generate a self-signed certificate and private key for an internal web server. Which OpenSSL command creates both in one step?
Trap 1: openssl ca -in req.pem -out cert.pem
Requires CA setup.
Trap 2: openssl genrsa -out key.pem 2048 && openssl req -new -x509 -key…
Works but two steps; question asks for one step.
Trap 3: openssl x509 -req -in req.pem -signkey key.pem -out cert.pem
Requires existing CSR and key.
- A
openssl ca -in req.pem -out cert.pem
Why wrong: Requires CA setup.
- B
openssl genrsa -out key.pem 2048 && openssl req -new -x509 -key key.pem -out cert.pem -days 365
Why wrong: Works but two steps; question asks for one step.
- C
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Correct: -x509 for self-signed, -newkey generates key, -keyout and -out output files.
- D
openssl x509 -req -in req.pem -signkey key.pem -out cert.pem
Why wrong: Requires existing CSR and key.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.