Linux Professional Institute Certification Level 2 LPIC-2 (LPIC-2) — Questions 376450

511 questions total · 7pages · All types, answers revealed

Page 5

Page 6 of 7

Page 7
376
MCQeasy

The DHCP client lease file shows a lease for 192.168.1.100. If the client fails to contact the original DHCP server by the rebind time (12:00), what will occur?

A.The client will continue to use the address until the expire time without any further attempts.
B.The client will immediately release the address.
C.The client will rebind with a new IP address from any server.
D.The client will attempt to contact any DHCP server to extend the lease.
AnswerD

After rebind, the client broadcasts to any DHCP server for a lease extension.

Why this answer

When a DHCP client reaches the rebind time (T2, default 87.5% of lease duration) without contacting the original server, it enters the REBINDING state. In this state, the client broadcasts a DHCPREQUEST to any available DHCP server to extend the lease. Option D correctly describes this behavior, as defined in RFC 2131.

Exam trap

The trap here is confusing the rebind time (T2) with the expire time (T3), leading candidates to think the client releases or stops using the address immediately, when in fact it broadcasts to any server for a lease extension.

How to eliminate wrong answers

Option A is wrong because the client does not passively wait until expiration; it actively attempts to rebind with any server after the rebind time. Option B is wrong because the client only releases the address at the expire time (T3), not at the rebind time. Option C is wrong because the client does not request a new IP address; it requests an extension of its current lease (same IP) from any responding server.

377
MCQeasy

A new user needs access to a Samba share. The administrator adds the user to the system with `adduser alice` and then sets up a Samba password. Which command is used to set the Samba password?

A.passwd -a alice
B.smbpasswd -a alice
C.pdbedit -a -u alice
D.net ads user add alice
AnswerB

-a adds a new Samba user and prompts for a password.

Why this answer

The correct command is `smbpasswd -a alice`. This command adds a new user to the Samba password database and sets their initial Samba password. The `-a` flag specifically indicates that the user should be added to the local Samba user database (smbpasswd file or tdbsam), which is required before the user can authenticate to Samba shares.

Exam trap

The trap here is that candidates confuse the Linux system password command (`passwd`) with the Samba-specific password command (`smbpasswd`), or mistakenly think `pdbedit` is the primary tool for setting a password interactively, when in fact `pdbedit` is more for managing the database entries and `smbpasswd` is the standard interactive tool for setting passwords.

How to eliminate wrong answers

Option A is wrong because `passwd -a alice` is not a valid command; `passwd` is used to change local Linux system passwords, not Samba passwords, and the `-a` flag does not exist for `passwd`. Option C is wrong because `pdbedit -a -u alice` is used to add or modify a user in the Samba password database, but it does not set the password interactively; it requires a separate `-t` option or a password hash, and is typically used for bulk or scripted operations, not for initial password assignment. Option D is wrong because `net ads user add alice` is used to add a user to an Active Directory domain, not to set a Samba password for a local Samba user; it is part of the `net ads` tool for domain integration.

378
MCQmedium

A company's security policy requires that all members of the 'developers' group be able to run the command 'systemctl restart httpd' as root using sudo, without being prompted for a password. Which sudoers entry achieves this?

A.%developers ALL=(root) /usr/bin/systemctl restart httpd
B.%developers ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
C.developers ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
D.%developers ALL=(root) NOPASSWD: {/usr/bin/systemctl restart httpd}
E.%developers ALL=(0) NOPASSWD: /usr/bin/systemctl restart httpd
AnswerB

Correct syntax: group, hosts, runas, NOPASSWD, command.

Why this answer

Option C is correct. The syntax '%group ALL=(root) NOPASSWD: command' grants passwordless sudo to all group members. Option A has incorrect syntax (missing NOPASSWD), B uses a numeric UID but does not specify passwordless, D uses a wrong group name, and E is syntactically incorrect with curly braces.

379
MCQeasy

What is the purpose of the 'idmap config * : backend = tdb2' line?

A.It sets the default identity mapping backend to tdb2.
B.It specifies the security mode as user.
C.It defines the default domain for Samba.
D.It enables the winbind cache.
AnswerA

The backend for the * (default) domain is set to tdb2.

Why this answer

The 'idmap config * : backend = tdb2' line in Samba's smb.conf configures the default identity mapping backend for all domains not explicitly specified. The asterisk (*) acts as a wildcard representing any domain, and 'tdb2' is a high-performance, clustered-aware database backend that stores mappings between Windows SIDs and Unix UIDs/GIDs. This ensures that when a user or group from an unspecified domain is encountered, Samba uses tdb2 to manage the ID mapping, making option A correct.

Exam trap

The trap here is that candidates often confuse the wildcard '*' in idmap config with a domain-specific setting, thinking it applies only to a domain named '*', or they mistakenly associate it with security modes or domain definitions, rather than recognizing it as the default backend for all unspecified domains.

How to eliminate wrong answers

Option B is wrong because 'idmap config' lines are unrelated to security modes; the security mode (e.g., user, ads, domain) is set via the 'security' parameter in the [global] section, not through identity mapping configuration. Option C is wrong because defining the default domain for Samba is done with the 'workgroup' parameter or 'realm' for Active Directory, not with an idmap configuration line. Option D is wrong because enabling the winbind cache is controlled by parameters like 'winbind cache time' or 'winbind enum users/groups', not by the idmap backend setting.

380
Multi-Selecteasy

Which two of the following are valid methods to authenticate with OpenVPN? (Select two.)

Select 2 answers
A.LDAP
B.RADIUS
C.NIS
D.Static key
E.TLS/SSL certificates
AnswersD, E

Static key authentication uses a pre-shared key between client and server.

Why this answer

OpenVPN supports static key and TLS/SSL certificates as native authentication methods. LDAP and RADIUS can be used via plugins but are not native. NIS is not supported.

381
MCQhard

An AppArmor profile for a database server is too restrictive and denies legitimate queries. The administrator wants to learn the required accesses by running the application in complain mode. Which command puts the profile into complain mode?

A.aa-complain /etc/apparmor.d/usr.sbin.mysqld
B.aa-disable /etc/apparmor.d/usr.sbin.mysqld
C.aa-enforce /etc/apparmor.d/usr.sbin.mysqld
D.aa-log /etc/apparmor.d/usr.sbin.mysqld
AnswerA

Puts the profile in complain mode, logging violations without blocking.

Why this answer

Option A is correct because 'aa-complain /path/to/profile' sets the profile to complain mode. Option B is wrong because 'aa-enforce' sets enforce mode. Option C is wrong because 'aa-disable' disables the profile.

Option D is wrong because 'aa-log' is not a standard AppArmor command.

382
MCQmedium

An administrator wants to compile a new kernel module that is not yet in the tree. What file should be referenced to ensure the module is built with the same configuration as the current kernel?

A./proc/config.gz
B./boot/config-5.10.0-9-amd64
C./boot/System.map-5.10.0-9-amd64
D./boot/initrd.img-5.10.0-9-amd64
AnswerB

The config file stores all kernel configuration options used to build the kernel.

Why this answer

Option B is correct because /boot/config-5.10.0-9-amd64 contains the exact kernel configuration used to build the currently running kernel. When compiling a new kernel module, referencing this file (typically via 'make oldconfig' or copying it to the source tree as .config) ensures the module is built with the same set of options, such as enabled features, drivers, and module parameters, preventing incompatibilities.

Exam trap

The trap here is that candidates confuse /proc/config.gz with a reliable configuration source, not realizing it is optional and may be absent, while /boot/config-* is the standard, always-present file on Debian-based systems.

How to eliminate wrong answers

Option A is wrong because /proc/config.gz is a compressed representation of the current kernel's configuration, but it is only available if the kernel was built with CONFIG_IKCONFIG_PROC enabled; it is not a guaranteed file on all systems and is not the standard reference file for building modules. Option C is wrong because /boot/System.map-5.10.0-9-amd64 contains kernel symbol addresses used for debugging and resolving kernel oopses, not the kernel build configuration. Option D is wrong because /boot/initrd.img-5.10.0-9-amd64 is an initial ramdisk image used during boot to load necessary drivers and mount the root filesystem, and it has no role in providing kernel build configuration.

383
MCQeasy

Which of the following is a valid NTP configuration file directive to specify a broadcast client?

A.peer
B.server
C.broadcast
D.broadcastclient
AnswerD

Correct directive for broadcast client.

Why this answer

Option D is correct because the `broadcastclient` directive in an NTP configuration file instructs the NTP daemon to listen for NTP broadcast messages on the local network. This is the standard way to configure a client to synchronize time from a broadcast server without specifying individual server addresses.

Exam trap

The trap here is that candidates confuse the server-side `broadcast` directive with the client-side `broadcastclient` directive, assuming the same keyword applies to both roles.

How to eliminate wrong answers

Option A is wrong because `peer` configures symmetric active association for mutual time synchronization between two NTP servers, not for a client listening to broadcasts. Option B is wrong because `server` specifies a unicast NTP server address for direct client-server polling, not a broadcast client mode. Option C is wrong because `broadcast` is used on the server side to enable sending NTP broadcast packets, not on the client side to receive them.

384
MCQmedium

Based on the iptables output, what is the expected behavior for incoming SSH connections on eth0?

A.SSH connections are only allowed if they are part of an established connection.
B.SSH connections from any source to port 22 on eth0 are allowed if they are new.
C.SSH connections are dropped because the default policy is DROP.
D.SSH connections are only allowed from the loopback interface.
AnswerB

The rule matches new SSH connections on eth0.

Why this answer

The iptables output shows a rule on the INPUT chain for eth0 that accepts TCP packets destined for port 22 (SSH) with the state NEW. This means that any incoming SSH connection attempt (SYN packet) that is not part of an existing connection is explicitly allowed. The default policy for the INPUT chain is ACCEPT (not shown as DROP), so even without this rule, SSH would be allowed, but the rule ensures it is explicitly permitted for new connections.

Exam trap

The trap here is that candidates may assume the default policy is DROP (a common security practice) and overlook the explicit ACCEPT rule for NEW SSH connections, or they may confuse the NEW state with ESTABLISHED, thinking that only existing connections are allowed.

How to eliminate wrong answers

Option A is wrong because the rule specifically matches the NEW state, not ESTABLISHED; established connections are handled by a separate rule (not shown) or the default policy. Option C is wrong because the default policy is ACCEPT (as indicated by the chain policy being ACCEPT in the output), not DROP, so SSH connections are not dropped by default. Option D is wrong because the rule applies to eth0, not the loopback interface (lo); there is no restriction to loopback, and SSH on eth0 is explicitly allowed.

385
MCQeasy

A Linux administrator notices that a newly added disk /dev/sdc is not recognized by the system. Which command should be used to rescan the SCSI bus without rebooting?

A.echo 'scan' > /proc/scsi/scsi
B.blockdev --rereadpt /dev/sdc
C.service scsi restart
D.echo '- - -' > /sys/class/scsi_host/host0/scan
AnswerD

Writing '- - -' performs a full SCSI bus rescan without reboot.

Why this answer

Option B is correct because writing '- - -' to the scan file triggers a bus rescan. Option A writes 'scan' to /proc/scsi/scsi, which is obsolete. Option C reads the partition table.

Option D attempts to restart a non-existent SCSI service.

386
MCQmedium

An administrator wants to allow user 'john' to execute any command as root without a password. Which sudoers entry is correct?

A.john ALL=(ALL) NOPASSWD:ALL
B.john ALL=(ALL) NOPASSWD:/bin/ls
C.john ALL=(ALL) ALL
D.john ALL=(ALL) PASSWD:ALL
AnswerA

This allows john to run any command as any user without a password.

Why this answer

The correct entry is 'john ALL=(ALL) NOPASSWD:ALL', which allows john to run any command as any user without a password. Option A requires a password. Option C restricts to a specific command.

Option D requires a password.

387
MCQeasy

The administrator wants to create a RAID 1 array using /dev/sdb1 and /dev/sdc1, then create a filesystem and mount it at /mnt/raid1. Which command sequence should be used first?

A.mkfs.ext4 /dev/md0
B.mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdc1
C.pvcreate /dev/sdb1 /dev/sdc1
D.fdisk /dev/sdb && fdisk /dev/sdc
AnswerB

Creates RAID 1 array from two partitions.

Why this answer

Option B is correct because the first step in creating a RAID 1 array is to assemble the underlying block devices into a RAID device using mdadm. The command `mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdc1` initializes the RAID metadata and creates the array at /dev/md0. Only after the array is created can a filesystem be built on it and then mounted.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking they can format the array before it exists, or they mistakenly apply LVM or partitioning commands when the devices are already prepared as partitions.

How to eliminate wrong answers

Option A is wrong because mkfs.ext4 attempts to create a filesystem on /dev/md0, but the RAID device does not exist yet; the array must be created first. Option C is wrong because pvcreate is used to prepare physical volumes for LVM, not for creating a RAID array; it would be appropriate only if the goal were to use LVM on top of RAID. Option D is wrong because fdisk is used for partitioning disks, but the question states that /dev/sdb1 and /dev/sdc1 are already partitions; repartitioning them is unnecessary and would destroy existing data or partition tables.

388
MCQhard

An administrator is designing a high-availability storage solution using DRBD. The requirement is to have two nodes with synchronous replication and automatic failover in case of primary node failure. Which configuration best achieves this?

A.Export the DRBD block device via NFS and use a load balancer.
B.Primary/Secondary DRBD resource with manual failover using drbdadm.
C.DRBD with Heartbeat to automatically promote the secondary on primary failure.
D.DRBD in Primary/Primary mode managed by Pacemaker cluster stack.
AnswerD

Allows both nodes active and automatic failover via Pacemaker.

Why this answer

Option D is correct because DRBD in Primary/Primary mode, managed by the Pacemaker cluster stack, provides synchronous replication and automatic failover. Pacemaker monitors node health and can promote the secondary node to primary automatically upon primary failure, meeting the high-availability requirement without manual intervention.

Exam trap

The trap here is that candidates often assume Heartbeat is sufficient for automatic failover, but Pacemaker is the modern, recommended cluster stack that supports Primary/Primary DRBD and provides proper fencing and resource management.

How to eliminate wrong answers

Option A is wrong because exporting DRBD via NFS and using a load balancer does not provide automatic failover of the DRBD resource itself; NFS adds a single point of failure and the load balancer cannot handle DRBD state transitions. Option B is wrong because manual failover using drbdadm requires human intervention, which violates the automatic failover requirement. Option C is wrong because Heartbeat alone is a legacy cluster manager that lacks the advanced resource management and fencing capabilities of Pacemaker; while it can promote the secondary, it does not support Primary/Primary mode and is not the recommended stack for modern DRBD high-availability setups.

389
MCQmedium

Which directive in ntp.conf enables the NTP server to respond to queries from clients?

A.broadcast
B.peer
C.restrict
D.server
AnswerC

Controls client access via restrict rules.

Why this answer

The `restrict` directive in ntp.conf controls access to the NTP server, including whether it responds to client queries. By default, NTP servers restrict all access; adding a `restrict` line with the `nomodify` and `notrap` flags (or no restrictive flags) allows clients to query the server. Option C is correct because `restrict` is the directive that explicitly permits or denies NTP queries from clients.

Exam trap

The trap here is that candidates confuse `server` (which configures the local daemon as a client to an upstream server) with the directive that controls whether the local daemon responds to clients, when in fact `restrict` is the access control mechanism.

How to eliminate wrong answers

Option A is wrong because `broadcast` configures the NTP server to send broadcast or multicast packets to clients, not to respond to client queries; it is a one-way announcement mode. Option B is wrong because `peer` configures symmetric active association with another NTP server for mutual synchronization, not to respond to client queries. Option D is wrong because `server` configures the local NTP daemon to synchronize to an upstream NTP server, not to respond to client queries.

390
Multi-Selecteasy

A system administrator needs to create a RAID 10 array using four disks: /dev/sdb, /dev/sdc, /dev/sdd, /dev/sde. Which TWO commands correctly achieve this?

Select 2 answers
A.mdadm --create /dev/md0 --level=10 --raid-devices=4 /dev/sdb /dev/sdc /dev/sdd /dev/sde
B.mdadm --create /dev/md0 --level=1 --raid-devices=4 /dev/sdb /dev/sdc /dev/sdd /dev/sde
C.mdadm --create /dev/md0 --level=raid10 --raid-devices=4 /dev/sdb /dev/sdc /dev/sdd /dev/sde
D.mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/sdb /dev/sdc --add /dev/md1
E.mdadm --create /dev/md0 --level=10 --raid-devices=2 /dev/sdb /dev/sdc
AnswersA, C

Correct: Numeric level 10 with 4 devices creates RAID 10.

Why this answer

Options A and D both correctly create a RAID 10 array with the required four devices. Option A uses the numeric level '10', while option D uses the name 'raid10'. Option B creates a RAID 1 (mirroring) array, not RAID 10.

Option C has an invalid syntax (using --add incorrectly). Option E only specifies two devices, which is insufficient for RAID 10.

391
MCQmedium

An organization runs a critical application on a Linux server that stores its data on a 500GB LVM logical volume named /dev/vg_data/lv_app. The application must remain operational with minimal disruption, so unmounting the volume is not acceptable. The administrator needs to create a full backup of the logical volume to an external 1TB USB drive attached via eSATA. The backup must capture a point-in-time consistent state of the filesystem. The logical volume is formatted with XFS. Which of the following procedures best achieves this goal while minimizing downtime?

A.Unmount the logical volume, use tar to create an archive on the USB drive, then remount the volume.
B.Use dd to clone the logical volume directly to the USB drive while the volume is mounted.
C.Create an LVM snapshot volume and then use cp -a to copy the snapshot volume's contents directly without mounting.
D.Create an LVM snapshot volume of /dev/vg_data/lv_app, mount the snapshot to a temporary directory, and use rsync to copy the data to the USB drive.
AnswerD

The snapshot is consistent, mounting it does not affect the live volume, and rsync ensures accurate copying.

Why this answer

Option C is correct because creating an LVM snapshot provides a point-in-time consistent view of the volume, mounting the snapshot avoids downtime, and rsync is a reliable tool for copying data while preserving metadata. Option A (dd) risks inconsistency because the volume is mounted. Option B requires unmounting, causing unacceptable downtime.

Option D (cp) is less reliable for preserving all attributes and does not leverage the snapshot's benefits properly.

392
MCQmedium

A company has a server with two network interfaces: eth0 (public IP) and eth1 (private IP). The administrator wants to allow SSH from the public network only. Which iptables rule set achieves this?

A.iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -i eth1 -p tcp --dport 22 -j DROP
B.iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
C.iptables -A INPUT -p tcp --dport 22 -j DROP; iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
D.iptables -A INPUT -p tcp --dport 22 -j DROP
AnswerA

This allows SSH on eth0 and drops on eth1.

Why this answer

Option A is correct because it explicitly allows SSH (TCP port 22) traffic arriving on the public interface (eth0) and then drops SSH traffic on the private interface (eth1). This ensures SSH is only accessible from the public network while blocking it on the private network. The order of rules matters: the ACCEPT rule for eth0 must come before any default DROP policy or later rules that might affect it.

Exam trap

The trap here is that candidates often forget that iptables rules are evaluated in order, so placing a broad DROP rule before a specific ACCEPT rule will cause the DROP to match first, inadvertently blocking the intended traffic.

How to eliminate wrong answers

Option B is wrong because it only adds an ACCEPT rule for SSH on eth0, leaving the default policy (typically ACCEPT) to allow SSH on eth1 as well, thus not restricting SSH to the public network only. Option C is wrong because the first rule drops all SSH traffic regardless of interface, and the second rule attempts to accept SSH on eth0, but due to iptables' first-match order, the DROP rule will match first for all SSH packets (including those on eth0), effectively blocking SSH everywhere. Option D is wrong because it drops all SSH traffic on all interfaces, completely blocking SSH access from both public and private networks.

393
Multi-Selecthard

Which THREE statements about Samba's 'net' command are true? (Choose three.)

Select 3 answers
A.net ads join joins the server to an Active Directory domain
B.net conf drop drops all database connections
C.net usershare add creates a user-defined share
D.net rpc info displays domain information from a Windows NT4-style domain
E.net share lists shares on the local Samba server
AnswersA, C, D

Correct usage for AD join.

Why this answer

Option A is correct because 'net ads join' is the Samba command used to join a Linux server to an Active Directory domain, leveraging the Kerberos and LDAP protocols to authenticate and register the server as a domain member. This is a core function for integrating Samba with modern Windows domains.

Exam trap

LPI often tests the distinction between 'net share' (remote share listing via RPC) and 'net usershare list' (local user-defined shares), leading candidates to incorrectly assume 'net share' works locally.

394
MCQhard

After rebooting, the bridge br0 does not forward traffic between eth0 and eth1. Which configuration is most likely missing?

A.bridge_stp on
B.bridge_fd 0
C.bridge_maxwait 10
D.up ip link set br0 up
AnswerB

Setting the forwarding delay to 0 disables the STP listening/learning phases, allowing immediate forwarding.

Why this answer

The bridge br0 is not forwarding traffic because the default bridge forward delay (bridge_fd) is too long, causing the bridge to remain in a blocking state while waiting for STP convergence. Setting bridge_fd 0 disables the forward delay, allowing the bridge to start forwarding immediately after boot. This is essential when STP is not needed or when the bridge must be operational without delay.

Exam trap

The trap here is that candidates often assume the bridge is down or needs STP enabled, but the real issue is the forward delay timer blocking traffic immediately after boot, which is a subtle but common misconfiguration in Linux bridging.

How to eliminate wrong answers

Option A is wrong because bridge_stp on enables Spanning Tree Protocol, which actually introduces a forward delay (default 15 seconds) and would not cause the bridge to fail forwarding; it would only delay it. Option C is wrong because bridge_maxwait is not a standard bridge configuration parameter; the correct parameter for maximum wait time is maxwait, but it controls the delay before the bridge starts, not the forward delay. Option D is wrong because up ip link set br0 up is a command to bring the interface up, but the bridge is already up after reboot; the issue is that the bridge is not forwarding due to the forward delay, not that it is down.

395
MCQmedium

A security analyst wants to capture only TCP packets with the SYN flag set to identify connection attempts. Which tcpdump filter expression accomplishes this?

A.tcp[tcpflags] & tcp-syn != 0
B.tcp[13] & 2 != 0
C.tcp[13] & 0x02 != 0
D.Both B and C are correct.
AnswerD

Both expressions correctly filter for the SYN flag.

Why this answer

Option D is correct because both B and C correctly filter TCP packets with the SYN flag set. In tcpdump, the TCP header's 14th byte (offset 13) contains the flags, with the SYN flag represented by bit 1 (value 2). Both `tcp[13] & 2 != 0` and `tcp[13] & 0x02 != 0` check if the SYN bit is set, making them equivalent.

Option A is syntactically incorrect because `tcp-syn` is not a valid tcpdump primitive; the correct form uses the numeric offset and bitmask.

Exam trap

The trap here is that candidates often assume `tcp-syn` is a valid tcpdump filter keyword (like `icmp` or `arp`), but tcpdump does not define symbolic names for individual TCP flags, requiring the use of raw byte offsets and bitmasks instead.

How to eliminate wrong answers

Option A is wrong because `tcp[tcpflags] & tcp-syn != 0` uses an invalid reference: `tcpflags` is not a defined tcpdump keyword, and `tcp-syn` is not a recognized constant, so this expression will cause a syntax error or fail to parse. Option B is wrong because it is actually correct — `tcp[13] & 2 != 0` correctly checks the SYN flag (bit 1) at byte offset 13. Option C is wrong because it is also correct — `tcp[13] & 0x02 != 0` is the hexadecimal equivalent of option B and works identically.

Therefore, only options B and C are correct, making D the right choice.

396
MCQmedium

Refer to the exhibit. A security audit reveals that the server is not blocking SSH connections from unauthorized networks. What is the most likely cause?

A.The FORWARD chain is DROP, blocking all forwarded traffic.
B.The SSH rule uses --dport 22 but missing source IP restriction, allowing all sources.
C.The default policy for INPUT is DROP, which should block all, but SSH works due to the ESTABLISHED,RELATED rule.
D.The SSH rule does not restrict source IP, so it allows all incoming SSH connections.
AnswerD

Without a source IP limitation, the rule permits SSH from any IP address.

Why this answer

The SSH rule (-A INPUT -p tcp --dport 22 -j ACCEPT) does not restrict the source IP, so it allows SSH from any IP. The default policy is DROP, but the SSH rule overrides for all sources. Other options are incorrect.

397
MCQmedium

A Linux router needs to forward DHCP broadcasts from clients on subnet 192.168.1.0/24 (eth0) to a DHCP server at 10.0.0.5. Which command starts a DHCP relay agent?

A.dhcrelay -i eth0 10.0.0.5
B.dhcpd -cf /etc/dhcp/dhcpd.conf
C.iptables -A INPUT -i eth0 -p udp --dport 67 -j REDIRECT
D.dnsmasq -i eth0
AnswerA

Standard DHCP relay agent command.

Why this answer

The correct command is `dhcrelay -i eth0 10.0.0.5`. This starts the DHCP relay agent (ISC DHCP relay) on interface eth0, listening for DHCP broadcast packets (UDP port 67) from clients on subnet 192.168.1.0/24 and forwarding them as unicast to the DHCP server at 10.0.0.5. The relay agent also relays the server's unicast replies back to the client, enabling DHCP service across subnets without a local DHCP server.

Exam trap

The trap here is that candidates often confuse the DHCP relay agent command with the DHCP server command (`dhcpd`) or assume a firewall rule (`iptables`) can perform relaying, but only `dhcrelay` correctly implements the RFC 1542 relay function by forwarding broadcasts to a specified remote server.

How to eliminate wrong answers

Option B is wrong because `dhcpd -cf /etc/dhcp/dhcpd.conf` starts a DHCP server, not a relay agent; it would attempt to serve addresses locally rather than forward broadcasts to a remote server. Option C is wrong because `iptables -A INPUT -i eth0 -p udp --dport 67 -j REDIRECT` redirects incoming DHCP requests to a local process, but it does not forward them to a remote server and violates the intended relay functionality (REDIRECT is for local socket redirection, not forwarding). Option D is wrong because `dnsmasq -i eth0` starts a combined DNS/DHCP server, not a dedicated relay agent; while dnsmasq can act as a relay with specific options (e.g., `--dhcp-relay`), the plain `-i eth0` flag only binds the service to that interface and does not enable relay mode.

398
MCQmedium

A company requires two-factor authentication for SSH logins. Which PAM module can be used to implement this if the system uses a time-based one-time password (TOTP)?

A.pam_radius.so
B.pam_ldap.so
C.pam_krb5.so
D.pam_google_authenticator.so
AnswerD

This module provides TOTP-based two-factor authentication.

Why this answer

PAM module pam_google_authenticator.so implements TOTP-based two-factor authentication. pam_radius.so can be used for RADIUS, but not natively TOTP. pam_ldap.so and pam_krb5.so are for directory services.

399
Multi-Selecteasy

Which TWO of the following actions are recommended to improve SSH server security?

Select 2 answers
A.PermitEmptyPasswords no
B.PasswordAuthentication no
C.AllowUsers *.example.com
D.PermitRootLogin yes
E.UsePAM yes
AnswersA, B

Preventing empty passwords eliminates a major vulnerability where an account could have no password set.

Why this answer

Disabling password authentication (Option C) and denying empty passwords (Option E) significantly reduce the risk of unauthorized access.

400
MCQhard

A company has multiple internet connections and wants to route traffic from specific subnets to specific providers. They are using policy-based routing with ip rule and ip route. After adding the rules, the administrator finds that the traffic is not matching the intended routing table. Which command should be used to verify that the rules are being matched correctly?

A.ip route show cache
B.ip route get <destination> mark <mark>
C.ip rule show
D.ip route show table all
AnswerB

This command simulates the routing lookup and shows the rule and table used.

Why this answer

Option B is correct because 'ip route get' with the 'mark' option simulates a packet lookup using the specified routing mark, allowing the administrator to see which routing table would be matched by the policy rules. This directly verifies whether the ip rule conditions (e.g., fwmark, source subnet) are correctly directing traffic to the intended table.

Exam trap

The trap here is that candidates assume 'ip rule show' is sufficient to verify rule matching, but it only displays the rules, not which rule is actually hit for a specific packet, leading to false confidence.

How to eliminate wrong answers

Option A is wrong because 'ip route show cache' displays the routing cache (which is deprecated in modern kernels and not used for policy routing verification), not the rule matching behavior. Option C is wrong because 'ip rule show' lists the configured policy rules but does not simulate a packet or show which rule is actually matched for a specific traffic flow. Option D is wrong because 'ip route show table all' dumps all routing tables but provides no insight into which rule triggers which table for a given packet.

401
MCQeasy

An administrator needs to prioritize traffic for a VoIP application over other traffic on a Linux router. Which tool should be used to implement traffic shaping and prioritization?

A.ip route with priority
B.tc (traffic control)
C.tcpdump with filters
D.iptables with the mangle table
AnswerB

tc is the dedicated tool for QoS, shaping, and scheduling.

Why this answer

B is correct because the `tc` (traffic control) command is the standard Linux utility for traffic shaping, prioritization, and bandwidth management. It operates at the kernel's QoS layer, allowing the administrator to define queuing disciplines (qdiscs) such as HTB or PRIO to prioritize VoIP packets based on classification rules, ensuring low latency for real-time traffic.

Exam trap

The trap here is that candidates confuse packet marking (iptables mangle) with actual traffic shaping, forgetting that marking alone does not prioritize traffic without a queuing discipline configured via `tc`.

How to eliminate wrong answers

Option A is wrong because `ip route with priority` is not a valid mechanism for traffic shaping; the `ip route` command manages routing table entries and can set route metrics or preferences, but it does not provide per-packet prioritization or bandwidth control. Option C is wrong because `tcpdump` is a packet capture and analysis tool, not a traffic control tool; it cannot shape or prioritize traffic, only observe it. Option D is wrong because while `iptables` with the mangle table can mark packets for later classification, it does not perform traffic shaping or prioritization itself; the actual queuing and scheduling must be handled by `tc`.

402
Multi-Selecteasy

Which TWO of the following commands can be used to load a kernel module into the running kernel?

Select 2 answers
A.insmod
B.depmod
C.rmmod
D.modprobe
E.modinfo
AnswersA, D

insmod loads a module directly from a file.

Why this answer

insmod and modprobe are the two commands that actually load a kernel module into the running kernel. insmod loads a module directly from a file path, while modprobe loads modules along with their dependencies. The other commands either display information or manage dependencies.

403
MCQmedium

A system administrator notices that the default gateway is missing after a reboot. The network configuration uses ifup/ifdown scripts. Which file should be modified to ensure the default gateway is persistent?

A./etc/resolv.conf
B./etc/network/routes
C./etc/sysconfig/network
D./etc/network/interfaces
AnswerD

The 'gateway' directive in this file sets the default gateway persistently.

Why this answer

On Debian-based systems using ifup/ifdown scripts, persistent network configuration—including the default gateway—is defined in /etc/network/interfaces. The gateway is set with the 'gateway' directive under the appropriate interface stanza, ensuring it is applied automatically on boot. This file is the central configuration source for the ifupdown suite.

Exam trap

The trap here is that candidates familiar with Red Hat systems may incorrectly choose /etc/sysconfig/network, forgetting that the question explicitly specifies ifup/ifdown scripts, which are characteristic of Debian-based distributions.

How to eliminate wrong answers

Option A is wrong because /etc/resolv.conf only configures DNS resolver settings (nameservers, search domains), not routing or default gateways. Option B is wrong because /etc/network/routes is not a standard file in the ifupdown framework; routing is handled via the 'up' or 'post-up' directives in /etc/network/interfaces or through separate route files in /etc/network/if-up.d/. Option C is wrong because /etc/sysconfig/network is used by Red Hat-based distributions (e.g., RHEL, CentOS) with the initscripts or NetworkManager, not by Debian/Ubuntu systems using ifup/ifdown.

404
MCQhard

A security audit reveals that a server with PAM authentication allows users to log in even when the '/etc/nologin' file exists, contrary to policy. Which PAM module is most likely misconfigured or missing?

A.pam_nologin.so
B.pam_securetty.so
C.pam_access.so
D.pam_lastlog.so
AnswerA

Denies login if /etc/nologin exists.

Why this answer

Option B is correct because pam_nologin.so checks for /etc/nologin and denies login if present. Option A is wrong because pam_securetty.so restricts root login on ttys, unrelated. Option C is wrong because pam_lastlog.so records login time.

Option D is wrong because pam_access.so restricts based on access lists, not nologin.

405
MCQhard

A Samba server is configured as a print server. Clients running Windows 10 report that printer drivers cannot be uploaded. The relevant smb.conf section is: [printers] comment = All Printers path = /var/spool/samba browseable = no printable = yes What is the most likely cause?

A.The 'printable = yes' directive is missing
B.The 'path' is incorrectly set to /var/spool/samba
C.The 'guest ok = yes' directive is missing
D.The 'browseable = no' directive prevents driver discovery
AnswerC

Needed for driver upload

Why this answer

The 'printable = yes' directive is present, so option A is not the issue. The 'path' /var/spool/samba is the standard spool directory for Samba print jobs, so option B is incorrect. The 'browseable = no' only hides the share from browsing, but does not prevent driver uploads; Windows clients can still connect directly.

The most likely cause is that 'guest ok = yes' is missing, because by default Samba requires authentication for printer shares, and Windows 10 clients attempting to upload drivers often do so under the guest account (or without valid credentials) unless the share explicitly allows guest access. Without 'guest ok = yes', the upload is denied.

Exam trap

The trap here is that candidates mistakenly think 'browseable = no' prevents driver discovery, when in fact Windows driver uploads rely on direct UNC connections (e.g., \\server\printername) and are independent of browseability.

How to eliminate wrong answers

Option A is wrong because 'printable = yes' is already present in the configuration, and it is required for a print share; its absence would prevent printing, not driver uploads. Option B is wrong because /var/spool/samba is the correct default spool directory for Samba print jobs; changing it would not affect driver uploads. Option D is wrong because 'browseable = no' only hides the share from network browsing (e.g., in Windows Explorer), but does not prevent Windows clients from connecting directly via the printer path or uploading drivers; driver discovery and upload use the printer's UNC path, not browsing.

406
MCQmedium

An administrator wants to restrict access to a Samba share based on client IP addresses. Which parameter in the [share] section of smb.conf should be used?

A.hosts allow
B.allow hosts
C.browseable
D.valid users
AnswerA

'hosts allow' defines IP-based access control per share.

Why this answer

The `hosts allow` parameter in the `[share]` section of `smb.conf` restricts access to the Samba share based on client IP addresses or subnets. It is the correct directive for IP-based access control, allowing the administrator to specify which hosts are permitted to connect. This parameter is evaluated before authentication, blocking unauthorized IPs at the connection level.

Exam trap

The trap here is that candidates confuse the parameter order (`allow hosts` vs `hosts allow`) or mistakenly think `valid users` can filter by IP, when it only filters by authenticated user identity.

How to eliminate wrong answers

Option B is wrong because `allow hosts` is not a valid Samba parameter; the correct syntax is `hosts allow` (with the keyword order reversed). Option C is wrong because `browseable` controls whether the share appears in network browse lists, not IP-based access restrictions. Option D is wrong because `valid users` restricts access based on usernames or groups, not client IP addresses.

407
Multi-Selectmedium

Which TWO of the following commands are used to manage kernel modules? (Select TWO.)

Select 2 answers
A.lsmod
B.insmod
C.modprobe
D.rmmod
E.depmod
AnswersB, C

insmod loads a single module directly.

Why this answer

B (insmod) is correct because it directly inserts a kernel module into the running kernel, though it does not resolve dependencies automatically. C (modprobe) is correct because it is the recommended tool for managing kernel modules, as it automatically loads dependencies and handles module parameters via configuration files in /etc/modprobe.d/.

Exam trap

The trap here is that candidates often confuse 'managing' modules with 'listing' or 'removing' them, and may incorrectly select lsmod or rmmod, or fail to recognize that modprobe is the primary management command while insmod is a lower-level alternative.

408
MCQeasy

Which command can be used to create a swap partition on /dev/sdb1?

A.swapcreate /dev/sdb1
B.mkswap /dev/sdb1; swapon /dev/sdb1
C.swapon /dev/sdb1
D.mkfs.swap /dev/sdb1
AnswerB

Correct sequence to create and enable swap.

Why this answer

B is correct because creating a swap partition requires two steps: first, `mkswap` initializes the partition as a swap area by writing a swap signature (UUID and superblock) to /dev/sdb1; second, `swapon` activates the swap space, making it available to the kernel for paging. Without `mkswap`, the partition lacks the necessary swap metadata and cannot be used.

Exam trap

The trap here is that candidates may assume `swapon` alone can both create and activate swap, similar to how `mount` can create a filesystem with `-t` in some contexts, but swap requires explicit initialization with `mkswap` first.

How to eliminate wrong answers

Option A is wrong because `swapcreate` is not a standard Linux command; the correct command to initialize a swap partition is `mkswap`. Option C is wrong because `swapon` alone only activates an already-initialized swap partition; it does not create the swap filesystem or signature, so it would fail on a raw partition. Option D is wrong because `mkfs.swap` is not a valid command; the proper utility for setting up swap is `mkswap`, not a variant of `mkfs`.

409
MCQmedium

You are the security administrator for a company that runs a web application on a Linux server. The application runs under the user 'www-data' and listens on TCP port 8080. The server also runs an SSH service on port 22. Recently, an external penetration test revealed that an attacker could exploit a vulnerability in the web application to execute commands as the 'www-data' user, and from there, the attacker could escalate privileges to root due to a misconfigured sudo rule. You need to implement a defense-in-depth approach to limit the impact of such an attack. Which single action would be the most effective in preventing privilege escalation from the 'www-data' user to root, while still allowing the application to function normally?

A.Review and remove any sudo privileges granted to the 'www-data' user in /etc/sudoers, and ensure the application does not require sudo.
B.Change the SSH port to a non-standard port to reduce the attack surface.
C.Run the web application in a chroot jail to isolate it from the rest of the filesystem.
D.Implement mandatory access control with AppArmor profiles for the web application.
AnswerA

Directly eliminates the escalation path.

Why this answer

Option A is correct because the core issue is a misconfigured sudo rule that allows the 'www-data' user to execute commands as root. By reviewing and removing any sudo privileges for 'www-data' in /etc/sudoers, you directly eliminate the privilege escalation path without affecting the web application's normal operation, as the application itself does not require sudo to function on its designated port 8080.

Exam trap

The trap here is that candidates often choose AppArmor or chroot as a general security measure, overlooking that the specific vulnerability is a misconfigured sudo rule, which must be fixed directly to prevent privilege escalation.

How to eliminate wrong answers

Option B is wrong because changing the SSH port to a non-standard port only obscures the service from casual scans but does not prevent privilege escalation from the compromised 'www-data' user; the attacker can still connect via SSH if credentials are compromised or use other lateral movement techniques. Option C is wrong because running the web application in a chroot jail can limit filesystem access but does not prevent the 'www-data' user from using sudo if a misconfigured sudo rule exists, as chroot does not restrict process capabilities or sudo execution. Option D is wrong because implementing AppArmor profiles can confine the web application's behavior and system calls, but it does not directly address the misconfigured sudo rule; an attacker could still execute 'sudo' commands if the rule is present, as AppArmor typically does not restrict sudo execution unless specifically profiled.

410
MCQeasy

After creating a new partition table on /dev/sda, what command should be run to install GRUB2 to the Master Boot Record?

A.grub-mkconfig -o /boot/grub/grub.cfg
B.update-grub
C.grub-install /dev/sda1
D.grub-install /dev/sda
AnswerD

This installs GRUB to the MBR of /dev/sda.

Why this answer

After creating a new partition table on /dev/sda, the Master Boot Record (MBR) resides on the disk device itself, not on a partition. The `grub-install /dev/sda` command installs GRUB2's boot code into the MBR (first 440 bytes) and embeds the core image in the post-MBR gap. This makes the disk bootable by the BIOS.

Exam trap

The trap here is that candidates confuse installing GRUB to a partition (e.g., /dev/sda1) with installing it to the MBR of the whole disk (/dev/sda), because they think the bootloader should reside on the root filesystem partition, but the MBR is a disk-level structure, not a partition-level one.

How to eliminate wrong answers

Option A is wrong because `grub-mkconfig -o /boot/grub/grub.cfg` only generates the GRUB configuration file from templates; it does not install any boot code to the MBR or disk. Option B is wrong because `update-grub` is a wrapper script that calls `grub-mkconfig` to regenerate the configuration file; it performs no installation to the MBR. Option C is wrong because `grub-install /dev/sda1` attempts to install GRUB to a partition (e.g., /dev/sda1), which is incorrect for MBR booting—GRUB must be installed to the whole disk device (e.g., /dev/sda) to write to the MBR, not to a partition block device.

411
MCQhard

Refer to the exhibit. A packet is sent from 192.168.1.100 to 10.0.0.5. Which interface will the packet exit?

A.eth0, then eth1 after ARP
B.eth0
C.eth1
D.lo
AnswerC

The route for 10.0.0.0/8 uses eth1.

Why this answer

The packet is sent from 192.168.1.100 (a private IP in the 192.168.0.0/16 range) to 10.0.0.5 (a private IP in the 10.0.0.0/8 range). Since these are on different subnets, the packet must be routed through a gateway. The routing table on the source host (or router) will have a route for 10.0.0.0/8 pointing to eth1, so the packet exits via eth1.

No ARP is needed on eth0 because the packet never leaves eth0 for this destination.

Exam trap

The trap here is that candidates assume the packet must first exit the source interface (eth0) and then be routed, but in reality the routing decision happens before any packet transmission, and the kernel selects the exit interface based solely on the destination IP and routing table, not on the source interface.

How to eliminate wrong answers

Option A is wrong because it suggests the packet exits eth0 first and then eth1 after ARP, which implies a multi-hop path that is not indicated by the routing table; the packet is routed directly via the interface with a matching route, not sequentially through multiple interfaces. Option B is wrong because eth0 is on the 192.168.1.0/24 subnet, which does not have a route to 10.0.0.5; the packet would be dropped or sent to a default gateway, not exit eth0. Option D is wrong because the loopback interface (lo) is only used for traffic destined to the local host (127.0.0.0/8), not for traffic to a remote network like 10.0.0.5.

412
Multi-Selectmedium

Which TWO statements about LVM thin provisioning are correct?

Select 2 answers
A.Thin pools are created using the 'pvcreate' command.
B.The filesystem on a thin volume must support the 'discard' option to free unused space.
C.Thin volumes can be over-provisioned, allowing more virtual space than physical storage.
D.Thin provisioning requires a dm-cache device to function.
E.Thin volumes automatically grow when they run out of space.
AnswersB, C

fstrim or mount -o discard allows space reclamation.

Why this answer

Option B is correct because thin volumes allocate data blocks on demand from a thin pool. To allow the underlying physical storage to reclaim unused blocks when files are deleted, the filesystem must support the 'discard' option (or use fstrim) so that it can notify the device mapper of freed space. Without discard, the thin pool never learns that blocks are no longer in use, preventing space reclamation.

Exam trap

The trap here is that candidates often assume thin volumes automatically grow or that discard is optional, but the exam tests the precise requirement that the filesystem must support and enable discard to free space back to the thin pool.

413
Multi-Selectmedium

Which TWO of the following are recommended best practices for securing a Linux server that is publicly accessible?

Select 2 answers
A.Run all services with root privileges.
B.Set all user passwords to simple, memorable ones.
C.Use a firewall to restrict access to only necessary ports.
D.Enable NFS exports for file sharing.
E.Disable direct root login via SSH.
AnswersC, E

Reduces the attack surface by limiting exposed services.

Why this answer

Options A and D are correct. Disabling root login via SSH and using a firewall to allow only necessary ports are standard security practices. Option B is incorrect because running services as root increases risk.

Option C is incorrect because NFS is generally not recommended over the internet. Option E is incorrect because passwords should be complex, not simple.

414
MCQhard

A systems administrator is configuring a Postfix mail server to use Dovecot for SASL authentication. The authentication method is set to PLAIN in Dovecot, and Postfix has smtpd_sasl_auth_enable=yes and smtpd_sasl_type=dovecot. Dovecot's auth socket is at /var/run/dovecot/auth-client. The mail logs show repeated "SASL authentication failed" errors for known good credentials. The administrator checks that the socket exists and that Dovecot is running. What is the most likely cause?

A.The smtpd_recipient_restrictions does not include permit_sasl_authenticated.
B.The Dovecot service is not listening on TCP port 143 for IMAP.
C.The mynetworks parameter in Postfix is set incorrectly.
D.The postfix user does not have read permission on the Dovecot auth socket.
AnswerD

The socket file permissions may restrict access to the postfix user, causing authentication failures.

Why this answer

The most likely cause is that the Postfix user (typically 'postfix' or the mail queue owner) lacks read permission on the Dovecot auth socket at /var/run/dovecot/auth-client. Dovecot's SASL authentication via a Unix socket requires the connecting process (Postfix) to have read/write access to that socket file. Even though the socket exists and Dovecot is running, if the permissions are too restrictive (e.g., owned by 'dovecot' with mode 0600), Postfix cannot communicate with Dovecot's auth service, resulting in repeated 'SASL authentication failed' errors despite valid credentials.

Exam trap

The trap here is that candidates assume a running service and existing socket guarantee functionality, overlooking Unix socket permissions and the need for the Postfix process user to have read/write access to the auth socket.

How to eliminate wrong answers

Option A is wrong because permit_sasl_authenticated in smtpd_recipient_restrictions controls whether authenticated clients are allowed to relay mail, not whether authentication itself succeeds; authentication failures occur before this restriction is evaluated. Option B is wrong because Dovecot does not need to listen on TCP port 143 for IMAP to provide SASL authentication to Postfix; Postfix communicates with Dovecot via the local auth socket, not over IMAP. Option C is wrong because mynetworks defines trusted networks for relay control and does not affect SASL authentication; misconfiguration of mynetworks would cause relay access errors, not authentication failures.

415
MCQhard

An enterprise environment uses Samba as an Active Directory domain controller using Samba 4.11. The administrator needs to configure a read-only domain controller (RODC) for a remote branch office. Which of the following steps is correct?

A.On the RODC server, run 'samba-tool domain join EXAMPLE.COM member' and then promote to RODC.
B.Install Samba on the RODC server, then run 'samba-tool domain provision --domain=EXAMPLE --adminpass=Pa$$w0rd' on the RODC.
C.On the existing DC, run 'samba-tool domain rodc create rodc-name' and then on the RODC server join with 'samba-tool domain join EXAMPLE.COM RODC'.
D.Install Samba on the RODC server, then run 'samba-tool domain join EXAMPLE.COM RODC -UAdministrator'.
AnswerC

This correctly pre-creates the RODC account and then joins.

Why this answer

Option C is correct because Samba 4.11 requires the RODC computer account to be pre-created on the existing DC using 'samba-tool domain rodc create', which sets up the necessary krbtgt account and replication metadata. The RODC server then joins the domain as a read-only domain controller with 'samba-tool domain join EXAMPLE.COM RODC', which authenticates against the pre-created account and configures the local Samba instance as a read-only replica.

Exam trap

The trap here is that candidates often assume a simple domain join with the RODC role flag is sufficient, overlooking the mandatory pre-creation step on the existing DC that Samba requires to establish the RODC's unique security context.

How to eliminate wrong answers

Option A is wrong because joining as a 'member' creates a domain member server, not a domain controller; promoting it to RODC afterward is not a supported workflow in Samba 4.11 and would lack the pre-created RODC account. Option B is wrong because 'samba-tool domain provision' creates a new domain, which is incorrect for adding a RODC to an existing domain; it would overwrite the domain configuration and cause a conflict. Option D is wrong because while the join command syntax is close, it omits the critical prerequisite step of pre-creating the RODC account on the existing DC; without this, the join will fail as Samba requires the RODC computer object and associated krbtgt account to exist beforehand.

416
MCQhard

After adding a new network interface, the system assigns it the name 'enp0s3' instead of 'eth0'. Which of the following best describes the reason for this change?

A.The system uses the new predictable network interface naming scheme.
B.The kernel assigns names randomly to avoid conflicts.
C.The network card is faulty, causing the kernel to rename it.
D.The interface is a virtual device, so it gets a non-standard name.
AnswerA

udev rules based on firmware/PCI topology generate names like enp0s3.

Why this answer

The system uses the predictable network interface naming scheme (also known as Consistent Network Device Naming), introduced in systemd/udev. This scheme assigns names like 'enp0s3' based on the physical location of the device (e.g., 'en' for Ethernet, 'p0' for PCI bus 0, 's3' for slot 3), replacing the traditional 'eth0' naming that could change unpredictably across reboots or hardware additions.

Exam trap

The trap here is that candidates may assume 'eth0' is the only valid naming convention and think the change is due to a fault or randomness, rather than recognizing the deliberate shift to predictable naming for stability in multi-interface environments.

How to eliminate wrong answers

Option B is wrong because the kernel does not assign names randomly; it uses deterministic rules from udev or the biosdevname utility to avoid conflicts. Option C is wrong because a faulty network card would not cause the kernel to rename it; the name change is a deliberate design choice for consistency, not a fault response. Option D is wrong because 'enp0s3' is not specific to virtual devices; it is used for physical interfaces as well, and virtual interfaces typically get names like 'eth0' or 'ens3' depending on the hypervisor.

417
MCQeasy

A system administrator notices that the 'pcspkr' kernel module is causing beeps on the server console. The administrator wants to prevent this module from loading permanently. Which of the following is the correct method to blacklist the module?

A.Add 'install pcspkr /bin/false' to /etc/modprobe.conf
B.Set the kernel parameter 'pcspkr=off' in GRUB
C.Add 'blacklist pcspkr' to /etc/modprobe.d/blacklist.conf
D.Remove the module file from /lib/modules/$(uname -r)/kernel/drivers/input/misc/
AnswerC

This is the standard method to blacklist a kernel module.

Why this answer

Option C is correct because the standard method to permanently prevent a kernel module from loading is to add a 'blacklist' directive to a file in /etc/modprobe.d/. The 'blacklist pcspkr' line tells modprobe not to load the pcspkr module automatically, even if it is requested by hardware detection or dependencies. This is the recommended approach on modern Linux distributions using modprobe's configuration system.

Exam trap

The trap here is that candidates may confuse kernel command-line parameters (like 'modprobe.blacklist=') with module-specific parameters, or think that removing the module file is a valid administrative action, when in fact the proper method is to use the modprobe blacklist configuration.

How to eliminate wrong answers

Option A is wrong because 'install pcspkr /bin/false' would override the module's install command, but it does not prevent the module from being loaded by dependencies or alias resolution; it only replaces the load action with a false return, which may still trigger unwanted side effects and is not the standard blacklist mechanism. Option B is wrong because 'pcspkr=off' is not a valid kernel parameter; the kernel does not have a built-in parameter to disable a specific module by name, and GRUB parameters are used for kernel command-line options, not for module blacklisting. Option D is wrong because removing the module file from the filesystem is not a supported or safe method; it can break package management, prevent future updates, and may cause system instability, and the module could be reinstalled by updates or kernel upgrades.

418
Multi-Selecthard

Which THREE files are commonly involved in configuring a Linux client for LDAP authentication?

Select 3 answers
A./etc/hosts
B./etc/resolv.conf
C./etc/pam.d/system-auth
D./etc/ldap.conf
E./etc/nsswitch.conf
AnswersC, D, E

PAM configuration file that includes pam_ldap or pam_krb5.

Why this answer

Option C is correct because /etc/pam.d/system-auth (or its equivalent, such as /etc/pam.d/common-auth on Debian-based systems) is the central PAM configuration file that defines authentication modules. For LDAP authentication, the pam_ldap module is typically stacked here to allow LDAP-based user credential verification, making it essential for integrating LDAP into the system's authentication flow.

Exam trap

The trap here is that candidates often confuse /etc/resolv.conf or /etc/hosts as being part of LDAP client configuration, but these files handle network resolution, not authentication or identity lookup configuration.

419
Multi-Selecthard

A Postfix administrator wants to restrict which clients can relay mail through the server. Which three smtpd restriction lists are typically used for this purpose? (Choose three.)

Select 3 answers
A.smtpd_helo_restrictions
B.smtpd_data_restrictions
C.smtpd_sender_restrictions
D.smtpd_client_restrictions
E.smtpd_recipient_restrictions
AnswersA, D, E

Checks the HELO/EHLO hostname.

Why this answer

A is correct because `smtpd_helo_restrictions` allows the administrator to enforce checks based on the HELO/EHLO hostname presented by the client during the SMTP greeting. By using restrictions like `reject_invalid_helo_hostname` or `reject_non_fqdn_helo_hostname`, the server can block clients that provide suspicious or non-compliant HELO names, which is a common tactic to prevent unauthorized relay attempts.

Exam trap

The trap here is that candidates often confuse `smtpd_sender_restrictions` with relay control, but it only filters based on the sender address, not on whether the client is authorized to relay mail.

420
MCQeasy

A company's network has a single switch connecting all devices. The IT manager wants to isolate the development team's traffic from the rest of the network without buying new hardware. Which configuration should the administrator implement on the switch ports connected to the development team's computers?

A.Set the ports to access mode and assign them to VLAN 10.
B.Enable port security with a maximum MAC address count.
C.Configure the switch ports as part of a bridge group.
D.Set the ports to trunk mode.
AnswerA

VLANs isolate traffic at L2, and access ports assign the port to a specific VLAN, creating separate broadcast domains.

Why this answer

VLANs (Virtual Local Area Networks) logically segment a network at Layer 2, isolating traffic between groups without requiring additional hardware. Setting the switch ports to access mode and assigning them to VLAN 10 places the development team's computers into a separate broadcast domain, preventing their traffic from being visible to devices in other VLANs. This is the standard method for implementing port-based VLAN membership on a managed switch.

Exam trap

The trap here is that candidates often confuse trunk mode (used for inter-switch links) with access mode (used for end devices), mistakenly thinking trunking provides isolation when it actually aggregates VLAN traffic.

How to eliminate wrong answers

Option B is wrong because port security with a maximum MAC address count restricts which devices can connect to a port based on MAC addresses, but it does not isolate traffic at Layer 2; it only controls access. Option C is wrong because configuring switch ports as part of a bridge group is not a standard VLAN isolation technique; bridge groups are used in routing contexts (e.g., on routers or Linux bridges) and do not provide the per-port VLAN segmentation required here. Option D is wrong because trunk mode is used to carry traffic for multiple VLANs between switches or to routers, not to assign an end device to a single VLAN; setting a port to trunk mode would expect tagged frames and would not isolate the development team's traffic.

421
MCQmedium

A system administrator notices that a new iSCSI target is not appearing as a block device after running iscsiadm. The target is known to be online and reachable. What is the most likely cause?

A.The iSCSI initiator name is not set.
B.The target IQN is not specified correctly.
C.The iSCSI service (iscsid) is not running.
D.The network interface is down.
AnswerC

The iscsid daemon must be active to manage sessions.

Why this answer

The iSCSI initiator requires the `iscsid` daemon to be running in order to process discovery and login requests from `iscsiadm`. Even if the target is online and reachable, without the `iscsid` service, the kernel's iSCSI layer cannot establish a session or create the corresponding block device (e.g., /dev/sdX). This is the most likely cause because the administrator has confirmed network connectivity and target availability, leaving the service state as the primary suspect.

Exam trap

The trap here is that candidates often assume the issue is a configuration error (like a wrong IQN or missing initiator name) when the problem is actually a missing or stopped service, because they overlook the dependency of `iscsiadm` on the `iscsid` daemon.

How to eliminate wrong answers

Option A is wrong because the initiator name is typically set automatically during package installation (e.g., in /etc/iscsi/initiatorname.iscsi) and is not required for a single session; a missing name would cause a different error, not a silent failure to appear as a block device. Option B is wrong because if the IQN were incorrect, `iscsiadm` would return an explicit authentication or login failure, not a scenario where the target is known to be online and reachable yet no block device appears. Option D is wrong because the network interface being down would prevent the target from being reachable at all, contradicting the premise that the target is known to be online and reachable.

422
MCQmedium

An administrator needs to extend an ext4 filesystem on logical volume 'home' by 5 GB. The volume group 'vg' has free extents. Which sequence of commands is correct?

A.lvextend -l +100%FREE /dev/vg/home; resize2fs /dev/vg/home
B.resize2fs /dev/vg/home; lvextend -L +5G /dev/vg/home
C.lvextend -L +5G /dev/vg/home; mount -o remount /dev/vg/home
D.lvresize -L +5G /dev/vg/home; e2fsck -f /dev/vg/home; resize2fs /dev/vg/home
AnswerA

Extends the LV with all free extents, then resizes the ext4 filesystem.

Why this answer

Option A is correct because it first extends the logical volume to use all free extents in the volume group with `lvextend -l +100%FREE`, then resizes the ext4 filesystem with `resize2fs` to utilize the newly allocated space. This sequence ensures the logical volume has sufficient capacity before the filesystem is expanded, which is required because `resize2fs` cannot extend beyond the current block device size.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking the filesystem can be resized before the logical volume is extended, or they mistakenly believe `mount -o remount` will trigger a filesystem resize.

How to eliminate wrong answers

Option B is wrong because it attempts to resize the filesystem before extending the logical volume; `resize2fs` will fail or do nothing if the underlying block device has no additional space. Option C is wrong because `mount -o remount` does not resize the filesystem; it only remounts the filesystem with new options, and the filesystem must be explicitly resized after the logical volume is extended. Option D is wrong because it includes `e2fsck -f` unnecessarily before `resize2fs`; while a filesystem check is not harmful, it is not required for extending an ext4 filesystem, and the correct sequence is to extend the logical volume first, then resize the filesystem.

423
MCQhard

An organization's Postfix mail server is being used as an open relay. The administrator wants to restrict relaying to only authenticated users from the internal network. Which combination of settings is correct?

A.smtpd_helo_restrictions = permit_sasl_authenticated, reject_unauth_destination
B.smtpd_recipient_restrictions = reject_unauth_destination, permit_mynetworks, permit_sasl_authenticated
C.smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination
D.smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
AnswerD

Allows internal networks and authenticated users before rejecting unauthorized destinations.

Why this answer

Option D is correct because it enforces relaying restrictions in the correct order: first permit mail from trusted internal networks (permit_mynetworks), then permit authenticated users (permit_sasl_authenticated), and finally reject all other unauthorized destinations (reject_unauth_destination). This ensures that only authenticated users or hosts in mynetworks can relay, while blocking open relay attempts from external unauthenticated sources.

Exam trap

The trap here is that candidates often place reject_unauth_destination first to block open relays, forgetting that it must come after permit_mynetworks and permit_sasl_authenticated to avoid blocking legitimate internal or authenticated relays.

How to eliminate wrong answers

Option A is wrong because smtpd_helo_restrictions controls restrictions based on the HELO/EHLO command, not recipient relaying; it does not include permit_mynetworks, so internal hosts would be blocked unless authenticated. Option B is wrong because it places reject_unauth_destination before permit_mynetworks and permit_sasl_authenticated, causing legitimate internal or authenticated relays to be rejected before they are allowed. Option C is wrong because smtpd_client_restrictions only checks the client IP/hostname and does not evaluate SASL authentication or recipient destination, so authenticated users would still be blocked if not in mynetworks.

424
Multi-Selecteasy

Which three of the following are required steps to compile and install a custom Linux kernel from source? (Choose three.)

Select 3 answers
A.Run 'make modules_install' to install compiled modules
B.Run 'update-grub' to regenerate GRUB configuration
C.Run 'depmod -a' to generate module dependencies
D.Run 'make install' to install the kernel image and update boot loader
E.Run 'make oldconfig' to configure the kernel
AnswersA, D, E

This copies modules to /lib/modules/$(uname -r)/.

Why this answer

Option A is correct because after building kernel modules with 'make', you must run 'make modules_install' to copy the compiled modules into the appropriate directory under /lib/modules/$(uname -r)/, making them available for the kernel to load. This step is essential for any kernel that uses loadable modules, as it populates the module tree with the correct .ko files.

Exam trap

The trap here is that candidates confuse optional or automatic post-install steps (like 'update-grub' or 'depmod -a') with the mandatory compilation and installation steps, leading them to select B or C instead of the correct required steps A, D, and E.

425
MCQmedium

A Samba server is configured as above. Users alice and bob have local system accounts but neither can connect to the share. What is the most likely cause?

A.The share path /srv/share does not exist or has incorrect permissions.
B.The parameter 'read only = no' is misspelled; it should be 'writable = yes'.
C.The users have not been added to the Samba password database.
D.The valid users list must use group names with '@' prefix, not individual names.
AnswerC

Users must be added with smbpasswd -a or pdbedit -a to enable Samba authentication.

Why this answer

Option B is correct. With security = user and passdb backend = tdbsam, each user must be added to the Samba password database using smbpasswd -a or pdbedit -a. Without this, authentication fails even though the system accounts exist.

Option A is possible but less likely given typical troubleshooting. Option C is incorrect because individual user names are valid in valid users. Option D is incorrect because 'read only = no' is a valid parameter.

426
MCQmedium

A company runs a critical database server on a Linux system. The server is subject to a strict compliance policy that requires all commands executed by the database administrator (user 'dbadmin') to be logged. Additionally, any attempt to change the system time must be logged regardless of the user. The administrator has configured auditd and added the following rules: -w /usr/bin -p x -k binary_exec, -a always,exit -F arch=b64 -S adjtimex -F key=time_change. However, during a compliance audit, it is discovered that not all commands executed by dbadmin are being logged. Which of the following is the most likely cause?

A.The auditd logs are being overwritten because the audit log file size is too small.
B.The auditd service is not running because the kernel was not compiled with audit support.
C.The adjtimex syscall rule is incorrect and prevents other rules from being processed.
D.The rule -w /usr/bin -p x only monitors executables in /usr/bin, not commands in other directories or built-in shell commands.
AnswerD

The rule only watches /usr/bin; dbadmin may run commands from elsewhere.

Why this answer

Option D is correct because the rule `-w /usr/bin -p x` only monitors execution of binaries located in `/usr/bin`. Commands executed from other directories (e.g., `/usr/local/bin`, `/opt`, or built-in shell commands like `cd` or `alias`) are not captured. Additionally, the rule does not log commands run via absolute paths outside `/usr/bin` or scripts executed by interpreters, leaving gaps in the audit trail for dbadmin's activities.

Exam trap

The trap here is that candidates assume `-w /usr/bin -p x` logs all command executions, but it only monitors file access events on that specific directory, missing commands from other paths or shell internals.

How to eliminate wrong answers

Option A is wrong because log file size or overwriting would cause missing older logs, not a failure to log specific commands; auditd continues to log new events regardless of rotation. Option B is wrong because if the kernel lacked audit support, auditd would fail to start entirely and no rules would be processed, but the question states that some logging (e.g., time changes) is occurring, proving audit is functional. Option C is wrong because the adjtimex syscall rule is syntactically correct and does not prevent other rules from being processed; auditd rules are independent and do not block each other.

427
MCQeasy

To create a simple bridge interface that connects two Ethernet interfaces, which of the following commands should be used?

A.ip link add br0 type bridge && ip link set br0 up
B.brctl addbr br0 && brctl addif br0 eth0 eth1
C.ifconfig br0 create && ifconfig br0 up
D.Both A and B work correctly
AnswerA

This creates the bridge and brings it up using the iproute2 suite.

Why this answer

Option A is correct because the `ip link add br0 type bridge` command creates a new bridge interface using the modern iproute2 suite, and `ip link set br0 up` activates it. This is the current standard method for bridge creation on Linux, replacing the older brctl tool. The bridge then connects Ethernet interfaces by enslaving them with `ip link set eth0 master br0`.

Exam trap

The trap here is that candidates may remember the older `brctl` commands as valid, but fail to notice the syntax error in Option B (adding two interfaces at once) and assume both A and B are correct, leading them to choose Option D.

How to eliminate wrong answers

Option B is wrong because while `brctl addbr br0` and `brctl addif br0 eth0 eth1` can create a bridge and add interfaces, the `brctl addif` command only accepts one interface at a time; adding two interfaces in one command (eth0 eth1) is syntactically invalid and will fail. Option C is wrong because `ifconfig br0 create` is not a valid command; `ifconfig` does not support creating bridge interfaces—it only configures existing ones, and the `create` argument is used for virtual interfaces like VLANs, not bridges. Option D is wrong because both A and B do not work correctly; B has a syntax error and C is entirely invalid.

428
MCQhard

A Samba server is configured to store NT ACLs on a Linux filesystem that does not support them natively. Which VFS module should be used to map NT ACLs to POSIX ACLs?

A.vfs objects = recycle
B.vfs objects = full_audit
C.vfs objects = streams_xattr
D.vfs objects = acl_xattr
AnswerD

acl_xattr stores NT ACLs in xattr and maps them to POSIX ACLs.

Why this answer

Option D is correct because the `acl_xattr` VFS module is specifically designed to store NT ACLs in extended attributes on a Linux filesystem that lacks native NT ACL support. When Samba is configured with `vfs objects = acl_xattr`, it maps Windows NT ACLs to POSIX ACLs by serializing the NT ACL into the `user.NTACL` extended attribute, allowing Samba to enforce Windows-style permissions even on filesystems like ext4 or XFS that only support POSIX ACLs natively.

Exam trap

The trap here is that candidates often confuse the `streams_xattr` module (which handles alternate data streams) with the `acl_xattr` module, because both use extended attributes, but only `acl_xattr` maps NT ACLs to POSIX ACLs.

How to eliminate wrong answers

Option A is wrong because the `recycle` VFS module is used to implement a recycle bin for deleted files, not for ACL mapping. Option B is wrong because the `full_audit` VFS module is used for logging Samba operations, not for storing or mapping NT ACLs. Option C is wrong because the `streams_xattr` VFS module is used to support NTFS alternate data streams by storing them in extended attributes, but it does not handle NT ACL to POSIX ACL mapping.

429
MCQmedium

A company runs a DNS server using BIND9 on a Linux server. The server is configured with two network interfaces: one internal (192.168.1.10) and one external (203.0.113.10). The server is configured to be authoritative for example.com. Internal clients can resolve example.com, but external clients receive "SERVFAIL" responses. The host command from an external client returns "Host not found". The administrator checks the named configuration and finds the following in /etc/bind/named.conf.options: options { directory "/var/cache/bind"; listen-on { 127.0.0.1; 192.168.1.10; 203.0.113.10; }; allow-query { 192.168.1.0/24; }; recursion no; dnssec-validation auto; }; The zone configuration for example.com has proper allow-transfer and allow-update settings. What change should be made to resolve external queries?

A.Add 'recursion yes;' to the options block.
B.Add 'listen-on port 53 { 203.0.113.10; };' to the options block.
C.Change 'allow-query' to '{ any; };'
D.Change 'listen-on' to '{ any; };'
AnswerC

Allows queries from any IP, fixing the external resolution.

Why this answer

The 'allow-query' directive restricts which clients can send queries to the server. With 'allow-query { 192.168.1.0/24; };', only internal clients on that subnet are permitted to query, causing external clients to receive SERVFAIL. Changing it to '{ any; };' allows all clients to query the server, resolving the issue while still keeping recursion disabled for security.

Exam trap

The trap here is that candidates often confuse 'allow-query' with 'listen-on' or 'recursion', assuming the issue is about network binding or recursive resolution rather than the explicit query access control list.

How to eliminate wrong answers

Option A is wrong because enabling recursion ('recursion yes;') would allow the server to perform recursive queries on behalf of external clients, which is unnecessary for authoritative responses and introduces security risks like amplification attacks; the problem is not about recursion but about query permissions. Option B is wrong because 'listen-on' already includes the external IP (203.0.113.10), so adding a separate listen-on statement for port 53 is redundant and does not address the access control issue. Option D is wrong because changing 'listen-on' to '{ any; };' would make the server listen on all interfaces, which is already effectively achieved by listing the specific IPs; the real issue is the restrictive 'allow-query', not the listening interfaces.

430
MCQmedium

Your company runs a web application on a Linux server that uses Apache HTTPD with mod_ssl for HTTPS. Recently, after a security audit, it was discovered that the server is vulnerable to the POODLE attack on SSLv3. The server is running RHEL 8 with Apache 2.4. The SSL configuration file /etc/httpd/conf.d/ssl.conf currently has the line 'SSLProtocol all -SSLv2'. You need to disable SSLv3 and also disable all versions of TLS below 1.2, while still allowing TLS 1.2 and 1.3. The server must remain available immediately. Which action should you take?

A.Change 'SSLProtocol all -SSLv2' to 'SSLProtocol all -SSLv2 -SSLv3'
B.Add 'SSLProtocol -SSLv3' after the existing line
C.Change 'SSLProtocol all -SSLv2' to 'SSLProtocol TLSv1.2 TLSv1.3'
D.Change the line to 'SSLProtocol TLSv1.2 TLSv1.3 -SSLv2 -SSLv3'
AnswerC

This explicitly enables only TLS 1.2 and 1.3, disabling all older protocols.

Why this answer

Option C is correct. Changing 'SSLProtocol all -SSLv2' to 'SSLProtocol TLSv1.2 TLSv1.3' disables SSLv3 and older TLS versions. Option A would disable more than needed (TLSv1 and TLSv1.1 are included in 'all -SSLv2 -SSLv3'), but it doesn't explicitly allow TLS 1.2/1.3; however, 'all' includes TLS 1.2, but removing SSLv3 still allows TLS 1.0 and 1.1? Actually 'all' includes TLS 1.0,1.1,1.2, so 'all -SSLv2 -SSLv3' would allow TLS 1.0 and 1.1, which are too old.

Option B only adds -SSLv3 but does not disable TLS 1.0/1.1. Option D removes SSLv2 and SSLv3 but still allows TLS 1.0/1.1 via 'all'. Only option C explicitly sets only the desired protocols.

431
MCQeasy

Which of the following is the primary configuration file for the udev device manager?

A./etc/udev/rules.d/
B./lib/udev/rules.d/
C./etc/udev/rules.d/
D./etc/udev/udev.conf
AnswerD

This is the primary udev configuration file.

Why this answer

The primary configuration file for the udev device manager is /etc/udev/udev.conf. This file sets global parameters such as the device timeout, logging priority, and the default permissions for device nodes. While custom rules are placed in /etc/udev/rules.d/, the main configuration file that controls udev's behavior is udev.conf.

Exam trap

The trap here is that candidates often confuse the directory for custom rules (/etc/udev/rules.d/) with the actual configuration file, or they think the system rules directory (/lib/udev/rules.d/) is the primary config, but the question specifically asks for the 'primary configuration file' which is udev.conf.

How to eliminate wrong answers

Option A is wrong because /etc/udev/rules.d/ is a directory containing custom user-defined udev rules, not the primary configuration file. Option B is wrong because /lib/udev/rules.d/ is a directory for system-provided default rules, not the configuration file. Option C is wrong because /etc/udev/rules.d/ is a directory, not a file; the primary configuration file is /etc/udev/udev.conf.

432
MCQmedium

A system fails to boot with the error shown. Which kernel parameter should be added to the kernel command line to resolve the issue?

A.root=/dev/sda1
B.noprompt
C.rootfstype=ext4
D.rootdelay=10
E.single
AnswerD

Adds a delay before attempting to mount root, allowing the device to become ready.

Why this answer

The error 'unknown-block(8,1)' indicates the root device is not ready when the kernel tries to mount it. Adding rootdelay=10 introduces a delay, giving the device time to become available. The other options are either already present or address different issues.

433
MCQhard

You are a network administrator for a medium-sized company. The company has a Linux server acting as a router/firewall with three network interfaces: eth0 (public, 203.0.113.2/24, gateway 203.0.113.1), eth1 (DMZ, 10.0.1.1/24), and eth2 (internal, 192.168.1.1/24). The DMZ hosts a web server with IP 10.0.1.100, and the internal network has client machines. The firewall rules are currently set to default DROP on INPUT and FORWARD, ACCEPT on OUTPUT. The administrator wants to allow internal clients (192.168.1.0/24) to access the web server (10.0.1.100) on port 80. Additionally, the administrator wants to allow external users (from the internet) to access the web server's public IP (203.0.113.2) on port 80, which should be DNATed to 10.0.1.100. The administrator has enabled IP forwarding and added the following rules: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.100:80 iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j ACCEPT Internal clients cannot access the web server. External users are able to access the web server successfully. What is the most likely reason internal clients cannot access the web server?

A.The DNAT rule does not apply to traffic coming from the internal network because it is not received on eth0.
B.The web server cannot route back to the internal clients because it is in the DMZ.
C.The FORWARD rule for return traffic does not match because the destination is the client.
D.IP forwarding is not enabled for the internal interface.
AnswerA

Internal traffic uses eth2 as input interface, so DNAT rule does not trigger; the destination remains the public IP, which is not local.

Why this answer

The DNAT rule is placed in the PREROUTING chain of the nat table, which only processes packets arriving on the specified interface (eth0). Internal clients (192.168.1.0/24) sending traffic to the web server (10.0.1.100) do not enter via eth0; they are routed through eth2. Therefore, the DNAT rule never matches their packets, and the destination remains 10.0.1.100, which is directly reachable without NAT.

However, the FORWARD rules only allow traffic from eth0 to eth1 and back, so internal client traffic from eth2 to eth1 is implicitly dropped by the default FORWARD policy, causing the failure.

Exam trap

The trap here is that candidates assume DNAT rules apply to all incoming traffic regardless of interface, but PREROUTING rules are interface-specific, and internal traffic bypasses them entirely.

How to eliminate wrong answers

Option B is wrong because the web server in the DMZ can route back to internal clients via the router's eth1 interface; the router has a route to 192.168.1.0/24 via eth2, so return traffic is not blocked by routing. Option C is wrong because the FORWARD rule for return traffic matches packets with source port 80, regardless of destination; the issue is not the return rule but the lack of a forward rule for the initial connection from eth2 to eth1. Option D is wrong because IP forwarding is enabled globally (the administrator enabled it), and it applies to all interfaces; there is no per-interface setting for IP forwarding in Linux.

434
MCQmedium

A company runs a mixed Linux/Windows environment. The Samba server (version 4.15) is configured as a domain member using 'security = ADS'. Recently, the IT team enabled 'winbind use default domain = yes' to simplify logins. After the change, users report that they can no longer access Samba shares when authenticating with just their username (e.g., 'jdoe') instead of 'DOMAIN\jdoe'. However, authentication using the full domain-qualified name still works. The smb.conf includes: [global] security = ADS workgroup = MYDOM realm = MYDOM.LOCAL winbind use default domain = yes winbind separator = / Users are in the 'Domain Users' group and the share configuration is: [share] path = /srv/share valid users = @"MYDOM\domain users" Which of the following is the most likely cause and solution?

A.Change 'winbind separator' to backslash or remove it to default to backslash
B.Disable 'winbind use default domain' to force full domain qualification
C.The valid users line uses quotes around the group name; remove the quotes
D.Enable 'winbind offline logon' to allow cached credentials
AnswerA

The separator mismatch causes authentication failures

Why this answer

Option A is correct because when 'winbind use default domain = yes' is set, Samba expects the winbind separator to be a backslash (\), not a forward slash (/). With a forward slash separator, the username 'jdoe' is not correctly mapped to 'MYDOM\jdoe' during authentication, causing access failures. Changing the separator to backslash (or removing it to default to backslash) resolves the issue by aligning with Samba's internal handling of default domain usernames.

Exam trap

The trap here is that candidates often assume the forward slash separator is interchangeable with backslash in Samba, but in the context of 'winbind use default domain = yes', only backslash works correctly for default domain username resolution.

How to eliminate wrong answers

Option B is wrong because disabling 'winbind use default domain' would force users to always use full domain qualification (e.g., 'MYDOM\jdoe'), which contradicts the goal of simplifying logins and does not fix the separator mismatch. Option C is wrong because the quotes around the group name in the valid users line are syntactically correct in Samba; they do not cause authentication failures, and removing them would not resolve the separator issue. Option D is wrong because 'winbind offline logon' is used for caching credentials for offline access, not for fixing username mapping or separator problems in a domain member configuration.

435
MCQmedium

A developer compiled a custom kernel, installed it, but the system hangs before init starts. The previous kernel works. Which step was most likely missed?

A.Not updating GRUB configuration
B.Not rebuilding initramfs
C.Not running depmod
D.Not setting the correct root filesystem
AnswerB

The initramfs contains drivers needed early; forgetting to rebuild it is the most likely cause of the hang.

Why this answer

When a custom kernel is compiled and installed, the initramfs must be rebuilt to include the necessary kernel modules for mounting the root filesystem at boot. If the initramfs is not regenerated, the kernel may lack critical drivers (e.g., for storage controllers or filesystems), causing the system to hang before init starts because it cannot access the root device. The previous kernel works because its initramfs was built with the correct modules for that kernel version.

Exam trap

The trap here is that candidates often assume a kernel hang before init is due to a bootloader misconfiguration (GRUB), but the real issue is the missing initramfs, which is required to provide the drivers for the root filesystem that the kernel itself does not have built-in.

How to eliminate wrong answers

Option A is wrong because not updating GRUB configuration would typically result in the system booting the old kernel, not a hang with the new kernel; the new kernel is already selected and booting, so GRUB is not the issue. Option C is wrong because depmod updates module dependencies in /lib/modules/<kernel-version>, but the kernel can still boot without it; the hang occurs before init due to missing root filesystem access, not module loading order. Option D is wrong because if the root filesystem setting were incorrect, the kernel would likely panic with a 'VFS: Unable to mount root fs' message, not hang silently before init; the hang suggests the initramfs is missing or incomplete.

436
MCQhard

A client on the internet sends a TCP SYN packet to 10.0.1.10:8080. The router receives it on eth0. According to the exhibit, what will happen to the packet?

A.The packet is dropped because the destination IP is not directly connected.
B.The packet is forwarded to 10.0.1.1 because it is the default gateway.
C.The packet is forwarded to 10.0.2.5:80 via eth1, with source IP changed to 10.0.2.20.
D.The packet is forwarded to 10.0.2.5:80 via eth1, with source IP unchanged.
AnswerD

As described, DNAT changes destination, routing sends it to eth1, and no SNAT is applied.

Why this answer

The router receives the TCP SYN packet on eth0 destined for 10.0.1.10:8080. According to the exhibit (not shown but implied), a destination NAT (DNAT) rule is configured to translate the destination IP and port to 10.0.2.5:80. The packet is forwarded out eth1 with the destination changed, but the source IP remains unchanged because DNAT does not modify the source address.

This is a standard port forwarding scenario.

Exam trap

The trap here is that candidates often confuse DNAT with SNAT and assume the source IP is also changed, or they think the packet is dropped because the destination IP is not directly connected to the router's LAN interface.

How to eliminate wrong answers

Option A is wrong because the destination IP 10.0.1.10 is directly connected to the router (assuming it is a public IP on eth0 or a DMZ), so the packet is not dropped for being not directly connected. Option B is wrong because the default gateway is used for forwarding packets to external networks, not for handling packets destined to a local IP that has a NAT rule applied. Option C is wrong because DNAT only changes the destination IP and port, not the source IP; source IP modification would require source NAT (SNAT) or masquerading, which is not indicated.

437
MCQmedium

A Samba share requires that users must provide valid credentials, but the share should be accessible to any authenticated user without further restrictions. Which security mode should be used?

A.security = domain
B.security = server
C.security = share
D.security = user
AnswerD

This requires valid credentials for each connection.

Why this answer

The `security = user` mode requires each user to provide valid credentials (username and password) to access the share, but once authenticated, the share is accessible without further per-share restrictions. This matches the requirement exactly: authentication is mandatory, but authorization is not granularly controlled per share beyond the user's identity.

Exam trap

The trap here is that candidates confuse 'authentication' with 'authorization' and assume `security = share` is correct because it sounds like 'sharing without restrictions,' but `security = share` actually bypasses user-level authentication entirely.

How to eliminate wrong answers

Option A is wrong because `security = domain` requires the Samba server to be a member of a Windows domain and relies on a domain controller for authentication, which is overkill and not necessary for a simple authenticated share without further restrictions. Option B is wrong because `security = server` is deprecated and delegates authentication to another SMB server, which adds complexity and is not the standard way to require user credentials for a local share. Option C is wrong because `security = share` allows access without per-user authentication (often using a guest or anonymous connection), which directly contradicts the requirement that users must provide valid credentials.

438
Multi-Selectmedium

Which TWO commands can be used to query a DHCP server's lease database on a Linux server running ISC DHCP? (Assume default paths.) (Select two.)

Select 2 answers
A.dhcpd -t
B.cat /var/lib/dhcp/dhcpd.leases
C.dhcp-lease-list
D.less /etc/dhcp/dhcpd.conf
E.dhcpd -p
AnswersB, C

Lease database file.

Why this answer

Option B is correct because the ISC DHCP server stores its lease database in a plain-text file at `/var/lib/dhcp/dhcpd.leases` by default. Reading this file with `cat` directly displays all active and expired leases, including IP addresses, MAC addresses, and lease durations. Option C is correct because `dhcp-lease-list` is a utility that parses the same lease file and presents the data in a formatted, human-readable table.

Exam trap

The trap here is that candidates confuse the lease database file with the configuration file, or assume that command-line flags like `-t` or `-p` are used for lease queries, when in fact they serve entirely different purposes (syntax testing and port selection).

439
Multi-Selecthard

Which TWO tools are commonly used for traffic shaping and QoS on Linux? (Choose two.)

Select 2 answers
A.ethtool
B.wondershaper
C.iptables
D.tc
E.route
AnswersB, D

Script that simplifies use of tc for bandwidth limiting.

Why this answer

Wondershaper is a user-friendly shell script that wraps the `tc` command to simplify traffic shaping by limiting bandwidth on a network interface. It uses the Linux kernel's QoS capabilities, specifically the HTB (Hierarchical Token Bucket) queuing discipline, to prioritize and throttle traffic. This makes it a common tool for basic traffic shaping tasks on Linux.

Exam trap

The trap here is that candidates confuse iptables' ability to mark packets for QoS with actually performing traffic shaping, forgetting that iptables itself does not implement queuing or bandwidth limits.

440
MCQmedium

Based on the capture, which of the following statements is correct about the communication between 10.0.0.1 and 10.0.0.3?

A.The three-way handshake is complete for a TCP connection
B.All of the above
C.The client is using a random high port
D.The server 10.0.0.3 is running an HTTP server
AnswerB

All three statements are correct based on the capture.

Why this answer

Option B is correct because the TCP three-way handshake (SYN, SYN-ACK, ACK) is visible in the capture, the client 10.0.0.1 uses a high ephemeral port (e.g., 49152), and the server 10.0.0.3 responds on port 80, indicating an HTTP server is running. All three statements (A, C, D) are true, making 'All of the above' the correct choice.

Exam trap

The trap here is that candidates may assume only one statement is correct, but the question is designed so that all three individual statements (A, C, D) are true, making 'All of the above' the only comprehensive answer.

How to eliminate wrong answers

Option A is wrong because it is actually correct—the three-way handshake is complete, so it cannot be eliminated alone. Option B is the correct answer, not wrong. Option C is wrong because it is also correct—the client uses a random high port (e.g., 49152) as per ephemeral port range.

Option D is wrong because it is correct—the server 10.0.0.3 responds on port 80, which is the default HTTP port, indicating an HTTP server is running.

441
MCQhard

An administrator wants to chroot SSH users in the 'jailed' group to their home directories. Which configuration in /etc/ssh/sshd_config achieves this?

A.Subsystem sftp internal-sftp Match Group jailed ChrootDirectory %h
B.Match User jailed ChrootDirectory %h
C.ChrootGroup jailed ChrootDirectory %h
D.Match Group jailed ChrootJail %h
E.Match Group jailed ChrootDirectory %h
AnswerE

Matches the group and sets chroot to the home directory.

Why this answer

Option B is correct. The ChrootDirectory directive is used within a Match Group block. Option A is for a specific user, C is missing the Match block, D uses wrong syntax (ChrootJail), and E uses Subsystem which is for SFTP.

442
MCQeasy

Which protocol does Samba implement to provide file sharing services to Windows clients?

A.HTTP
B.AFP
C.SMB
D.NFS
AnswerC

Samba uses SMB/CIFS to interoperate with Windows clients.

Why this answer

Samba implements the SMB (Server Message Block) protocol, specifically the CIFS variant, to provide file and printer sharing services to Windows clients. SMB operates over TCP port 445 (direct hosting) or NetBIOS over TCP/IP (ports 137-139), enabling cross-platform file access in mixed Linux/Windows environments.

Exam trap

The trap here is that candidates often confuse SMB with NFS because both are network file-sharing protocols, but NFS is native to Unix/Linux and lacks the Windows-specific features (e.g., NetBIOS, RAP, named pipes) that Samba implements via SMB.

How to eliminate wrong answers

Option A is wrong because HTTP (Hypertext Transfer Protocol) is a stateless application protocol for web content transfer, not designed for file sharing with Windows SMB semantics or authentication. Option B is wrong because AFP (Apple Filing Protocol) is Apple's proprietary protocol for macOS file sharing, not used by Windows clients. Option D is wrong because NFS (Network File System) is a Unix/Linux-centric protocol (RFC 1813, 3530) that lacks the native authentication and locking mechanisms required by Windows clients.

443
MCQhard

An administrator needs to encrypt a large file using GPG with a symmetric cipher and then decrypt it on another system. Which command encrypts the file using AES256 and prompts for a passphrase?

A.gpg --clearsign --cipher-algo AES256 file.txt
B.gpg --encrypt --cipher-algo AES256 file.txt
C.gpg --sign --cipher-algo AES256 file.txt
D.gpg --symmetric --cipher-algo AES256 file.txt
AnswerD

Symmetric encryption prompts for passphrase; uses AES256.

Why this answer

Option B is correct because --symmetric with --cipher-algo AES256 performs symmetric encryption. Option A is wrong because --encrypt is for asymmetric. Option C is wrong because --sign is for signing.

Option D is wrong because --clearsign is for clearsigning.

444
MCQeasy

Refer to the exhibit. Which module is currently in use by another module?

A.usb_storage
B.kvm_intel
C.aesni_intel
D.kvm
AnswerD

kvm is used by kvm_intel.

Why this answer

The `lsmod` command shows that `kvm` has a 'Used by' count of 1, indicating another module is currently using it. The 'Used by' column lists the modules that depend on the given module, so `kvm` is in use by another module (likely `kvm_intel` or `kvm_amd`). This is the correct interpretation because the question asks which module is currently in use by another module, and `kvm` is the one with a non-zero 'Used by' value.

Exam trap

The trap here is that candidates often misinterpret the 'Used by' column as showing which modules are being used by the listed module, rather than which modules are using the listed module, leading them to incorrectly select `kvm_intel` or `usb_storage`.

How to eliminate wrong answers

Option A is wrong because `usb_storage` has a 'Used by' count of 0, meaning no other module is currently using it. Option B is wrong because `kvm_intel` has a 'Used by' count of 0, indicating it is not currently in use by another module; it is a dependency of `kvm` but not used by another module at this moment. Option C is wrong because `aesni_intel` has a 'Used by' count of 0, showing no other module depends on it currently.

445
MCQeasy

Which of the following commands creates a new network namespace named 'test'?

A.netns add test
B.network namespace add test
C.ip netns add test
D.ip netns create test
AnswerC

This is the correct syntax to create a new network namespace.

Why this answer

The correct command to create a new network namespace named 'test' is 'ip netns add test'. The 'ip netns' command is part of the iproute2 suite and is the standard tool for managing network namespaces in Linux. The 'add' subcommand creates a new namespace by binding it to a mount point under /var/run/netns/.

Exam trap

The trap here is that candidates may confuse the 'ip netns' subcommands, incorrectly using 'create' instead of 'add', or omitting the 'ip' prefix, because they are misled by the generic verb 'create' or the phrase 'network namespace' from other contexts like Docker or systemd-nspawn.

How to eliminate wrong answers

Option A is wrong because 'netns add test' is not a valid command; the correct syntax requires the 'ip' prefix to invoke the iproute2 tool. Option B is wrong because 'network namespace add test' is not a valid Linux command; the proper command uses 'ip netns' and not the full phrase 'network namespace'. Option D is wrong because 'ip netns create test' uses the incorrect subcommand 'create'; the correct subcommand is 'add', as 'create' is not recognized by the ip netns utility.

446
MCQeasy

Refer to the exhibit. What type of attack is indicated by the log entries?

A.Privilege escalation attempt
B.Man-in-the-middle attack
C.Distributed denial-of-service (DDoS) attack
D.Brute-force attack on SSH
AnswerD

The repeated failed login attempts for the root user from the same IP signature a brute-force attempt.

Why this answer

Option A is correct because multiple failed password attempts for root from the same IP in quick succession indicate a brute-force attack. Option B is wrong because a DDoS would involve many different IPs. Option C is wrong because a man-in-the-middle attack would not show in auth logs.

Option D is wrong because privilege escalation is internal.

447
Drag & Dropmedium

Arrange the steps to perform a disaster recovery from a full system backup using tar.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Boot into rescue, prepare disks, mount, extract backup, then reboot.

448
Multi-Selecteasy

Which TWO commands display UUIDs of block devices? (Select TWO)

Select 2 answers
A.parted /dev/sda print
B.lsblk -o UUID
C.udevadm info --query=all --name=/dev/sda
D.blkid
E.fdisk -l
AnswersB, D

Shows UUID column.

Why this answer

B is correct because `lsblk -o UUID` explicitly lists the UUID column for all block devices, showing the filesystem UUIDs. D is correct because `blkid` is the dedicated command to display block device attributes, including UUIDs, by reading the udev database or directly probing the device.

Exam trap

The trap here is that candidates often confuse partition UUIDs (shown by `fdisk -l` for GPT disks) with filesystem UUIDs, or assume `parted` or `udevadm` are standard tools for listing filesystem UUIDs, when in fact only `blkid` and `lsblk` are the correct commands for that specific task.

449
MCQmedium

Refer to the exhibit. An administrator runs aide --check and receives a warning that /var/log/syslog has changed. Why is this expected?

A.The SHA512 hash for /var/log is incorrect.
B.The /var/log entry monitors the directory itself, not its contents; changes inside the directory are not tracked.
C.The /var/log entry includes permissions but not content hashes, so changes in file content are not monitored.
D.The +c flag checks for changes in the file's ctime, so syslog changes are detected.
AnswerB

Only the directory's attributes and hash are checked, not files within.

Why this answer

The rule for /var/log uses 'p+sha512', which only monitors the directory's permissions and SHA512 hash of the directory entry itself, not its contents. Files inside /var/log are not monitored individually.

450
MCQmedium

A system administrator wants to change the default kernel boot parameters temporarily to debug a boot issue. Which step should be taken at the GRUB menu to modify kernel parameters for the next boot only?

A.Select the kernel entry and press 'e' to edit the boot parameters.
B.Edit /etc/default/grub and run update-grub to apply changes.
C.Press 'c' to enter the command line and modify parameters.
D.Press 'Esc' to access the advanced options menu.
AnswerA

Pressing 'e' allows temporary editing of boot entries.

Why this answer

Option A is correct because pressing 'e' at the GRUB menu allows you to edit the boot parameters for the selected kernel entry temporarily. This modifies the kernel command line only for the current boot, without persisting changes to disk. After editing, pressing Ctrl+X or F10 boots the system with the modified parameters, making it ideal for debugging boot issues.

Exam trap

The trap here is that candidates confuse the temporary edit (pressing 'e') with the permanent configuration method (editing /etc/default/grub), assuming both achieve the same result for a single boot.

How to eliminate wrong answers

Option B is wrong because editing /etc/default/grub and running update-grub makes permanent changes to the GRUB configuration, affecting all future boots, not just the next boot. Option C is wrong because pressing 'c' enters the GRUB command-line interface, which is used for manual commands like ls or insmod, not for editing kernel boot parameters for the next boot. Option D is wrong because pressing 'Esc' typically exits the GRUB menu or returns to the previous screen, not providing access to an advanced options menu for modifying kernel parameters.

Page 5

Page 6 of 7

Page 7

All pages