Linux Professional Institute Certification Level 2 LPIC-2 (LPIC-2) — Questions 451511

511 questions total · 7pages · All types, answers revealed

Page 6

Page 7 of 7

451
MCQhard

A BIND9 nameserver is configured with 'allow-transfer { none; };' but a secondary nameserver needs to receive zone transfers. What change must be made on the master?

A.Add a 'masters' statement in the slave's configuration.
B.Set 'allow-transfer' to the secondary's IP.
C.Set 'notify' to yes.
D.Set 'also-notify' to the secondary IP.
AnswerB

allow-transfer specifies which servers are allowed to request zone transfers.

Why this answer

The 'allow-transfer' directive on the master nameserver controls which hosts are permitted to request zone transfers (AXFR/IXFR). Setting it to 'none;' blocks all transfers, so to allow a secondary to receive the zone, you must explicitly list the secondary's IP address in the 'allow-transfer' statement on the master. This is the direct and necessary change to enable zone transfers to that specific slave.

Exam trap

The trap here is that candidates confuse the slave-side 'masters' directive or the notification mechanisms ('notify', 'also-notify') with the actual access control needed on the master to permit the zone transfer itself.

How to eliminate wrong answers

Option A is wrong because 'masters' is a slave-side directive that tells the secondary where to request the zone from; it does not change the master's access control. Option C is wrong because 'notify yes;' is a master-side directive that sends NOTIFY messages to slaves when the zone changes, but it does not override the 'allow-transfer' restriction; the transfer itself will still be denied. Option D is wrong because 'also-notify' specifies additional IPs to send NOTIFY messages to, but like 'notify', it does not grant transfer permission; the secondary must still be allowed by 'allow-transfer'.

452
Multi-Selectmedium

An Apache administrator is troubleshooting a slow website. Which THREE modules could be causing performance issues if misconfigured?

Select 3 answers
A.mod_proxy
B.mod_ssl
C.mod_status
D.mod_include
E.mod_rewrite
AnswersA, B, E

Proxying requests adds network latency and resource usage, especially with backend timeouts.

Why this answer

mod_proxy can cause performance issues if misconfigured because it may create excessive backend connections, fail to reuse connections via KeepAlive, or introduce latency through improper load balancing or reverse proxy caching settings. A common misconfiguration is setting ProxyTimeout too low, causing premature connection drops and retries.

Exam trap

The trap here is that candidates may incorrectly assume mod_status or mod_include are performance-critical modules, when in fact the exam focuses on modules that directly impact request processing throughput and resource consumption under load.

453
MCQeasy

An Apache web server is experiencing high memory usage under heavy load. The administrator wants to reduce the number of idle child processes. Which configuration directive should be adjusted?

A.ServerLimit
B.MaxRequestWorkers
C.KeepAliveTimeout
D.MinSpareThreads
AnswerD

Reducing this value decreases the number of idle threads kept ready, lowering memory usage.

Why this answer

Option D is correct because MinSpareThreads controls the minimum number of idle threads that should be available to handle incoming requests. By reducing this value, the administrator ensures fewer idle child processes are kept running, which lowers memory usage under heavy load. This directive is specific to Apache's worker MPM (Multi-Processing Module) and directly influences the number of spare processes.

Exam trap

The trap here is that candidates often confuse MinSpareThreads with MinSpareServers (prefork MPM) or think that reducing MaxRequestWorkers is the primary way to control memory, when in fact MinSpareThreads directly targets idle process reduction in the worker MPM.

How to eliminate wrong answers

Option A is wrong because ServerLimit sets the maximum number of child processes that can be created, not the number of idle processes; adjusting it upward would allow more processes, worsening memory usage. Option B is wrong because MaxRequestWorkers (formerly MaxClients) limits the total number of concurrent connections (or threads) that can be served, not the number of idle child processes; reducing it would cap overall load but not specifically target idle processes. Option C is wrong because KeepAliveTimeout controls how long an idle keep-alive connection is kept open before closing, which affects connection reuse but does not directly reduce the number of idle child processes; it can actually increase idle processes if set too high.

454
MCQmedium

A Linux client is experiencing slow name resolution. The /etc/nsswitch.conf file has the line 'hosts: files dns'. The /etc/hosts file contains many entries. What is the most effective way to improve resolution speed?

A.Increase the DNS timeout in /etc/resolv.conf
B.Change the nsswitch.conf line to 'hosts: dns files'
C.Install and configure nscd (Name Service Cache Daemon)
D.Remove all entries from /etc/hosts except localhost
AnswerB

Checking DNS first avoids reading the large hosts file for most queries, improving resolution speed for external names.

Why this answer

Option B is correct because the current order 'hosts: files dns' causes the resolver to check the entire /etc/hosts file first for every query, which is slow when the file contains many entries. Reversing the order to 'hosts: dns files' makes the resolver query DNS first, which is typically faster for most lookups, and only falls back to the local file if DNS fails. This directly addresses the bottleneck without requiring additional services or data removal.

Exam trap

The trap here is that candidates assume removing entries from /etc/hosts or adding a caching daemon will fix the speed issue, when the real problem is the lookup order in nsswitch.conf, which directly controls whether the resolver checks a potentially large local file before querying DNS.

How to eliminate wrong answers

Option A is wrong because increasing the DNS timeout in /etc/resolv.conf would make resolution slower, not faster, as it extends the wait time for DNS responses. Option C is wrong because installing nscd adds overhead and does not change the order of resolution; it caches results but still processes the entire /etc/hosts file first when 'files' is listed before 'dns'. Option D is wrong because removing entries from /etc/hosts is unnecessary and may break local name resolution for static mappings; the issue is the lookup order, not the file's content size.

455
Multi-Selectmedium

An administrator is setting up a Samba share for a project team. The team members are in different UNIX groups. Which three options can be used to restrict access to specific users or groups? (Choose three.)

Select 3 answers
A.read list
B.write list
C.force group
D.invalid users
E.valid users
AnswersA, D, E

Specifies users and groups that have read-only access.

Why this answer

Option A (read list) is correct because it explicitly restricts read-only access to a list of users or groups, allowing the administrator to control which users can only read files in the Samba share. This is a direct Samba parameter that limits access to specific users or groups, even if they are in different UNIX groups.

Exam trap

The trap here is that candidates often confuse 'write list' as a restriction mechanism, but it actually grants write access, not restricts it, while 'force group' is a red herring that deals with ownership, not access control.

456
MCQmedium

A web server is running in enforcing mode under SELinux. The administrator wants to allow Apache to connect to a remote database server. Which SELinux boolean needs to be set to allow httpd to make network connections?

A.httpd_enable_homedirs
B.httpd_can_network_connect_db
C.httpd_can_network_connect
D.httpd_unified
AnswerC

Setting this boolean to on allows httpd to initiate outbound network connections, including to databases.

Why this answer

Option C is correct. Option A is wrong because httpd_can_network_connect_db is for database protocols (e.g., MySQL), but the question says 'connect to a remote database server', which is specific. Actually, httpd_can_network_connect allows general outbound connections, and httpd_can_network_connect_db is more specific for database ports.

The answer depends on the exact scenario. The official SELinux policy includes httpd_can_network_connect and httpd_can_network_connect_db. For a generic database connection, httpd_can_network_connect_db is more precise, but httpd_can_network_connect also works.

The question likely expects httpd_can_network_connect as the essential boolean. But to be precise, I'll choose httpd_can_network_connect. Option B is wrong because httpd_enable_homedirs allows access to home directories.

Option D is wrong because httpd_unified allows Apache to run in unified mode.

457
Multi-Selectmedium

Which TWO conditions must be met for a Linux bridge to forward traffic between its ports?

Select 2 answers
A.The bridge has an IP address.
B.The bridge has at least two ports added.
C.The kernel module bridge is loaded.
D.The interfaces are in promiscuous mode.
E.Spanning Tree Protocol is disabled.
AnswersB, C

Forwarding between ports requires at least two interfaces in the bridge.

Why this answer

Option B is correct because a Linux bridge requires at least two ports to forward traffic; a bridge with only one port cannot forward frames between interfaces. Option C is correct because the bridge kernel module must be loaded (e.g., via `modprobe bridge`) to provide the bridging functionality; without it, bridge operations are impossible.

Exam trap

The trap here is that candidates often confuse the requirements for a bridge with those for a router, incorrectly assuming an IP address is necessary for forwarding, or they forget that the bridge kernel module must be explicitly loaded in Linux.

458
MCQhard

A government agency runs a classified application on a Linux server with strict auditing requirements. The application writes sensitive data to a MySQL database. The auditor requires that all SQL queries executed by the application be logged with timestamps, user, and the full query text. Additionally, the audit logs must be immutable (cannot be altered by the application or any user except a designated auditor account). The database runs on the same server. Which combination of tools and configurations should the administrator deploy?

A.Enable auditd to monitor the MySQL process and log all system calls.
B.Enable MySQL's general query log, direct it to a file on a separate filesystem mounted with the 'noexec' and 'append' options, and set the file immutable with chattr +a.
C.Enable the MySQL audit log plugin and configure rsyslog to forward logs to a remote log server.
D.Use tcpdump to capture all network traffic to port 3306 and save to a file with packet captures.
AnswerB

The general query log logs plaintext queries; chattr +a makes the file append-only, preventing modification of existing logs.

Why this answer

Option D is correct. MySQL's general query log logs all queries, and using a separate filesystem with mount options like 'ro' for the auditor (or using append-only via chattr) can ensure immutability. Option A (auditd) can log system calls but not SQL queries directly.

Option B (rsyslog) with MySQL audit plugin is possible but the audit plugin logs to a table, which may not be immutable. Option C (tcpdump) captures network traffic but not local connections via socket.

459
MCQmedium

A filesystem created with mkfs.ext4 on /dev/sda1 has a reserved block count of 5%. How can the administrator reduce it to 1% without reformatting?

A.tune2fs -r 1 /dev/sda1
B.tune2fs -m 1 /dev/sda1
C.dumpe2fs -r 1 /dev/sda1
D.resize2fs -r 1 /dev/sda1
AnswerB

-m sets reserved blocks percentage.

Why this answer

The `-m` option of tune2fs sets the reserved block percentage for the filesystem. Since the question asks to reduce the reserved block count from 5% to 1% without reformatting, `tune2fs -m 1 /dev/sda1` correctly adjusts the reserved blocks percentage to 1% on the existing ext4 filesystem.

Exam trap

The trap here is confusing the `-m` (percentage) and `-r` (absolute block count) options of tune2fs, leading candidates to choose `-r 1` thinking it sets 1% when it actually sets only 1 block reserved.

How to eliminate wrong answers

Option A is wrong because `-r` sets the reserved block count to a specific number of blocks, not a percentage; `-r 1` would reserve only 1 block, not 1%. Option C is wrong because `dumpe2fs` is a read-only tool that displays filesystem information, it cannot modify reserved block counts. Option D is wrong because `resize2fs` is used to resize filesystems, not to change reserved block percentages.

460
Multi-Selecteasy

Which THREE commands are specifically used to diagnose Samba issues?

Select 3 answers
A.smbstatus
B.testparm
C.smbtree
D.netstat
E.ping
AnswersA, B, C

Shows current Samba connections and locked files.

Why this answer

smbstatus is correct because it displays the current Samba connections, including active SMB sessions, open files, and locked files, which is essential for diagnosing who is accessing Samba shares and what resources are in use. It queries the Samba internal state via the smbd daemon, providing real-time diagnostic information about connected clients.

Exam trap

The trap here is that candidates may confuse general network troubleshooting tools (like netstat or ping) with Samba-specific diagnostic commands, assuming any network tool can diagnose Samba issues, but only commands that directly interact with Samba daemons or its configuration are valid for this purpose.

461
MCQhard

A Samba server configured as an Active Directory domain member is unable to authenticate users from the domain. The administrator verifies that DNS resolution works, but `wbinfo -u` returns no output. What is the most likely cause?

A.The smb.conf file is missing the 'idmap config' lines.
B.The winbind service is not running.
C.The Kerberos ticket is expired.
D.The system clock is not synchronized with the domain controller.
AnswerB

If winbind is not running, `wbinfo -u` cannot retrieve domain users.

Why this answer

The `wbinfo -u` command queries the winbind service to list domain users. If it returns no output, the most likely cause is that the winbind service is not running, as it is responsible for resolving Windows domain users and groups on a Samba member server. Without winbind, Samba cannot authenticate domain users even if DNS and Kerberos are working correctly.

Exam trap

The trap here is that candidates assume DNS or Kerberos issues are the root cause because they are common in domain authentication problems, but the specific symptom of `wbinfo -u` returning no output directly points to the winbind service not running, not to higher-layer protocol failures.

How to eliminate wrong answers

Option A is wrong because missing 'idmap config' lines in smb.conf would cause issues with mapping domain users to UIDs/GIDs, but `wbinfo -u` would still return usernames if winbind is running and can contact the domain controller. Option C is wrong because an expired Kerberos ticket would cause authentication failures (e.g., 'kinit' errors), but `wbinfo -u` does not rely on a cached TGT; it uses the machine account credentials via winbind. Option D is wrong because clock skew with the domain controller would cause Kerberos authentication failures, but `wbinfo -u` would still work if winbind is running and the clock difference is within default tolerances (typically 5 minutes).

462
MCQmedium

Refer to the exhibit. A DNS query for 'ftp.example.com' returns NXDOMAIN. What configuration change would best resolve this?

A.Add a CNAME record for ftp pointing to www.example.com.
B.Increase the serial number in the SOA record.
C.Ensure recursion is enabled on the server.
D.Add an A record for ftp pointing to an IP address.
AnswerD

Adding an A record directly answers the query for ftp.example.com.

Why this answer

An NXDOMAIN response means the queried domain name does not exist in the zone. To resolve 'ftp.example.com', a DNS record must be created that maps the name to an IP address. Option D adds an A record, which directly provides the IPv4 address for the host, making the query succeed.

Exam trap

The trap here is that candidates may confuse NXDOMAIN with a server configuration issue (like recursion) or think that a CNAME can substitute for a missing A record, but NXDOMAIN specifically means the name is absent from the zone, requiring a direct resource record addition.

How to eliminate wrong answers

Option A is wrong because a CNAME record creates an alias, but the target 'www.example.com' must itself resolve to an IP address; if 'ftp.example.com' does not exist at all, a CNAME does not create the required A record and may still result in NXDOMAIN if the target is also missing. Option B is wrong because increasing the serial number in the SOA record only triggers zone transfers and does not add any missing resource records; it has no effect on the existence of 'ftp.example.com'. Option C is wrong because recursion is a server setting that allows the DNS server to query other servers on behalf of clients; it does not add missing records to the zone, and NXDOMAIN is returned when the authoritative server has no record for the name, regardless of recursion.

463
MCQhard

A DHCP server is configured to serve multiple subnets but only clients on one subnet receive IP addresses. The server is connected to a router that does not forward DHCP broadcasts. What should be configured to support the other subnets?

A.Add more subnet declarations to the DHCP server
B.Set up a DHCP relay agent on the other subnets
C.Add 'shared-network' declarations
D.Configure the router to act as a DHCP server
AnswerB

A relay forwards DHCP broadcasts across routers.

Why this answer

The router does not forward DHCP broadcasts, so clients on other subnets cannot reach the DHCP server. A DHCP relay agent (e.g., `dhcrelay` or `ip helper-address`) intercepts broadcast requests on those subnets and forwards them as unicast to the DHCP server, allowing the server to assign addresses from the appropriate subnet pools. This is the standard solution per RFC 1542 when routers do not support BOOTP forwarding.

Exam trap

The trap here is that candidates often think adding more subnet declarations or using shared-network directives will fix the issue, but the core problem is the lack of broadcast forwarding, which only a relay agent can solve.

How to eliminate wrong answers

Option A is wrong because adding more subnet declarations to the DHCP server does not solve the problem of broadcast packets not reaching the server from remote subnets; the server already has the necessary subnet declarations, but the clients cannot communicate. Option C is wrong because 'shared-network' declarations are used when multiple subnets share the same physical network segment (e.g., for load balancing), not for routing DHCP broadcasts across separate subnets. Option D is wrong because configuring the router to act as a DHCP server would change its role entirely and is unnecessary; the correct approach is to enable DHCP relay on the router or a separate agent to forward broadcasts, not to replace the existing server.

464
MCQmedium

A Linux client is unable to resolve hostnames for external domains but can ping internal hosts by IP. The /etc/resolv.conf file is correctly configured with a valid DNS server. What is the most likely cause?

A.The /etc/hosts file contains an entry that overrides the DNS resolution for external domains.
B.The nmblookup service is not running.
C.The search domain in /etc/resolv.conf is incorrect, causing the resolver to append an inappropriate domain to queries.
D.The /etc/nsswitch.conf file is missing the 'dns' service in the 'hosts' line.
AnswerC

An incorrect search domain can cause the resolver to try invalid fully qualified domain names, leading to resolution failures for external hosts.

Why this answer

Option C is correct because when a search domain is incorrectly configured in /etc/resolv.conf, the resolver appends that domain to single-label hostnames before querying the DNS server. For external fully qualified domain names (FQDNs), this can cause the resolver to send queries like 'externaldomain.com.incorrect.domain' instead of the intended domain, leading to resolution failures. Since internal IPs are reachable (bypassing DNS) and the DNS server itself is valid, the issue is most likely the resolver's domain search behavior.

Exam trap

The trap here is that candidates often assume a misconfigured /etc/resolv.conf means the DNS server is wrong or unreachable, but the question explicitly states it is correctly configured with a valid server, so the issue must be in how the resolver processes queries, specifically the search domain or ndots behavior.

How to eliminate wrong answers

Option A is wrong because /etc/hosts entries override DNS only for the specific hostnames listed; they do not block resolution of other external domains unless explicitly added. Option B is wrong because nmblookup is a NetBIOS name resolution tool for Windows networks, not relevant to standard DNS-based hostname resolution on a Linux client. Option D is wrong because if the 'hosts' line in /etc/nsswitch.conf were missing the 'dns' service, the resolver would not query DNS at all, making it impossible to resolve any external domain; the problem statement confirms external resolution fails but internal IPs work, indicating DNS is partially functional.

465
Multi-Selectmedium

Which TWO of the following are effective methods to secure SSH access on a Linux server? (Choose two.)

Select 2 answers
A.Disable root login over SSH.
B.Use FTP over SSH (SFTP) for file transfers.
C.Disable password authentication and use only key-based authentication.
D.Require users to change their passwords every 30 days.
E.Change the default SSH port from 22 to a non-standard port.
AnswersC, E

Key-based authentication is much stronger against brute-force and phishing.

Why this answer

Options A and D are correct. Option A: Changing the SSH port reduces automated attacks. Option D: Using key-based authentication is more secure than passwords.

Option B is wrong because using FTP over SSH (SFTP) is not an authentication method. Option C is wrong because regular password changes without key-only is less secure (though some may argue, but best practice is key-only). Option E is wrong because disabling root login prevents direct root access, but it is not a method to secure SSH itself; it's a separate measure.

466
MCQeasy

Which file on a Linux client determines the order in which different name resolution methods (e.g., hosts file, DNS, LDAP) are consulted?

A./etc/host.conf
B./etc/resolv.conf
C./etc/nsswitch.conf
D./etc/named.conf
AnswerC

This file defines the order of name resolution methods for various databases.

Why this answer

Option C is correct because /etc/nsswitch.conf (Name Service Switch) controls the order and sources for system databases like 'hosts', 'passwd', and 'group'. For hostname resolution, the 'hosts' line specifies the lookup order (e.g., 'files dns ldap'), meaning the system checks /etc/hosts first, then DNS, then LDAP. This file is the central configuration for name resolution order on Linux systems.

Exam trap

The trap here is that candidates confuse /etc/resolv.conf (which only sets DNS servers and search domains) with the file that controls the overall resolution order, leading them to pick option B instead of C.

How to eliminate wrong answers

Option A is wrong because /etc/host.conf is a legacy file used by older glibc (before nsswitch) to control resolver behavior, but it is not the primary file for ordering multiple resolution methods like DNS and LDAP. Option B is wrong because /etc/resolv.conf only configures DNS resolver parameters (nameservers, search domains) and does not define the order of resolution methods (e.g., hosts vs. DNS vs.

LDAP). Option D is wrong because /etc/named.conf is the configuration file for the BIND DNS server (named), not a client-side file that determines resolution order on the client machine.

467
MCQmedium

A user in group staff (but not admin) tries to write to the share. What is the most likely error?

A.NT_STATUS_BAD_NETWORK_NAME
B.NT_STATUS_ACCESS_DENIED
C.Connection successful but cannot write
D.NT_STATUS_OBJECT_NAME_NOT_FOUND
AnswerC

The user can connect (valid includes staff) but write fails due to read only and no write list.

Why this answer

Option C is correct because the user is in group 'staff' but not 'admin', and the Samba share configuration likely has 'write list = @admin' or similar, restricting write access to the admin group. The connection succeeds (the share is visible and readable), but the write operation fails silently or returns a permission error at the filesystem level, not a network-level error. This matches the scenario where authentication passes but authorization for writing fails.

Exam trap

The trap here is that candidates confuse network-level errors (bad network name, object not found) with authorization errors, assuming any failure to write must produce a specific NT_STATUS code, when in practice Samba often returns a generic 'cannot write' message at the client level.

How to eliminate wrong answers

Option A is wrong because NT_STATUS_BAD_NETWORK_NAME indicates the share name itself is invalid or not found, which would prevent any connection, not just write access. Option B is wrong because NT_STATUS_ACCESS_DENIED is a generic error that could occur, but in Samba, when a user can connect but lacks write permissions, the client often reports 'cannot write' rather than a distinct NT_STATUS_ACCESS_DENIED; the question specifies 'most likely error' based on typical Samba behavior. Option D is wrong because NT_STATUS_OBJECT_NAME_NOT_FOUND means a specific file or directory within the share is missing, not that the user lacks write permission to the share root.

468
Multi-Selecthard

Which TWO of the following are valid methods to configure a Linux system to use a specific DNS server for name resolution?

Select 2 answers
A.Add an entry to /etc/hosts with the DNS server's IP.
B.Write the DNS server IP to /etc/resolv.conf using systemd-resolved.
C.Set the 'hosts' line in /etc/nsswitch.conf to include 'dns'.
D.Use NetworkManager to set DNS servers for a connection.
E.Edit the /etc/resolv.conf file and add a nameserver line.
AnswersD, E

NetworkManager can manage DNS settings dynamically.

Why this answer

Option D is correct because NetworkManager provides a centralized way to manage network connections, including DNS settings. When you configure DNS servers via NetworkManager (e.g., using `nmcli` or the GUI), it writes the appropriate `nameserver` lines to `/etc/resolv.conf` (or manages it via its own internal resolver), ensuring the system uses those DNS servers for name resolution. Option E is correct because directly editing `/etc/resolv.conf` and adding a `nameserver` line is the traditional, low-level method to specify DNS servers, which the resolver library reads directly.

Exam trap

The trap here is that candidates often confuse the role of `/etc/hosts` (static hostname-to-IP mapping) with DNS server configuration, or they think editing `/etc/nsswitch.conf` alone sets the DNS server, when it only defines the lookup order.

469
MCQeasy

Refer to the exhibit. What is the root filesystem device as specified in the kernel command line?

A.Could not be determined
B./dev/sda1
C./dev/sda3
D./dev/sda2
AnswerD

The 'root=/dev/sda2' kernel parameter sets /dev/sda2 as the root filesystem.

Why this answer

The kernel command line includes the parameter `root=/dev/sda2`, which explicitly specifies the root filesystem device as `/dev/sda2`. This is the standard way to indicate the partition where the root filesystem is mounted during boot, making option D correct.

Exam trap

The trap here is that candidates may assume the root filesystem is always on the first partition (e.g., `/dev/sda1`) or confuse it with other partitions like swap, but the kernel command line explicitly overrides such assumptions with the `root=` parameter.

How to eliminate wrong answers

Option A is wrong because the kernel command line in the exhibit clearly shows `root=/dev/sda2`, so the root filesystem device can be determined. Option B is wrong because `/dev/sda1` is not referenced in the kernel command line; it might be a common misconception that the root filesystem is always on the first partition, but here it is explicitly set to `/dev/sda2`. Option C is wrong because `/dev/sda3` is not specified in the kernel command line; this could be confused with a swap or other partition, but the root device is explicitly `/dev/sda2`.

470
MCQeasy

Which file is used to configure which users and groups are allowed to use the 'cron' daemon?

A./var/spool/cron/
B./etc/cron.d/
C./etc/crontab
D./etc/cron.allow
AnswerD

Lists users allowed to use cron.

Why this answer

The /etc/cron.allow file explicitly lists users and groups permitted to schedule cron jobs. If this file exists, only those entries can use crontab; all others are denied, regardless of /etc/cron.deny. This provides a whitelist-based access control mechanism for the cron daemon.

Exam trap

The trap here is that candidates confuse the access control files (/etc/cron.allow and /etc/cron.deny) with the directories or system crontab files that store or schedule jobs, such as /var/spool/cron/ or /etc/crontab.

How to eliminate wrong answers

Option A is wrong because /var/spool/cron/ is a directory containing individual user crontab files (e.g., /var/spool/cron/crontabs/), not a configuration file for access control. Option B is wrong because /etc/cron.d/ is a directory for system cron job fragments (e.g., hourly, daily tasks), not for user authorization. Option C is wrong because /etc/crontab is the system-wide crontab file used to define periodic system jobs, not to control which users can submit cron jobs.

471
MCQhard

An LDAP client fails to authenticate users against an LDAP server. The /etc/nsswitch.conf includes 'passwd: files ldap' and the /etc/pam.d/system-auth has appropriate pam_ldap.so entries. However, 'getent passwd' shows only local users. Which command should the administrator run first to diagnose the issue?

A.View the contents of /etc/nsswitch.conf.
B.Run 'ldapsearch -x -H ldap://server -b dc=example,dc=com' to test connectivity.
C.Restart the nslcd service.
D.Check the syntax of /etc/ldap.conf with 'slaptest -f /etc/ldap.conf'.
AnswerB

Directly tests if client can bind to LDAP server.

Why this answer

Option B is correct because the first step in diagnosing an LDAP authentication failure is to verify basic connectivity to the LDAP server. Running 'ldapsearch -x -H ldap://server -b dc=example,dc=com' tests whether the client can reach the server and perform a simple anonymous search. If this fails, no amount of configuration tweaking will resolve the issue, as the root cause is likely network or server availability.

Exam trap

The trap here is that candidates often jump to restarting services or checking configuration files, but the LPIC-2 exam emphasizes a systematic troubleshooting approach where connectivity testing (ldapsearch) is the first logical step before assuming configuration or service issues.

How to eliminate wrong answers

Option A is wrong because viewing /etc/nsswitch.conf again is redundant; the question already states it includes 'passwd: files ldap', so the configuration is correct and rechecking it does not diagnose the connectivity issue. Option C is wrong because restarting nslcd would only help if the service is misconfigured or hung, but the problem is that 'getent passwd' shows only local users, indicating nslcd may not be running or cannot reach the server; however, the first diagnostic step should be a direct connectivity test, not a service restart. Option D is wrong because 'slaptest' is a tool for OpenLDAP's slapd configuration, not for the client-side /etc/ldap.conf file; checking syntax of /etc/ldap.conf is done manually or with other tools, and syntax errors are less likely than connectivity issues.

472
MCQhard

A user alice is connected to the 'data' share via smbd, but a file is locked. Which command can forcibly close the file?

A.smbpasswd -L -e alice
B.smbcontrol smbd close-share data
C.systemctl restart nmbd
D.kill -9 $(pgrep smbd)
AnswerB

smbcontrol can interact with smbd to close a share.

Why this answer

Option B is correct because `smbcontrol smbd close-share data` sends a message to the smbd process to forcibly close all open files on the 'data' share, releasing any locks held by users like alice. This command directly targets the Samba daemon's internal state without disrupting the entire service or other shares.

Exam trap

The trap here is that candidates may confuse `smbcontrol` with other Samba utilities or think that restarting the entire Samba service (nmbd or smbd) is the only way to clear locks, overlooking the targeted `close-share` command.

How to eliminate wrong answers

Option A is wrong because `smbpasswd -L -e alice` enables a local Samba user account but does not affect file locks or close open files. Option C is wrong because `systemctl restart nmbd` restarts the NetBIOS name service daemon, which handles name resolution, not file locking or share connections. Option D is wrong because `kill -9 $(pgrep smbd)` forcefully terminates all smbd processes, which would close all files but also disconnect all users and disrupt Samba services, whereas the question asks for a command that forcibly closes a specific file without unnecessary disruption.

473
Multi-Selecteasy

An administrator wants to configure Samba to allow only specific users to access a share. Which TWO configuration parameters in smb.conf can be used to restrict access based on usernames?

Select 2 answers
A.hosts allow
B.invalid users
C.write list
D.valid users
E.read list
AnswersB, D

Specifies which users are denied access to the share.

Why this answer

Option B (invalid users) is correct because it explicitly lists usernames that are denied access to a share, overriding any other access controls. Option D (valid users) is correct because it restricts access to only the specified usernames, denying all others. Both parameters operate at the Samba share level and directly filter based on usernames.

Exam trap

The trap here is that candidates often confuse 'valid users' and 'invalid users' with access control lists (ACLs) or think they only affect write permissions, when in fact they control all access (read and write) to the share.

474
MCQmedium

Refer to the exhibit. The system boots successfully, but the root filesystem is mounted as read-only even after the boot process completes. Which of the following is the most likely cause?

A.The kernel command line contains the 'ro' parameter, which remains in effect.
B.The root device /dev/mapper/vg-root does not exist.
C.The root filesystem is damaged and forces read-only mount.
D.SELinux is enforcing and prevents write access to the root filesystem.
AnswerA

The 'ro' parameter causes the root filesystem to be mounted read-only unless remounted rw by init.

Why this answer

The 'ro' parameter in the kernel command line instructs the kernel to mount the root filesystem as read-only during early boot. Even after the boot process completes, if no subsequent remount (e.g., via init scripts or systemd) is performed, the root filesystem remains read-only. This is the most direct and common cause of a root filesystem staying read-only after boot.

Exam trap

The trap here is that candidates often assume a successful boot implies the root filesystem is automatically remounted read-write, overlooking that the 'ro' kernel parameter persists unless explicitly overridden by a remount command in the boot process.

How to eliminate wrong answers

Option B is wrong because if the root device /dev/mapper/vg-root did not exist, the system would fail to mount the root filesystem entirely, resulting in a kernel panic or boot failure, not a successful boot with a read-only mount. Option C is wrong because a damaged filesystem typically triggers a forced fsck and may be remounted read-only if corruption is detected, but the system would not complete a normal boot without intervention; the question states the system boots successfully, implying no critical damage. Option D is wrong because SELinux enforcing mode controls access control policies but does not force the root filesystem to be mounted read-only; it can prevent writes based on security contexts, but the mount state itself is determined by the kernel mount options, not SELinux.

475
MCQmedium

Based on the exhibit, what is the configuration of the network interfaces?

A.eth0 is directly connected to a bridge; eth0.10 is a separate physical interface; br0 uses VLAN tagging.
B.eth0 is a VLAN ID 10 access port; eth0.10 is a separate link.
C.eth0 is a member of VLAN 1 only; eth0.10 is a bridge port.
D.eth0 is a VLAN trunk port with native VLAN 1; eth0.10 is a VLAN interface for VLAN 10; br0 is a bridge containing eth0.
AnswerD

Correct interpretation of the exhibit.

Why this answer

Option D is correct because the configuration shows eth0 as a trunk port carrying multiple VLANs, with VLAN 1 as the native VLAN (untagged). The eth0.10 is a VLAN subinterface for VLAN 10, and br0 is a Linux bridge that includes eth0, allowing bridged traffic for the native VLAN while the subinterface handles tagged traffic for VLAN 10.

Exam trap

The trap here is that candidates often confuse VLAN subinterfaces with separate physical interfaces or assume eth0 is an access port, failing to recognize that a trunk port with a native VLAN and subinterfaces is the standard configuration for carrying multiple VLANs over a single link.

How to eliminate wrong answers

Option A is wrong because eth0.10 is not a separate physical interface; it is a VLAN subinterface created on eth0. Option B is wrong because eth0 is not an access port for VLAN 10; it is a trunk port with native VLAN 1, and eth0.10 is not a separate link but a logical interface. Option C is wrong because eth0 is not a member of VLAN 1 only; it carries multiple VLANs as a trunk, and eth0.10 is not a bridge port but a VLAN subinterface.

476
Multi-Selecthard

Which THREE of the following tools can be used to implement file integrity checking on a Linux system?

Select 3 answers
A.AIDE
B.Logwatch
C.Nmap
D.Tripwire
E.sha256sum
AnswersA, D, E

Advanced Intrusion Detection Environment checks file integrity.

Why this answer

Options A, C, and E are correct. AIDE and Tripwire are classic file integrity checkers, and sha256sum can be used to manually verify file hashes. Option B (Logwatch) is a log analyzer, not a file integrity checker.

Option D (Nmap) is a network scanner.

477
MCQmedium

A Samba server provides printer sharing using CUPS. Which three global parameters are essential for CUPS integration? (Select THREE)

A.printing = cups
B.cups server = localhost
C.printcap name = cups
D.load printers = yes
E.cups options = "raw"
AnswerA, C, D

Specifies CUPS as the printing system.

Why this answer

Option A is correct because the `printing = cups` parameter explicitly tells Samba to use CUPS as its printing subsystem, enabling communication between Samba and CUPS via the CUPS API. This is essential for Samba to send print jobs to CUPS-managed printers and to retrieve printer information from CUPS.

Exam trap

The trap here is that candidates often assume `cups server = localhost` is required for local CUPS integration, but it is actually the default and only needed for remote CUPS servers, while `cups options = "raw"` is a common but non-essential tuning parameter, not a core requirement.

How to eliminate wrong answers

Option B is wrong because `cups server = localhost` is not a required global parameter; Samba defaults to connecting to CUPS on localhost, and this setting is only needed if CUPS runs on a different host. Option E is wrong because `cups options = "raw"` is not a global parameter for basic CUPS integration; it is an optional per-printer or global setting used to bypass CUPS filtering (e.g., for sending raw data to printers), and it is not essential for enabling CUPS support.

478
Multi-Selecthard

An administrator is configuring netfilter rules to implement a stateful firewall. Which TWO of the following commands are necessary to allow the firewall to correctly forward TCP traffic from internal to external networks (assuming proper default policies)?

Select 2 answers
A.iptables -A FORWARD -m state --state NEW -j ACCEPT
B.iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
C.iptables -A FORWARD -j ACCEPT
D.iptables -A FORWARD -m state --state RELATED -j ACCEPT
E.iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT
AnswersB, D

This allows established connections, crucial for stateful firewall.

Why this answer

Option B is correct because a stateful firewall must allow packets belonging to already established connections to pass through the FORWARD chain. The `-m state --state ESTABLISHED` match ensures that any packet that is part of an existing TCP connection (i.e., has seen the three-way handshake) is accepted, which is essential for forwarding return traffic from external networks back to internal hosts.

Exam trap

The trap here is that candidates often think only the `ESTABLISHED` rule is needed, forgetting that `RELATED` is also required for protocols like FTP or ICMP error messages that are associated with an existing connection but are not part of the same TCP stream.

479
MCQhard

An administrator configures AIDE to monitor /etc. After initializing the database, what command updates the database with current file hashes without removing old entries?

A.aide --update
B.aide --init
C.aide --compare
D.aide --check
AnswerA

This updates the database with current file hashes while preserving unchanged entries.

Why this answer

The aide --update command updates the database by adding new entries and updating changed ones. --check only compares, --init creates a new database, --compare is not a valid option.

480
MCQeasy

A new network card driver module is not being loaded at boot. The administrator wants to ensure the module is loaded automatically without modifying the kernel command line. Which file should be used?

A./etc/modules-load.d/<name>.conf
B./lib/modules/$(uname -r)/modules.builtin
C./etc/modprobe.d/<name>.conf
D./etc/rc.local
AnswerA

This directory is used by systemd to load kernel modules at boot. Adding the module name to a new file here will load it automatically.

Why this answer

Option A is correct because /etc/modules-load.d/<name>.conf is the standard configuration directory used by systemd-modules-load.service to load kernel modules at boot without modifying the kernel command line. Files in this directory list module names (one per line) that are loaded automatically during early boot, making it the proper mechanism for ensuring a network card driver module is loaded.

Exam trap

The trap here is confusing /etc/modprobe.d/ (for module options and aliases) with /etc/modules-load.d/ (for specifying modules to load at boot), leading candidates to incorrectly choose option C.

How to eliminate wrong answers

Option B is wrong because /lib/modules/$(uname -r)/modules.builtin is a file that lists modules compiled directly into the kernel (built-in), not loadable modules; it is generated by the kernel build process and cannot be edited to force module loading. Option C is wrong because /etc/modprobe.d/<name>.conf is used to set module parameters or aliases (via modprobe), not to specify which modules to load at boot; it affects how modules are loaded but does not trigger automatic loading. Option D is wrong because /etc/rc.local is a legacy script for local startup commands, but it runs late in the boot process (after network services) and is not the standard mechanism for early module loading; systemd-based systems often disable it by default.

481
MCQeasy

A system administrator wants to ensure that only key-based authentication is allowed for SSH and password authentication is disabled. Which configuration change is required in /etc/ssh/sshd_config?

A.PasswordAuthentication yes and PubkeyAuthentication yes
B.PasswordAuthentication no and PubkeyAuthentication no
C.PasswordAuthentication no and PubkeyAuthentication yes
D.PasswordAuthentication no
AnswerC

This disables password logins and enables key-based authentication, meeting the requirement.

Why this answer

Option B is correct because setting 'PasswordAuthentication no' and 'PubkeyAuthentication yes' disables password logins and enables key-based authentication. Option A is wrong because disabling PasswordAuthentication alone still allows other methods. Option C is wrong because enabling both allows password logins.

Option D is wrong because it disables both, preventing any authentication.

482
Multi-Selecteasy

Which TWO of the following are valid methods to modify kernel parameters at runtime without rebooting?

Select 2 answers
A.Using modprobe to load kernel modules with parameters
B.Editing /etc/sysctl.conf and running sysctl --system
C.Writing to files in /proc/sys/ using echo
D.Using the sysctl command to set parameters
E.Adding parameters to the kernel command line in /etc/default/grub
AnswersC, D

Writing directly to /proc/sys/ files changes parameters immediately.

Why this answer

Option C is correct because the /proc/sys/ directory exposes kernel tunable parameters as virtual files, and writing a new value to these files (e.g., echo 1 > /proc/sys/net/ipv4/ip_forward) immediately changes the corresponding kernel parameter at runtime without requiring a reboot. This is a direct interface to the kernel's sysctl mechanism.

Exam trap

The trap here is that candidates confuse persistent configuration methods (like editing /etc/sysctl.conf or kernel command line) with runtime modification methods, or they mistakenly think loading a module with modprobe is equivalent to modifying kernel parameters.

483
MCQeasy

A user reports they cannot obtain an IP address via DHCP. The DHCP server logs show no client activity, but the network cable is connected. Which configuration is most likely missing on the DHCP server?

A.deny unknown-clients
B.default-lease-time
C.option domain-name
D.subnet declaration
AnswerD

A subnet declaration is required to define the pool of addresses.

Why this answer

The DHCP server logs show no client activity, meaning the server is not receiving DHCPDISCOVER packets from the client. The most likely missing configuration is a subnet declaration, which defines the network segment the DHCP server should listen on and allocate addresses from. Without a matching subnet declaration in the DHCP configuration (e.g., /etc/dhcp/dhcpd.conf), the server will ignore requests from that subnet, even if the physical cable is connected.

Exam trap

The trap here is that candidates often focus on client-side issues or access control (like deny unknown-clients) when the logs show no activity, but the real cause is the server not being configured to listen on the client's subnet at all.

How to eliminate wrong answers

Option A is wrong because 'deny unknown-clients' would cause the server to reject clients not in a host declaration, but the server logs would still show client activity (e.g., DHCPDISCOVER received and denied). Option B is wrong because 'default-lease-time' only affects the lease duration offered to clients; its absence does not prevent the server from receiving or responding to DHCP requests. Option C is wrong because 'option domain-name' is an optional parameter that provides a DNS domain suffix; its absence does not block DHCP communication or cause a complete lack of client activity in the logs.

484
MCQhard

A Linux administrator is setting up an IPsec VPN between two sites using strongSwan. The VPN established successfully, but traffic between the sites is not being encrypted. What is the most probable cause?

A.The IPsec policies are not configured to match the traffic.
B.The firewall is blocking UDP port 500.
C.The kernel does not support IPsec (net.ipv4.ip_forward=0).
D.The IPsec daemon is not started.
AnswerA

The SPD defines which traffic should be encrypted; without matching policies, traffic flows in plain text.

Why this answer

Option A is correct because the most probable cause for traffic not being encrypted after a successful IPsec tunnel establishment is that the IPsec policies (e.g., strongSwan's `ipsec.conf` `conn` section with `leftsubnet`/`rightsubnet`) do not match the actual traffic flows. Even if the IKE/SA is up, strongSwan only applies encryption to packets that match the configured selectors; mismatched subnets or protocols result in cleartext traffic bypassing the tunnel.

Exam trap

The trap here is that candidates assume a successful IKE/SA establishment guarantees encryption for all traffic, but LPIC-2 tests the understanding that IPsec policies (SPD selectors) independently control which packets are encrypted, and a mismatch leaves traffic unencrypted.

How to eliminate wrong answers

Option B is wrong because if the firewall were blocking UDP port 500 (IKE), the VPN would not have established successfully—IKE negotiation would fail. Option C is wrong because `net.ipv4.ip_forward=0` disables IP forwarding between interfaces, which would prevent any traffic flow (encrypted or not) between sites, but the question states traffic flows unencrypted, so forwarding must be enabled. Option D is wrong because if the IPsec daemon (strongSwan's `charon`) were not started, the VPN could not have established at all; the successful establishment proves the daemon is running.

485
MCQmedium

A network administrator notices that VLAN tagging is not working on a Linux bridge. The bridge interface br0 has member ports eth0 and eth1. The administrator runs 'bridge vlan show' and sees that only the default VLAN 1 is present. What is the most likely cause?

A.The bridge is not enabled for VLAN filtering
B.The kernel module for VLAN is not loaded
C.The VLAN protocol is not set to 802.1Q
D.Ports eth0 and eth1 are not set to promiscuous mode
AnswerA

Without enabling VLAN filtering on the bridge, only the default VLAN (VLAN 1) is allowed.

Why this answer

The 'bridge vlan show' command only displays VLAN filtering information when VLAN filtering is enabled on the bridge. By default, Linux bridges operate in a simple switching mode without VLAN awareness, meaning all frames are forwarded regardless of VLAN tags. The administrator must explicitly enable VLAN filtering using 'ip link set dev br0 type bridge vlan_filtering 1' to activate per-VLAN forwarding and filtering, which is why only the default untagged VLAN 1 appears.

Exam trap

The trap here is that candidates assume VLAN tagging works automatically on a Linux bridge because they are familiar with VLAN interfaces or managed switches, but Linux bridges require explicit VLAN filtering configuration to process 802.1Q tags.

How to eliminate wrong answers

Option B is wrong because the kernel module for VLAN (8021q) is only required for creating VLAN interfaces (e.g., eth0.10) or for the host to process VLAN tags at the network layer; the bridge itself handles VLAN tagging natively when VLAN filtering is enabled, without needing the 8021q module. Option C is wrong because the VLAN protocol is implicitly 802.1Q in Linux bridges; there is no separate configuration to set the protocol, and the issue is not about protocol mismatch but about the bridge not being configured to filter VLANs. Option D is wrong because promiscuous mode is not required for VLAN tagging on a bridge; promiscuous mode allows a NIC to receive all packets, but VLAN filtering is a bridge-level feature independent of promiscuous mode on member ports.

486
MCQhard

A company wants to set up a Linux bridge to connect a wireless interface (wlan0) to a wired interface (eth0) to allow devices on the wired network to access the internet through the wireless uplink. The Linux server runs Debian with hostapd to create an access point on wlan0. The administrator creates a bridge br0 using brctl and adds eth0 and wlan0 as ports. They assign IP 192.168.10.1/24 to br0 and start hostapd. Clients on the wired network can access the internet, but cannot ping clients on the wireless network, and vice versa. The administrator verifies that both interfaces are enslaved to br0 (brctl show shows both). They also confirm that IP forwarding is enabled and there are no iptables rules blocking anything. Which of the following is the most likely cause?

A.The wireless interface wlan0 is not set to 4-address mode (WDS) to allow bridging.
B.The DHCP server is only listening on the bridge interface, not on the individual interfaces.
C.The hostapd configuration is missing the 'bridge' parameter to bind to the bridge.
D.The iptables firewall is blocking broadcast traffic between bridge ports.
AnswerA

Bridging requires 4-address frames on wireless interfaces.

Why this answer

A is correct because a standard wireless interface (station mode) uses 3-address frames (source, destination, BSSID) and drops frames with a fourth address, which is required for bridging. When a bridge forwards a frame from the wired side to the wireless side, it uses the MAC addresses of the original source and destination, but the wireless medium requires the fourth address (the transmitter address) to identify the bridge itself. Without enabling 4-address mode (WDS) on wlan0, the wireless driver will reject these bridged frames, preventing communication between wired and wireless clients.

Exam trap

The trap here is that candidates assume bridging works identically on wireless and wired interfaces, overlooking the 802.11 frame format limitation that requires 4-address mode for transparent bridging.

How to eliminate wrong answers

Option B is wrong because DHCP server scope does not affect Layer 2 bridging; clients on different sides of the bridge can still ping each other if the bridge forwards frames correctly, regardless of DHCP configuration. Option C is wrong because the 'bridge' parameter in hostapd is used to integrate with a bridge for DHCP forwarding and client isolation, but its absence does not prevent the bridge from forwarding frames between ports at Layer 2. Option D is wrong because the administrator explicitly confirmed there are no iptables rules blocking anything, and iptables does not filter traffic between bridge ports by default unless ebtables or netfilter bridge rules are configured.

487
MCQeasy

An administrator wants to implement network bonding for redundancy on a Linux server running RHEL 8. The server has two physical interfaces em1 and em2. The administrator creates a bond interface bond0 with mode active-backup (mode 1) and adds the slaves em1 and em2. They assign IP address 192.168.50.10/24 to bond0 and bring up the bond. The bond appears to work initially, with one slave active. However, when they disconnect the cable from the active slave, the bond does not fail over to the other slave. The administrator checks /proc/net/bonding/bond0 and sees that the link status for both slaves shows 'up' even after the disconnection. They confirm the bonding module is loaded and the mode is correct. Which of the following is the most likely missing configuration?

A.The MII monitoring interval (miimon) is not configured.
B.The bond interface requires a specific kernel module that is missing.
C.The slave interfaces were not set to 'down' before enslaving.
D.The bond mode is set to mode 0 instead of mode 1.
AnswerA

miimon is required for link monitoring.

Why this answer

The correct answer is A because in active-backup bonding mode (mode 1), the kernel bonding driver requires the MII (Media Independent Interface) monitoring interval (miimon) to be configured in order to detect link failures. Without miimon, the driver never polls the slave interfaces for link state changes, so even when a cable is disconnected, the driver continues to see the link as 'up' and does not trigger a failover. The administrator must set miimon=100 (or another value in milliseconds) in the bond configuration to enable periodic link monitoring.

Exam trap

The trap here is that candidates often assume active-backup mode automatically handles failover without additional configuration, but the LPIC-2 exam tests the understanding that link monitoring (miimon) must be explicitly configured for the bonding driver to detect physical link loss.

How to eliminate wrong answers

Option B is wrong because the bonding module is already loaded and the bond interface works initially, indicating the required kernel module (bonding) is present; a missing module would prevent the bond from working at all. Option C is wrong because setting slave interfaces to 'down' before enslaving is not a requirement for bonding; the bonding driver can enslave interfaces that are up, and the bond will manage their state. Option D is wrong because the administrator confirmed the mode is active-backup (mode 1), and the symptom of no failover despite correct mode points to a missing monitoring mechanism, not a mode mismatch.

488
MCQhard

A new client with IP 10.0.1.15 tries to connect to HTTPS on the server. Based on the exhibit, what happens?

A.The connection is dropped by rule 5.
B.The connection is rejected with an ICMP error.
C.The connection is accepted only if state RELATED.
D.The connection is accepted because 10.0.1.15 is in 10.0.0.0/8.
AnswerD

Matches rule 4, accepting HTTPS.

Why this answer

Option C is correct because 10.0.1.15 is in 10.0.0.0/8, so it matches rule 4 (ACCEPT https) and is allowed. Option A is wrong because rule 4 matches. Option B is wrong because rule 4 matches.

Option D is wrong because rule 5 is default drop only after all previous rules.

489
MCQmedium

An administrator notices that clients are unable to obtain IP addresses from the DHCP server. The server logs show 'no free leases' error. What is the most likely cause?

A.The DHCP server's subnet declaration does not match the client's network.
B.The DHCP server's address range is exhausted.
C.The dhcpd.conf file has invalid syntax.
D.The DHCP relay agent is misconfigured.
AnswerB

Directly matches the error message.

Why this answer

The 'no free leases' error indicates that the DHCP server has exhausted all available IP addresses in its configured pool. This occurs when the address range defined in the dhcpd.conf file has been fully allocated to clients and no leases are available for new requests. The server logs confirm this specific condition, making address exhaustion the most likely cause.

Exam trap

The trap here is that candidates may confuse 'no free leases' with configuration or relay issues, but the error message directly points to address pool exhaustion, not connectivity or syntax problems.

How to eliminate wrong answers

Option A is wrong because a subnet declaration mismatch would typically result in 'no subnet declaration' or 'not authoritative' errors, not 'no free leases'. Option C is wrong because invalid syntax in dhcpd.conf would cause the DHCP daemon to fail to start or report a configuration parse error, not a runtime lease exhaustion error. Option D is wrong because a misconfigured relay agent would prevent DHCP discover packets from reaching the server, resulting in no response or timeout, not a 'no free leases' error from the server.

490
MCQhard

A company is migrating from Apache HTTPD 2.2 to 2.4 and needs to configure SSL for a virtual host. The administrator wants to use modern security practices. Which of the following configurations is the most secure and recommended for Apache 2.4?

A.SSLEngine on; SSLProtocol -SSLv2 -SSLv3; SSLCipherSuite MEDIUM:!aNULL
B.SSLEngine on; SSLProtocol TLSv1.2 TLSv1.3; SSLCipherSuite ECDHE+AESGCM
C.SSLEngine on; SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1; SSLCipherSuite HIGH:!aNULL:!MD5
D.SSLEngine on; SSLProtocol all; SSLCipherSuite DEFAULT
AnswerC

Disables all insecure protocols and uses a strong, widely compatible cipher suite.

Why this answer

Option C is correct because it explicitly enables only TLS 1.2 and TLS 1.3 (by disabling SSLv3, TLSv1.0, and TLSv1.1) and uses the HIGH cipher suite with exclusion of aNULL (anonymous NULL ciphers) and MD5 (weak hash). This aligns with modern security standards (e.g., PCI DSS, NIST) and Apache 2.4's recommended hardening practices, avoiding deprecated protocols and weak ciphers.

Exam trap

The trap here is that candidates often choose Option B because they think specifying only TLSv1.2 and TLSv1.3 is sufficient, but they overlook that 'ECDHE+AESGCM' is not a complete cipher string and fails to exclude weak ciphers like those with MD5 or anonymous key exchange, which Apache will still negotiate if not explicitly denied.

How to eliminate wrong answers

Option A is wrong because it uses 'MEDIUM:!aNULL' which includes ciphers of only medium strength (e.g., 128-bit) and does not explicitly disable TLSv1.0 or TLSv1.1, leaving older, less secure protocols enabled; also, it lacks explicit TLSv1.2/TLSv1.3 support. Option B is wrong because 'ECDHE+AESGCM' is not a valid SSLCipherSuite syntax in Apache — it should use OpenSSL cipher string format like 'ECDHE+AESGCM:!aNULL:!MD5' and it omits disabling older protocols beyond TLSv1.2/TLSv1.3 (though it does specify them, it fails to exclude weak ciphers like those with MD5 or anonymous DH). Option D is wrong because 'SSLProtocol all' enables all protocols including SSLv2, SSLv3, TLSv1.0, and TLSv1.1, which are insecure; 'SSLCipherSuite DEFAULT' uses Apache's default cipher list, which may include weak or deprecated ciphers (e.g., RC4, 3DES) and does not enforce modern security.

491
MCQhard

A Linux router running FRR (Free Range Routing) needs to participate in OSPF with adjacent Cisco routers. Which configuration file should be modified to enable OSPF?

A./etc/quagga/ospfd.conf
B./etc/network/interfaces
C./etc/frr/frr.conf
D./etc/ospfd.conf
AnswerC

FRR main configuration file where OSPF, BGP, etc. are defined.

Why this answer

FRR (Free Range Routing) stores its unified routing protocol configuration in /etc/frr/frr.conf. This file is the primary configuration file for all FRR daemons, including OSPF, and is read by the frr service at startup. Modifying this file and then reloading FRR enables OSPF on the Linux router to peer with adjacent Cisco routers.

Exam trap

The trap here is that candidates familiar with the older Quagga project may assume the configuration file is still /etc/quagga/ospfd.conf, but FRR has replaced Quagga and uses /etc/frr/frr.conf as the single configuration file for all routing protocols.

How to eliminate wrong answers

Option A is wrong because /etc/quagga/ospfd.conf is the configuration file for the older Quagga project, not FRR; FRR is a fork of Quagga and uses its own directory structure. Option B is wrong because /etc/network/interfaces is used by Debian/Ubuntu for basic network interface configuration (IP addresses, routes) and does not control OSPF routing daemon settings. Option D is wrong because /etc/ospfd.conf is not a standard path for any routing suite; FRR does not use a separate ospfd.conf file and instead consolidates all protocol configurations into frr.conf.

492
MCQmedium

A company has multiple subnets and wants to implement policy-based routing to direct traffic from a specific development subnet (192.168.10.0/24) through a specialized firewall for content filtering, while all other traffic uses the default gateway. Which of the following steps is required to achieve this using iproute2 tools?

A.Use iptables to mark packets from the development subnet and then use ip rule to use the main table for marked packets.
B.Add an ip rule to route traffic from 192.168.10.0/24 to the firewall without creating a new table.
C.Add a static route to the main routing table for 192.168.10.0/24 pointing to the firewall.
D.Create a new routing table (e.g., table 100), add a default route via the firewall in that table, and add an ip rule to use table 100 for traffic from 192.168.10.0/24.
AnswerD

This correctly implements policy-based routing by using a separate routing table and a rule.

Why this answer

Option D is correct because policy-based routing (PBR) with iproute2 requires creating a separate routing table, adding a default route via the firewall in that table, and then using an ip rule to match traffic from the source subnet (192.168.10.0/24) and direct it to that custom table. This allows traffic from the development subnet to follow a different path than the default gateway, while all other traffic continues to use the main routing table.

Exam trap

The trap here is that candidates often confuse destination-based static routing (which affects where traffic goes) with source-based policy routing (which affects how traffic leaves), leading them to choose Option C or B instead of recognizing the need for a separate routing table and ip rule.

How to eliminate wrong answers

Option A is wrong because iptables marking is not required for source-based PBR; ip rule can match directly on source address without marks, and using the main table for marked packets would not route them through the firewall. Option B is wrong because ip rule without a custom table cannot override the default route; the rule must reference a distinct routing table that contains the desired default route via the firewall. Option C is wrong because adding a static route to the main routing table for 192.168.10.0/24 would only affect traffic destined to that subnet, not traffic originating from it; policy routing requires source-based rules, not destination-based routes.

493
MCQeasy

A security policy requires that all users must change their passwords every 90 days. Which command enforces maximum password age for an existing user 'jdoe'?

A.chage -M 90 jdoe
B.passwd -f jdoe
C.usermod -e 90 jdoe
D.chage -E 90 jdoe
AnswerA

Sets maximum number of days a password is valid.

Why this answer

The `chage -M 90 jdoe` command sets the maximum number of days a password is valid for user 'jdoe' to 90 days, enforcing the security policy. The `-M` option directly controls the password aging parameter that defines when the password must be changed, as stored in `/etc/shadow`.

Exam trap

The trap here is confusing the `-M` (maximum password age) option with the `-E` (account expiration) option, as both use a numeric argument but control entirely different aspects of user account lifecycle.

How to eliminate wrong answers

Option B is wrong because `passwd -f jdoe` forces a password change at the next login but does not set a maximum age limit; it only sets the 'force change' flag. Option C is wrong because `usermod -e 90 jdoe` sets the account expiration date to 90 days from the epoch (January 1, 1970), which would immediately expire the account, not enforce a 90-day password rotation. Option D is wrong because `chage -E 90 jdoe` sets the account expiration date to 90 days from the epoch, not the maximum password age; `-E` controls account expiry, not password aging.

494
MCQhard

A company is migrating from a workgroup environment to an Active Directory domain. The Samba server is already configured as a domain member using winbind. The administrator wants to ensure that files created by domain users on the Samba server are owned by the corresponding UNIX user accounts derived from the domain. Which idmap backend and configuration is recommended for this purpose?

A.idmap config * : backend = ad
B.idmap config * : backend = tdb
C.idmap config * : backend = autorid
D.idmap config * : backend = rid
AnswerD

This derives UIDs from RIDs for consistent mapping.

Why this answer

Option D is correct because the 'rid' backend uses the RID of domain users to generate consistent UNIX IDs without a mapping database, which is simple and common. Option A is wrong because 'tdb' is for local mapping, not consistent across machines. Option B is wrong because 'ad' requires RFC2307 schema in AD.

Option C is wrong because 'autorid' is for multiple domains but may not provide consistent IDs.

495
MCQmedium

A company uses BIND9 as the authoritative name server for its public zone example.com. External users report that they cannot resolve the MX record for the domain, but internal users can. What is the most likely cause?

A.The zone file lacks an MX record.
B.The allow-query ACL restricts queries to the internal network.
C.The server is behind a firewall that blocks UDP port 53.
D.The recursion is set to no.
AnswerB

If allow-query limits to internal IPs, external queries are rejected, causing resolution failures for external users.

Why this answer

Option B is correct because the allow-query ACL in BIND9 restricts which source IP addresses are permitted to send queries to the server. If it is set to allow only the internal network (e.g., 192.168.0.0/16), external users' queries are rejected, causing resolution failures for MX records and all other records. Internal users succeed because their IPs match the ACL, while external users receive a REFUSED response or no answer.

Exam trap

The trap here is that candidates often confuse allow-query (which controls who can send queries) with allow-transfer (zone transfers) or recursion settings, or they assume a missing record is the cause when the symptom is selective failure based on client location.

How to eliminate wrong answers

Option A is wrong because if the zone file lacked an MX record, internal users would also fail to resolve it, but the problem states internal users can resolve it. Option C is wrong because a firewall blocking UDP port 53 would prevent all DNS traffic (both internal and external) from reaching the server, yet internal users succeed. Option D is wrong because setting recursion to no only prevents the server from performing recursive queries on behalf of clients; it does not affect the server's ability to answer authoritative queries for its own zones, such as the MX record for example.com.

496
Multi-Selecteasy

Which THREE of the following actions are recommended as initial security hardening steps after installing a new Linux server? (Choose three.)

Select 3 answers
A.Update all packages using the package manager.
B.Disable root login via SSH.
C.Install a graphical desktop environment for easier administration.
D.Enable and configure a firewall (e.g., iptables or firewalld).
E.Set up a web server to monitor system status.
AnswersA, B, D

Ensures the latest security patches are applied.

Why this answer

Options A, C, and E are correct. Updating packages fixes known vulnerabilities. Disabling root SSH login reduces attack surface.

Enabling a firewall restricts network access. Option B is wrong because installing a graphical desktop increases attack surface and is unnecessary. Option D is wrong because setting up a web server is an application, not a security hardening step.

497
MCQmedium

A firewall rule set is implemented using iptables. The administrator wants to allow incoming SSH connections only from the 192.168.1.0/24 subnet, while all other incoming traffic is dropped. Which set of rules achieves this?

A.iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT iptables -A INPUT -j DROP
B.iptables -A INPUT -p tcp --sport 22 -s 192.168.1.0/24 -j ACCEPT iptables -A INPUT -j DROP
C.iptables -A INPUT -p tcp --dport 22 -j DROP iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
D.iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j DROP
E.iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -j DROP
AnswerA

Allows SSH from subnet, then drops all other input.

Why this answer

Option D is correct. First, allow SSH from the subnet, then drop all other incoming traffic. Option A drops before allowing, B uses wrong syntax (dport with --sport), C allows all SSH before restricting, and E is correct but uses DROP instead of REJECT; however, the question does not specify preference, but D is more standard.

Actually, D uses DROP which is fine. Option E allows SSH from anywhere then restricts? No, E uses both ACCEPT and DROP in order; first rule allows all SSH, second drops all input, so SSH from anywhere would be allowed. So D is best.

498
MCQmedium

A company wants to host multiple websites on a single Apache server with different domain names. Which approach is most appropriate?

A.Name-based virtual hosting
B.IP-based virtual hosting
C.Port-based virtual hosting
D.Using mod_rewrite for each domain
AnswerA

Allows multiple domain names on a single IP/port using the Host header.

Why this answer

Name-based virtual hosting allows a single Apache server to serve multiple websites using the same IP address and port by relying on the HTTP Host header sent by the client. This is the most efficient and commonly used method for hosting multiple domains on one server, as it conserves IP addresses and requires minimal configuration via the `<VirtualHost *:80>` directive.

Exam trap

The trap here is that candidates often confuse name-based virtual hosting with IP-based hosting, assuming each domain needs its own IP address, or mistakenly think mod_rewrite can handle domain routing without virtual host containers.

How to eliminate wrong answers

Option B is wrong because IP-based virtual hosting requires a separate IP address for each domain, which is wasteful and often impractical given IPv4 address scarcity. Option C is wrong because port-based virtual hosting uses different TCP ports (e.g., 8080, 8081) for each site, which is not user-friendly as users would need to specify non-standard ports in URLs. Option D is wrong because mod_rewrite is a URL rewriting engine, not a virtual hosting mechanism; it cannot serve different content based solely on the domain name without additional virtual host containers.

499
MCQhard

An administrator wants to create a chroot environment for a potentially compromised service. The service needs to read /etc/resolv.conf and /etc/hosts, and run from a directory /chroot/service. Which of the following steps is essential to ensure the chroot environment is secure and functional?

A.Set the chroot directory to be read-only.
B.Mount /proc within the chroot jail.
C.Copy only the service binaries and configuration files into the chroot.
D.Create /dev/null and /dev/random inside the chroot using mknod.
AnswerD

Device files are required for many system calls; without them, the service may crash or hang.

Why this answer

Option B is correct because the chroot environment must contain the necessary device files for system calls. Option A is wrong because copying binaries into the chroot is not always sufficient; they must be linked against libraries available inside. Option C is wrong because /proc should be mounted for some services but not essential for basic resolution files; however, it is often needed.

Option D is wrong because setting the jail to read-only filesystem is a security measure but not essential for functionality. The most essential step is to create device nodes (like /dev/null, /dev/random) because many services require them.

500
MCQmedium

Refer to the exhibit. What is the effect of this sudoers configuration?

A.Users alice and bob can run any software command on the localhost only.
B.Members of ADMINS can run any command as root on any host.
C.Users alice and bob can run apt-get and dpkg on any host as root, requiring a password.
D.Users alice and bob can run apt-get and dpkg without a password.
AnswerC

The configuration grants exactly that: the specified commands, on any host, with password prompt.

Why this answer

The directive 'ADMINS ALL = SOFTWARE' grants members of the ADMINS group (alice and bob) permission to run the commands in SOFTWARE (apt-get and dpkg) on any host (ALL) as root. No NOPASSWD tag is present, so a password is required.

501
MCQhard

A Linux system administrator is tasked with upgrading the kernel on a server running a custom compiled kernel (version 4.19) with many in-house modules. The new kernel (5.10) has significant changes, including a different API for some module functions. After compiling the new kernel and the modules, the system boots but some modules fail to load with 'Unknown symbol' errors. The administrator needs to identify which symbols are missing and fix the modules. Which of the following is the most effective approach?

A.Check dmesg for each module load error and recompile modules one by one
B.Rename the missing symbols in the source code to match the new kernel's exported symbols
C.Run 'modprobe --dump-modversions mymodule.ko' and compare with 'cat /proc/kallsyms' to identify mismatches
D.Use 'nm mymodule.ko' to list all symbols and manually compare with the kernel's symbol table
AnswerC

This method systematically shows which symbols the module requires and whether they are present in the running kernel.

Why this answer

Option C is correct because `modprobe --dump-modversions mymodule.ko` displays the symbol version (CRC) checksums for each symbol the module uses, and comparing these with `/proc/kallsyms` (which lists all symbols exported by the running kernel along with their CRC values) directly pinpoints which symbols have mismatched versions. This is the most efficient method to identify 'Unknown symbol' errors caused by API changes between kernel 4.19 and 5.10, as it reveals exactly which symbols need updating in the module source code.

Exam trap

The trap here is that candidates often assume symbol name matching is sufficient (Option D) or that recompiling blindly (Option A) will fix the issue, when in fact the kernel's symbol versioning (CRC) mechanism is what causes the failure, and only a version-aware comparison can diagnose it correctly.

How to eliminate wrong answers

Option A is wrong because checking dmesg for each module load error and recompiling modules one by one is a slow, trial-and-error approach that does not provide a systematic way to identify all missing or mismatched symbols at once. Option B is wrong because renaming missing symbols in the source code to match the new kernel's exported symbols is incorrect; the issue is not the symbol name but the version (CRC) mismatch due to API changes, and renaming would break the module's logic or cause further errors. Option D is wrong because `nm mymodule.ko` lists all symbols in the module but does not show the version (CRC) information needed to detect API mismatches; it only shows symbol names, which may be identical even when the underlying function signatures have changed.

502
Matchingmedium

Match each system log to its typical content.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

General system messages (legacy)

System log on Debian-based systems

Authentication and security events

Kernel messages

Mail server logs

Why these pairings

These log files are commonly found in Linux systems.

503
MCQhard

A Samba server is configured with 'security = ads' and joined to an Active Directory domain. Users can authenticate but cannot access shares. The smb.conf includes 'winbind use default domain = yes'. What could be the problem?

A.The 'winbind use default domain' option should be 'no'
B.The 'idmap backend' is not configured
C.The Samba server's time is not synchronized with the domain controller
D.The 'valid users' parameter uses domain prefix while default domain is set
AnswerD

If valid users expects 'DOMAIN\user' but winbind strips the domain, authentication fails.

Why this answer

When 'winbind use default domain = yes' is set, Winbind strips the domain prefix from usernames, so users authenticate as 'username' instead of 'DOMAIN\username'. If the 'valid users' parameter in a share definition explicitly uses the domain prefix (e.g., 'valid users = DOMAIN\username'), the stripped username will not match, and access is denied. This mismatch is the most direct cause of authentication succeeding but share access failing.

Exam trap

The trap here is that candidates assume authentication success means all Samba operations are fine, overlooking the subtle interaction between 'winbind use default domain' and share-level access control parameters like 'valid users'.

How to eliminate wrong answers

Option A is wrong because setting 'winbind use default domain = no' would require users to always specify the domain prefix, which does not resolve the mismatch if 'valid users' already uses a prefix; the core issue is the inconsistency between the default domain setting and the share's user specification. Option B is wrong because the 'idmap backend' configuration is essential for mapping SIDs to UIDs/GIDs, but a missing or misconfigured idmap backend typically causes authentication failures or inability to resolve user identities, not a scenario where users can authenticate but cannot access shares due to a 'valid users' mismatch. Option C is wrong because time synchronization with the domain controller is critical for Kerberos authentication; if time were out of sync, authentication itself would fail (with a clock skew error), not just share access.

504
MCQhard

Refer to the exhibit. What is the most likely cause of this Apache error?

A.The filesystem containing the logs is full.
B.The server is out of memory.
C.The semaphore limit for the Apache user is exceeded.
D.The RewriteMap file specified is missing.
AnswerC

Apache uses semaphores for lock files; exhausting semaphore limits causes this error.

Why this answer

The Apache error 'semaphore limit exceeded' occurs when the number of semaphores allocated to the Apache user exceeds the system-wide or per-user semaphore limit. Apache uses semaphores for inter-process communication (IPC) in its prefork or worker MPMs to coordinate child processes. The correct answer is C because this error directly indicates that the kernel's semaphore limits (e.g., `SEMMSL`, `SEMMNS`, or `SEMOPM` in `/proc/sys/kernel/sem`) have been exhausted for the Apache user, often due to too many child processes or a misconfigured `MaxClients` directive.

Exam trap

The trap here is that candidates often confuse semaphore errors with disk space or memory issues, but LPIC-2 specifically tests knowledge of IPC resource limits and their impact on Apache MPM behavior.

How to eliminate wrong answers

Option A is wrong because a full filesystem containing logs would typically produce 'No space left on device' errors in Apache's error_log, not a semaphore-related error. Option B is wrong because out-of-memory conditions usually manifest as 'Cannot allocate memory' or 'fork: Cannot allocate memory' errors, not semaphore limit errors. Option D is wrong because a missing RewriteMap file would generate a configuration parsing error or 'RewriteMap: cannot open file' message during Apache startup or reload, not a runtime semaphore error.

505
MCQhard

A database server experiences performance degradation. Analysis shows high I/O wait on a LVM logical volume that uses striping across two physical volumes. What is the most effective way to improve performance?

A.Add a cache layer using lvmcache on a fast SSD
B.Increase the stripe size and recreate the LV
C.Add an additional PV to the VG and extend the LV
D.Convert the LV to use linear mapping instead of striping
AnswerA

Caching with SSDs accelerates reads and writes, reducing I/O wait.

Why this answer

Adding a cache layer using lvmcache on a fast SSD is the most effective way to reduce high I/O wait because it places frequently accessed (hot) data on the faster SSD while keeping the bulk of data on the slower striped HDDs. This directly addresses the I/O bottleneck without requiring data migration or downtime, and it leverages the existing striped layout for sequential throughput while improving latency for random reads/writes.

Exam trap

The trap here is that candidates assume striping alone maximizes performance, but they overlook that high I/O wait is often due to random access latency, which a cache layer directly mitigates without requiring a disruptive reconfiguration.

How to eliminate wrong answers

Option B is wrong because increasing the stripe size and recreating the LV would require taking the volume offline and migrating all data, which is disruptive and may not reduce I/O wait if the bottleneck is random access latency rather than sequential throughput. Option C is wrong because adding an additional PV to the VG and extending the LV would increase total capacity but does not inherently improve I/O wait; it could even increase contention if the new PV is equally slow. Option D is wrong because converting the LV to linear mapping would eliminate the parallelism of striping, likely worsening performance for workloads that benefit from concurrent I/O across multiple disks.

506
MCQeasy

An administrator wants to drop incoming TCP packets on port 22 from IP 10.0.0.5 using iptables. Which command is correct?

A.iptables -A INPUT -d 10.0.0.5 -p tcp --dport 22 -j DROP
B.iptables -A FORWARD -s 10.0.0.5 -p tcp --dport 22 -j DROP
C.iptables -A OUTPUT -s 10.0.0.5 -p tcp --dport 22 -j DROP
D.iptables -A INPUT -s 10.0.0.5 -p tcp --dport 22 -j DROP
AnswerD

This correctly matches incoming packets from 10.0.0.5 to port 22 and drops them.

Why this answer

The correct command uses the INPUT chain, source IP, protocol TCP, destination port 22, and target DROP. Options A, B, and C use incorrect chains or directions.

507
MCQmedium

An administrator needs to add support for a new hardware device by compiling a kernel module. After compiling the module against the current kernel source, the module fails to load with 'modprobe: ERROR: could not insert 'mymod': Unknown symbol in module'. Which of the following is the most likely cause?

A.The module has not been signed for Secure Boot
B.The module was compiled against a different kernel version than the running kernel
C.The module's dependencies are missing
D.The module name conflicts with a built-in driver
AnswerB

Symbols exported by the kernel change between versions; the module must be compiled against the exact running kernel.

Why this answer

The error 'Unknown symbol in module' indicates that the module references a kernel symbol (function or variable) that is not present in the currently running kernel. This most commonly occurs when the module was compiled against a different kernel version or configuration than the running kernel, causing symbol version mismatches. The kernel's symbol versioning (CONFIG_MODVERSIONS) checks CRC values of exported symbols, and a mismatch prevents insertion.

Exam trap

The trap here is that candidates often confuse 'Unknown symbol' with missing dependencies (Option C), but the error specifically points to a symbol version mismatch, not a missing module dependency chain.

How to eliminate wrong answers

Option A is wrong because Secure Boot signature issues produce a different error (e.g., 'Required key not available' or 'Module has invalid ELF structures'), not 'Unknown symbol'. Option C is wrong because missing dependencies cause 'Unknown symbol' errors only if the dependency module itself is not loaded, but the error message would typically name the missing symbol; however, the primary cause here is version mismatch, not dependency order. Option D is wrong because a name conflict with a built-in driver would cause a different error (e.g., 'Module already present in kernel' or 'insmod: ERROR: could not insert module mymod: File exists'), not an unknown symbol error.

508
MCQeasy

A system administrator wants to ensure that all commands executed by root are logged to a remote syslog server. Which rsyslog configuration directive should be used?

A.auth.* @192.168.1.100
B.authpriv.* @192.168.1.100
C.user.* @192.168.1.100
D.kern.* @192.168.1.100
AnswerB

authpriv facility logs security/authorization messages including sudo commands.

Why this answer

Option B is correct because the `authpriv` facility in rsyslog is specifically designated for security and authorization messages, including all commands executed by root via `sudo` or direct login. The directive `authpriv.* @192.168.1.100` sends all messages from this facility to the remote syslog server at UDP port 514. This matches the requirement to log root's commands, as Linux systems typically log such events under the `authpriv` facility.

Exam trap

The trap here is confusing `auth` with `authpriv` — candidates often pick `auth.*` thinking it covers all authentication, but `authpriv` is the correct facility for privileged command logging and is a key distinction tested in LPIC-2.

How to eliminate wrong answers

Option A is wrong because `auth.*` covers general authentication events (e.g., login attempts) but not the detailed command logging from root's sessions, which is specifically assigned to `authpriv`. Option C is wrong because `user.*` is for generic user-level messages, not security-related command logs. Option D is wrong because `kern.*` captures kernel messages, not user command execution logs.

509
MCQhard

An administrator configures an NIS client by running 'ypbind' and updating /etc/nsswitch.conf to include 'nis' for passwd, shadow, and group. However, 'getent passwd' still shows only local users. Which step is most likely missing?

A.Restart the ypserv service on the client.
B.Execute 'yppasswd' to initialize NIS client.
C.Edit /etc/yp.conf to specify the NIS server's domain and address.
D.Run 'make -C /var/yp' on the client.
AnswerC

ypbind needs this to locate the server.

Why this answer

The NIS client must know which NIS server to contact for domain information. This is configured in /etc/yp.conf, which specifies the NIS domain name and the server's hostname or IP address. Without this file, ypbind cannot locate a server, so getent falls back to local sources despite nsswitch.conf listing 'nis'.

Exam trap

The trap here is that candidates assume updating nsswitch.conf alone is sufficient, overlooking the mandatory /etc/yp.conf configuration that ypbind requires to discover and bind to an NIS server.

How to eliminate wrong answers

Option A is wrong because ypserv is the NIS server daemon, not a client service; restarting it on the client is meaningless and would not configure the client to find a server. Option B is wrong because yppasswd is used to change NIS passwords, not to initialize or enable NIS client functionality. Option D is wrong because 'make -C /var/yp' rebuilds the NIS server's maps (typically run on the server), not on the client, and has no effect on client-side resolution.

510
Multi-Selecteasy

Which two commands can be used to trace the delegation path of a DNS domain? (Choose two.)

Select 2 answers
A.dig +trace
B.nslookup -type=any
C.host -C
D.dig -x
E.whois
AnswersA, C

dig +trace follows the delegation chain from root servers.

Why this answer

The `dig +trace` command performs a full iterative DNS resolution from the root nameservers down to the authoritative nameservers for the queried domain, showing each delegation step. The `host -C` command queries the SOA record and displays the authoritative nameservers for the domain, which can be used to trace the delegation chain. Both commands reveal the hierarchical delegation path of a DNS domain.

Exam trap

The trap here is that candidates often confuse `nslookup -type=any` with a delegation tracing tool, but it only returns all records from the resolver's cache without following the delegation chain, and `dig -x` is mistakenly thought to trace something because of the 'trace' keyword in the option.

511
Drag & Dropmedium

Order the steps to configure a Linux system as a router using iptables.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Enable forwarding, set policies, add NAT and forward rules, then save.

Page 6

Page 7 of 7

All pages