CompTIA Linux+ Practice Test (XK0-005)

Systemd considers any non-zero exit status a failure by default, so ExecStop commands are skipped after a failed start. The SuccessExitStatus directive overrides this behavior by listing exit codes that should be regarded as clean exits. Adding SuccessExitStatus=2 makes code 2 a normal exit, allowing the service to stop cleanly and execute ExecStop. Restart=on-failure would restart the unit rather than adjust success criteria. Changing the Type does not affect acceptable exit codes. ValidExitCodes is not a valid directive.

A process that has completed execution but still has an entry in the process table is in the 'zombie' state. This occurs when a process has finished running, but its parent has not yet called wait() to read the child's exit status, leaving an entry in the process table as a 'zombie' that needs to be reaped. This is why the 'zombie' state is also sometimes referred to as a 'defunct' process. The other options are incorrect: 'running' is when a process is actively being executed; 'sleeping' is when a process is waiting for a resource or event; 'stopped' is when a process has been paused, typically by a signal, not when it has finished execution.

The correct command uses the wget -O option. The -O (short for --output-document) flag writes the downloaded content to a specified file. In this scenario, it saves the patch with the desired descriptive filename vendor_patch_2025-10-07.tar.gz instead of the original, non-descriptive name from the URL. The --output-file option is incorrect because it redirects log messages from wget to a file, rather than saving the downloaded content. The --save-as and --download-as options are not valid for the wget command.

The nmap command can test connectivity to a specific TCP port on a remote host and report whether that port is open. By specifying the -p option with 80 (the default HTTP port) and the target's IP address, nmap sends the necessary probe packets and interprets the response, confirming both that the service is listening and that the port is reachable. openssl s_client focuses on initiating an SSL/TLS handshake; when pointed at an unencrypted HTTP port it typically hangs or errors, so it is not ideal for simple port-reachability tests. netstat displays sockets on the local system only and cannot interrogate a remote host. dig is used for DNS lookups, not for checking open ports.

Using the block-size option with a gigabyte parameter forces output into gigabyte units; other options either mix units, use megabytes, or apply SI prefixes variably. Specifically, the chosen invocation prints sizes with a “G” suffix for clarity.

The correct answer is ufw allow 443/tcp because it allows incoming TCP traffic on port 443, which is the standard port for HTTPS traffic. ufw allow 80/tcp is incorrect because it opens port 80 (HTTP), not 443. ufw deny 443/tcp explicitly blocks the required traffic. Finally, ufw allow 443/udp permits UDP on 443, whereas HTTPS relies on the TCP protocol.

ssh-add -t 3600 adds the private key to the agent with a maximum lifetime of 3 600 seconds (one hour). When that time elapses, the agent removes the key automatically-whether or not the key has been used-thereby limiting the window in which the credential is available.

• -T tests that a given public key matches a private key already in the agent; it does not set a lifetime.
• -x locks the agent with a passphrase, preventing further use of stored keys.
• -X unlocks a previously locked agent. None of these alternatives schedule automatic key removal.

The '-A' option in Nmap enables aggressive scanning, which combines OS detection, version detection, script scanning, and traceroute. This thorough scanning option is informative for deep network analysis. The '-sn' option is for ping scanning (host discovery), '-p-' scans all 65535 ports, and '-o' is an invalid option as it lacks the specifics for output files like '-oN' or '-oX'.

The correct answer is enable. The systemctl enable command is used to create a set of symlinks, so the specified unit is started automatically during the boot process. start only initiates the service immediately but does not configure it to start on boot. status provides the current status of the unit and does not modify its startup behavior. reload is used to re-read the configuration of a service without interrupting its operation.

The correct answer is chattr +i /path/to/file. The chattr command changes the file attributes on a Linux file system. The +i attribute makes a file immutable, which means that the file can neither be modified nor deleted, and new links cannot be created to it. This is an advanced method for securing files that are not commonly modified but are critical to system security. The incorrect options either do not directly apply to the prevention of hard link creation, use an incorrect attribute, or are unrelated to file attributes.

The grub2-install command is used to install the GRUB2 bootloader to the MBR when a system is using BIOS firmware. This command is critical when repairing or reconfiguring the GRUB2 installation. The grub2-mkconfig command generates a new GRUB2 configuration file based on the current system settings, but does not install GRUB to the MBR. There is no such command as grub2-update, and while update-grub is a wrapper script commonly found in Debian-based Linux distributions that calls grub2-mkconfig, it is not the correct command for installing GRUB2 to the MBR.

The -i.bak option tells the stream editor to modify the file directly and save the original with a .bak suffix. The s/ISSUE/NOTICE/g pattern performs a global replacement of every alert tag. Redirecting output without -i would not alter the original file, omitting the backup suffix would leave no saved copy, and awk or perl solutions either lack built-in backup support or use different syntax for backup creation.

The correct answer is ifconfig. The ifconfig command is one of the most commonly used programs from the net-tools suite for network interface configuration. In its basic form, it allows users to configure, manage, and query the settings of network interfaces. It's important to note that while ifconfig is still used on many systems, it is considered deprecated in favor of the more modern ip command from the iproute2 suite. The other answers are not correct because netstat is mainly used for displaying network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. iwconfig is used to configure wireless network interfaces, and hostname is used to show or set the system's host name, not to manage network interfaces.

The correct command is pkexec network-configuration-tool. The pkexec wrapper hands the request to PolicyKit, which evaluates the defined policies and, if necessary, invokes the desktop's polkit authentication agent to display a GUI password dialog. Running sudo network-configuration-tool would bypass PolicyKit and only present a terminal prompt. polkit network-configuration-tool is invalid because polkit is the privilege framework, not a launcher. pexec is an unrelated parallel-execution utility and provides no privilege-escalation or PolicyKit integration.

The pwd command (print working directory) returns the absolute path of the current directory. Capturing its output with command substitution $(pwd) is the standard and most reliable method for this task. The distractor dirname $0 would return the directory containing the script file itself, which is not necessarily the same as the directory it was executed from. which $0 is not a valid use of which, as which locates a command in the user's PATH, it does not operate on script paths this way. The correct shell variable for the current working directory is PWD, not CWD, making EXEC_DIR=$CWD incorrect.

OnBootSec=10min is the correct directive because it triggers the timer a specified period after the system booted. OnActiveSec=10min measures time from when the timer itself is activated-typically boot, but not always if the timer is started later. OnUnitActiveSec=10min and OnCalendar=*:0/10 relate to the last activation of the associated unit and wall-clock calendar events, respectively, so they do not guarantee a delay relative to boot.

In a public key infrastructure (PKI) and TLS handshake, the server's private key has two primary functions. First, it is used to decrypt data that has been encrypted by a client using the server's corresponding public key (e.g., the pre-master secret in an RSA key exchange). Second, it is used to create a digital signature on parts of the handshake data, which proves to the client that the server is the legitimate owner of the public key and certificate. The private key must always be kept secret on the server.

The read builtin pauses the script, waits for input from stdin, and stores the entered text in the specified variable-in this case USERNAME. Commands such as echo only display text, source executes another file in the current shell, and grep searches existing files; none of these capture live keyboard input, making read the only appropriate choice for this task.

The correct command is ./deploy.sh 2>&1 | tee deploy.log. Here's a breakdown of why: 2>&1 redirects the standard error (file descriptor 2) to the same location as standard output (file descriptor 1). The pipe | then takes this combined stream and sends it to the tee command's standard input. tee then does two things: it prints the stream to its standard output (the terminal) and also writes it to the specified file, deploy.log. The option ./deploy.sh > deploy.log 2>&1 redirects all output to the file, but nothing is displayed on the terminal. The option ./deploy.sh | tee deploy.log only pipes stdout to tee; stderr is not captured and will be displayed on the terminal but not written to the log file. The option ./deploy.sh | tee -a deploy.log also fails to capture stderr and incorrectly appends to the log file instead of overwriting it, as specified by the scenario.

Type=notify is used for daemons that call sd_notify() to send a READY=1 message to the systemd notification socket. Systemd will not mark the service active, nor start units that depend on it, until this message is received. Type=simple is considered active immediately after the main process is forked (or execed in the case of Type=exec). Type=forking assumes the service is ready once the parent process exits. Type=dbus waits until the specified D-Bus name is acquired. Only notify relies on an explicit ready signal from the service itself.