CompTIA Linux+ Practice Test (XK0-006)

The invocation deluser --remove-home charlie removes the user account and deletes only the user's home directory and mail spool, leaving every other file the user owns elsewhere on the filesystem intact, and it performs no backup. Running deluser charlie without options leaves the home directory behind, so policy is not met. Using --remove-all-files eradicates every file owned by charlie, including those in /srv/projects/, which violates the requirement to preserve project data. The command with --backup-to implicitly enables the backup feature, creating an archive before deletion and therefore breaks the "no backup" rule.

The correct command is systemd-analyze blame. This command displays a list of all running units, sorted in descending order by the time they took to initialize. This allows an administrator to quickly identify the services that consumed the most time during the boot process.

• systemd-analyze critical-chain is incorrect because it shows the chain of dependencies that are critical to the boot process, rather than a simple list of the slowest individual units.
• systemctl list-units --state=failed is incorrect as it only lists units that failed to start, not units that started successfully but were slow.
• top is incorrect because it is a real-time process monitoring tool used to view system resource usage after the system has booted, not to analyze the boot process itself.

The correct command is hostname -I. The -I or --all-ip-addresses option is used to display all network addresses for the host.

• The hostname -f command is incorrect as it displays the Fully Qualified Domain Name (FQDN), not the IP address.
• The hostname -d command is incorrect because it displays the DNS domain name.
• The hostname -a command is incorrect as it displays the host's alias name, if one is configured.

The :z suffix on a bind-mount or -v option tells the container engine to relabel the host path with the shared container_file_t type and no unique MCS category. Any container that mounts the same path with :z will then have SELinux permission to access it, satisfying the requirement that multiple containers share the directory. The :Z suffix applies a private, unique MCS label that prevents other containers from using the directory. The :shared flag relates to mount-propagation, not SELinux contexts, and leaving the mount unlabeled typically causes SELinux to deny access when the second container tries to use the directory.

The correct option is nofail. This option instructs the system not to report errors for this device if it does not exist, allowing the boot process to continue without interruption. The auto option, which is a default setting, will cause the system to attempt to mount the filesystem at boot, which can lead to delays or entry into emergency mode if the device is not present. The remount option is used to change the mount properties of an already mounted filesystem and is not used for initial mounting at boot. The nodev option is a security measure that prevents the interpretation of character or block special devices on the filesystem and does not relate to handling mount failures.

Effective prompt engineering is iterative: you supply the model with concrete feedback about what was wrong and instruct it to revise the earlier result. The option that names the two specific defects (deprecated API version and missing resource limits) and directs the model to return an updated manifest gives the model the contextual information it needs and avoids vague language. Simply regenerating without details, starting a new chat, or telling the model to "fix anything wrong" lacks the clarity and specificity needed for reliable improvement.

The ":Z" suffix tells Docker (or Podman) to relabel the mount point with a private SELinux label that is unique to the first container. When a second container tries to use that path, its processes carry a different MLS/MCS label and SELinux blocks access. Replacing ":Z" with ":z" applies a shared label (container_file_t without categories), allowing any container to read and write the content while SELinux remains enforcing. Using --privileged or label=disable would also bypass the denial, but those options remove most of the confinement and are not the recommended or least-privilege fix. Adding :ro would prevent writes and still use the private label, so the problem would persist.

The getenforce utility reports the current SELinux enforcement mode. When it returns "Permissive", the SELinux policy is loaded and every attempted access is still checked against that policy, but violations are only logged (as AVC messages) rather than blocked. In contrast, "Enforcing" would actively deny disallowed operations, "Disabled" would unload the SELinux module entirely and stop both labeling and logging, and the term "targeted" refers to a specific policy type rather than an enforcement mode. Therefore, the only accurate description of the Permissive state is that enforcement is turned off while auditing remains active.

The correct command is sed -i 's/192.168.1.5/10.10.0.5/g' app.conf. Here is a breakdown of the command:

• sed is the stream editor command.
• The -i option stands for "in-place" and modifies the file directly.
• 's/old/new/g' is the substitution command.
  • s indicates the substitute command.
  • /192.168.1.5/ is the pattern to search for.
  • /10.10.0.5/ is the replacement string.
  • g is the global flag, which ensures all occurrences on each line are replaced, not just the first one. The command sed 's/192.168.1.5/10.10.0.5/g' app.conf is incorrect because it lacks the -i flag; it will only print the modified text to standard output and will not save the changes to the file. The command sed 's/192.168.1.5/10.10.0.5/g' app.conf > app.conf is incorrect and dangerous. The shell processes the redirection > by truncating the output file (app.conf) before the sed command runs. This results in sed reading an empty file and the original content being lost. The command sed -i 's/192.168.1.5/10.10.0.5/' app.conf is incorrect because it is missing the global g flag. It would only replace the first occurrence of the IP address on any given line.

GRUB2 stores the menu that the firmware actually reads in /boot/grub/grub.cfg, but on Debian-based systems that file is regenerated automatically from templates each time update-grub (or a kernel package) is run. Persistent kernel command-line changes are therefore made in /etc/default/grub, usually by editing the GRUB_CMDLINE_LINUX (or GRUB_CMDLINE_LINUX_DEFAULT) variable and then regenerating the menu with update-grub. Editing /boot/grub/grub.cfg directly will work only until the next update overwrites it. The script /etc/grub.d/40_custom is meant for adding entirely new menu entries, not for changing the parameters of the distribution-generated entries. /etc/fstab influences how filesystems are mounted after the kernel has already mounted its root filesystem, so changing it will not fix a root= mismatch during early boot.

The Common Vulnerability Scoring System (CVSS) is a standardized framework used to rate the severity of software vulnerabilities. It assigns a numerical score from 0.0 to 10.0, where a higher score indicates a more severe vulnerability. When prioritizing remediation efforts, administrators should address the vulnerability with the highest CVSS score first. In this scenario, the remote code execution (RCE) vulnerability has a CVSS score of 9.8, which falls into the "Critical" severity range (9.0-10.0). This type of vulnerability poses the most significant threat and must be addressed immediately. The other vulnerabilities have lower scores, indicating they are of 'High' (7.0-8.9) or 'Medium' (4.0-6.9) severity, and should be handled after any critical issues are resolved.

The correct command is lsof /var/log/syslog. The lsof (List Open Files) command is used to display information about files that are open by various processes. When given a file path as an argument, it will list all processes that have that specific file open, along with details like the PID, user, and command name. The ps -ef | grep /var/log/syslog command is incorrect because ps lists running processes, but grepping for a file path is not a reliable way to find which process has a file open, as the file path is not typically part of the process's command line information. The file /var/log/syslog command is used to determine the type of a file (e.g., ASCII text, binary), not which process is using it. The stat /var/log/syslog command displays detailed file metadata like size, permissions, and timestamps, but does not show process-related information.

Replacing secrets and host details with placeholders prevents accidental disclosure of regulated data, while mandatory peer review ensures that any AI-generated code is checked for accuracy, security, and compliance before it reaches the repository. The other approaches expose credentials, bypass human quality assurance, violate corporate policy, or rely on a personal account that offers no organizational oversight, all of which conflict with recommended responsible-AI practices.

The --update ( -u ) option tells Git to update the index only where an entry already exists. It therefore stages changes to tracked files-including deletions-without touching any brand-new, untracked paths. Using git add -u (optionally with a pathspec such as ".") achieves exactly what is required.

• git add -A or git add --all would also stage the new untracked files because it adds, modifies, and removes entries to match the working tree.
• git add . stages modifications to tracked files and adds new files found under the current directory (since Git 2.0, it also stages deletions), so the unwanted files would be included.
• git add -i enters interactive mode; it could accomplish the task, but only after extra manual steps, so it does not meet the constraint of a single non-interactive command.

The correct choice is ipvlan. In both L2 and L3 modes, the ipvlan driver gives each container an IP address that is visible on the physical network, but all sub-interfaces reuse the parent interface's single MAC address. This conserves MAC entries on the switch while still allowing the containers to be addressed individually by IP.

• macvlan is wrong because it assigns a distinct MAC address to each container, quickly exceeding the switch's one-MAC limit.
• bridge is wrong because it keeps containers behind the Docker host's NAT, so the containers are not directly reachable on the LAN.
• host is wrong because it puts the container in the host's network namespace; the container does not get its own separate IP address on the LAN.

The correct answer is that a firewall on the destination server (192.168.10.105) is blocking ICMP echo requests. Since the administrator can successfully ping another server (192.168.10.106) on the same subnet, it confirms that the local workstation's network interface, IP configuration, and the physical network path are functioning correctly. The problem is specific to the target server. A common reason for a single host to be unresponsive to pings, while others on the same network are reachable, is a host-based firewall (like firewalld or iptables) configured to drop incoming ICMP packets. An incorrect default gateway would affect communication to different networks, not hosts on the same local subnet. Since the ping is directed to an IP address, DNS is not used for resolution. The network interface on the workstation must be active to have successfully pinged the other server.

The combination of options -I, -s, -o /dev/null, -w "%{http_code}\n", and -f delivers exactly what the script needs. -I performs a true HEAD request, so no body is transferred. -s suppresses the progress meter, and -o /dev/null discards anything that might still be written to standard output. -w prints just the value of the http_code variable, giving a clean numeric status line. Finally, -f makes curl exit with status 22 when the response code is 400 or higher, so the calling script can treat any 4xx/5xx reply as a failure.

The other commands miss at least one requirement:

• The version that omits -I still issues a GET and therefore transfers the response body.
• The variant that leaves out -o /dev/null lets the response headers appear on stdout, so the output is not limited to the status code.
• Using -X HEAD only changes the request word and does not behave like a real HEAD request; it can hang if the server sets an inappropriate Content-Length. Therefore it is not reliable for scripted checks.

The correct command is passwd -l temp_user. The -l option locks the specified user's password by prepending an exclamation mark (!) to the encrypted password hash in the /etc/shadow file. This action prevents the user from authenticating with their password. The -u option is used to unlock an account that was previously locked with -l. The -d option deletes the user's password, which is a different action from locking it. The -e option expires the user's password, forcing them to change it at the next login, but it does not lock the account.

The keyword local limits the variable's scope to the body of the function, creating a new "shadow" copy of count that disappears when the function returns; the global count therefore remains 0. Removing the word local lets the arithmetic assignment act on the already-defined global variable, so its value becomes 1 and the final echo reflects the increment.

Replacing local with declare -g would also alter the global variable, but declare and its -g option are Bash-specific and therefore break POSIX portability. Capturing the function's output with command substitution (count=$(increment)) runs the function in a subshell, so the parent shell's variable is still unchanged. Simply exporting the variable does not influence whether the function writes to the global or a local copy, so the value would still be 0.

Thus, deleting local is the only modification that meets all stated constraints.

i3 is a tiling window manager written for X11. It arranges windows in non-overlapping tiles, is operated almost entirely through customizable keyboard shortcuts, and does not require a separate compositing engine, making it suitable for minimal installations and older hardware.

Openbox is a lightweight stacking (floating) window manager; windows can freely overlap, so it does not satisfy the tiling requirement.

KWin and Mutter are compositing window managers used by KDE Plasma and GNOME Shell, respectively. While they can provide tiling plug-ins or scripts, their primary design includes a 3-D compositing layer that adds resource overhead the scenario specifically wants to avoid.