CompTIA Linux+ (XK0-005) Study Guide
CompTIA Linux+ (XK0-005) validates the skills needed to administer Linux systems across distributions, covering system management, scripting and automation, security, and troubleshooting. It is a 90-minute exam (up to 90 questions, passing score 720 on a 100-900 scale) aimed at early-career sysadmins, DevOps engineers, and cloud/Linux support technicians with about 12 months of hands-on experience.
Domain 1: System Management
- systemctl is the front-end to systemd: 'systemctl start/stop/restart' controls a running service, 'enable' sets autostart at boot, 'disable' removes it, and 'mask' prevents the unit from starting at all. 'systemctl enable --now <svc>' enables and starts in one step.
- chmod sets permission bits using octal (e.g. 755 = rwxr-xr-x) or symbolic notation (e.g. u+x, g-w, o=r). It changes only permissions, never ownership; use chown for ownership and chgrp for group.
- Standard permission digits: read=4, write=2, execute=1. On directories, execute (x) means the ability to enter/traverse, and read (r) means the ability to list contents.
- Package managers by family: apt/dpkg on Debian/Ubuntu (.deb), dnf/yum and rpm on RHEL/Fedora/CentOS (.rpm), and zypper on SUSE. 'dnf autoremove' and 'apt autoremove' reclaim space from orphaned dependencies.
- tar archives: 'tar -czf archive.tar.gz dir' creates a gzip archive, '-cJf' uses xz compression, '-cjf' uses bzip2; extract with '-xzf'. The 'f' flag must immediately precede the filename.
- Hard links (ln source target) point multiple names to the same inode and cannot cross filesystems; symbolic links (ln -s target link) store a path and can span filesystems but break if the target moves.
- /etc/fstab defines persistent mounts; 'mount -a' mounts every fstab entry not already mounted. The noatime mount option skips access-time updates for better performance.
- Create a filesystem with mkfs.ext4 /dev/sdb1 (or mkfs.xfs); XFS cannot be shrunk, only grown. Use lsblk to view block devices as a tree and blkid to read UUIDs and filesystem types.
- LVM workflow: pvcreate (physical volume) then vgcreate (volume group) then lvcreate (logical volume). Grow online with 'lvextend -L +5G /dev/vg0/lv_data' followed by resize2fs (ext) or xfs_growfs (XFS).
- Disk quotas restrict per-user/per-group space and inode usage; enable with the usrquota/grpquota mount options, then use quotacheck, edquota to edit limits, and quota to report usage.
- ps aux gives a static snapshot of all processes with USER, PID, %CPU, %MEM, and COMMAND; top and htop give an interactive real-time view. uname -r prints the running kernel version.
- Performance trending: sar (from the sysstat package) records historical CPU, run-queue, memory, and I/O data, useful for spotting trends over time rather than the instantaneous view that top provides.
- User/group files: /etc/passwd (account definitions, world-readable), /etc/shadow (hashed passwords, root-only), /etc/group (group membership). Manage with useradd, usermod, groupadd, and passwd.
Domain 2: Scripting and Automation
- The shebang on line 1 (e.g. #!/bin/bash) tells the kernel which interpreter to run the script with; the script must also have execute permission (chmod +x) to run as ./script.sh.
- Positional parameters: $0 is the script name, $1..$9 are arguments, $# is the argument count, $@ and $* expand to all arguments, and $? holds the exit status of the last command.
- By Unix convention exit code 0 means success and any non-zero value means failure; set an explicit status with 'exit N' and test it via $? or directly in 'if cmd; then'.
- Capture command output with command substitution: var=$(command) (preferred over legacy backticks because it nests cleanly). Arithmetic uses $(( ... )).
- Control flow: for/do/done iterates a list, while/do/done loops while a condition holds, if/then/elif/else/fi branches, and case/esac matches patterns with *) as the default clause.
- Read a file line by line safely with 'while IFS= read -r line; do ...; done < file' - the -r flag prevents backslash interpretation and IFS= preserves leading/trailing whitespace.
- Defensive scripting header 'set -euo pipefail': -e exits on any error, -u errors on unset variables, and -o pipefail makes a pipeline fail if any stage fails.
- Redirection: '>' overwrites stdout to a file, '>>' appends, '2>' redirects stderr, '2>>' appends stderr, and '2>&1' merges stderr into stdout. A pipe '|' feeds one command's stdout to the next's stdin.
- cron format is five fields: minute hour day-of-month month day-of-week, then the command (e.g. '30 2 * * * /opt/backup.sh' runs at 02:30 daily). Per-user crontabs are edited with 'crontab -e'.
- systemd timers are the modern alternative to cron, offering OnCalendar scheduling, dependency handling, journald logging, and missed-run catch-up (Persistent=true); pair a .timer unit with a matching .service unit.
- Prevent overlapping job runs with flock (e.g. 'flock -n /var/lock/job.lock command'), which acquires an exclusive lock so a second instance exits rather than running concurrently.
- rsync does delta-based incremental copies; common flags are -a (archive: preserve perms/times/links), -z (compress in transit), --partial (resume interrupts), and --delete (mirror by removing extras).
- ssh-keygen generates a key pair (ED25519 or RSA); ssh-copy-id installs the public key into the remote ~/.ssh/authorized_keys, enabling passwordless, automatable key-based authentication.
- Use sed and awk for stream/text processing in a single pass: sed for in-place substitution (sed -i 's/old/new/g'), awk for field extraction and column math (awk '{print $2}').
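An added example, not part of the original guide: a crontab linter that combines several points from this domain (the 'while IFS= read -r' loop, positional parameters and $#, case patterns, the exit status as a result, and the five cron schedule fields). It accepts only the numeric forms (*, N, N-M, comma lists, /STEP); @reboot-style nicknames and month or day names are outside its scope and are reported as rejected. The function names item_ok, field_ok and check_crontab and the sample paths are made up for this example.

```bash
#!/bin/bash
# Added example (not from the study guide): lint crontab schedule fields.
set -eu

# item_ok ITEM MIN MAX: "*", "N" or "N-M", optionally followed by "/STEP".
item_ok() {
  local item step lo hi; item=$1
  case $item in */*) step=${item#*/}; item=${item%%/*} ;; *) step=1 ;; esac
  case $step in ''|0|*[!0-9]*) return 1 ;; esac
  [ "$item" = '*' ] && return 0
  lo=${item%%-*}; hi=${item#*-}          # a plain "N" gives lo = hi = N
  case $lo in ''|*[!0-9]*) return 1 ;; esac
  case $hi in ''|*[!0-9]*) return 1 ;; esac
  [ "$lo" -ge "$2" ] && [ "$hi" -le "$3" ] && [ "$lo" -le "$hi" ]
}

# field_ok FIELD MIN MAX: comma-separated list in which every item is valid.
field_ok() {
  local rest; rest=$1,
  while [ -n "$rest" ]; do
    item_ok "${rest%%,*}" "$2" "$3" || return 1
    rest=${rest#*,}
  done
}

# check_crontab FILE: print each rejected line; exit status = number rejected.
check_crontab() {
  local file line bad=0; file=$1
  while IFS= read -r line || [ -n "$line" ]; do
    set -f; set -- $line; set +f         # split on whitespace, no globbing of "*"
    case ${1-} in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=value
    { [ $# -ge 6 ] && field_ok "$1" 0 59 && field_ok "$2" 0 23 &&
      field_ok "$3" 1 31 && field_ok "$4" 1 12 && field_ok "$5" 0 7; } && continue
    bad=$((bad + 1)); printf 'rejected: %s\n' "$line"
  done < "$file"
  return "$bad"
}

# Constructed sample crontab for the demo run (paths are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
MAILTO=root
30 2 * * * /opt/backup.sh
*/15 8-18 * * 1-5 /usr/local/bin/poll
0 25 * * * /opt/bad-hour.sh
5 4 * * /opt/missing-field.sh
EOF
check_crontab "$sample" || echo "$? line(s) rejected"
rm -f "$sample"
```

Because the function reports its result through the exit status, call it as 'check_crontab file || rc=$?' in scripts that run under 'set -e'.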
Domain 3: Security
- SSH provides an encrypted channel for remote login and command execution, replacing cleartext Telnet/rsh. Harden /etc/ssh/sshd_config with 'PermitRootLogin no' and 'PasswordAuthentication no' to enforce key-only access.
- Mandatory Access Control: SELinux (label/context-based, default on RHEL/Fedora) and AppArmor (path-based, default on Debian/SUSE) confine processes beyond standard owner permissions. Check SELinux mode with getenforce; modes are Enforcing, Permissive, Disabled.
- Fix a mislabeled file's SELinux context with restorecon, view contexts with 'ls -Z', and toggle policy booleans with setsebool -P. SELinux denials are logged in the audit log (ausearch/sealert).
- sudo grants per-command elevated privileges per /etc/sudoers and logs every invocation for accountability; always edit the policy with visudo (syntax checking) rather than editing /etc/sudoers directly.
- Firewall front-ends: firewalld uses 'firewall-cmd --permanent --add-port=443/tcp' then --reload; ufw uses 'ufw allow 22' and 'ufw status'; both manage the kernel netfilter rules (nftables/iptables underneath).
- Best practice is a default-deny inbound firewall policy with explicit allow rules only for required ports, combined with installing only needed packages and disabling unused services to shrink the attack surface.
- Special permission bits: setuid (chmod u+s, 4000) runs an executable as its owner; setgid (chmod g+s, 2000) runs an executable with the file's group and, on a directory, makes new files inherit the directory's group; and the sticky bit (chmod +t, 1000) on a shared dir like /tmp lets only the owner delete their files.
- chattr +i makes a file immutable - it cannot be modified, renamed, or deleted even by root until the attribute is removed with chattr -i; view extended attributes with lsattr.
- Full-disk encryption uses LUKS (dm-crypt); manage volumes with cryptsetup luksFormat/luksOpen. It protects data at rest if the disk is stolen but does not protect a running, mounted system.
- Manage secrets with a dedicated secrets manager (e.g. Vault) that injects values at runtime, store any on-disk secret files as mode 0400 (owner read-only), and never commit credentials into scripts or repositories.
- Set per-user resource limits in /etc/security/limits.conf (persistent) or with the ulimit shell builtin (current session) to cap open files (nofile), processes (nproc), and memory and prevent resource-exhaustion abuse.
- Prefer ED25519 or RSA-2048+ SSH keys over passwords: keys cannot be phished or brute-guessed and enable secure unattended automation; protect private keys with a passphrase and ssh-agent.
- For internal PKI, run an internal CA that issues short-lived certificates with automated rotation, reducing the window of exposure compared with long-lived manually managed certs.
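An added example, not part of the original guide: an audit of the mode bits covered in this domain, reporting setuid/setgid files missing from a baseline of expected ones, world-writable directories without the sticky bit, and secret files whose mode is not exactly 0400. The function names, finding labels, baseline file format (one path per line) and demo paths are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not from the study guide): audit a tree for risky mode bits.
set -eu

# find_special DIR: regular files with setuid (4000) or setgid (2000) set.
find_special() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort
}

# find_open_dirs DIR: world-writable directories lacking the sticky bit (1000).
find_open_dirs() {
  find "$1" -type d -perm -0002 ! -perm -1000 | LC_ALL=C sort
}

# audit DIR BASELINE SECRETS_DIR: print one line per finding, return the count.
# BASELINE lists, one path per line, the setuid/setgid files that are expected.
audit() {
  local out
  out=$(
    find_special "$1" | grep -vxF -f "$2" | sed 's/^/UNEXPECTED-SUID-SGID /'
    find_open_dirs "$1" | sed 's/^/WORLD-WRITABLE-NO-STICKY /'
    find "$3" -type f ! -perm 0400 | sed 's/^/SECRET-NOT-0400 /'
  )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return $(( $(printf '%s\n' "$out" | wc -l) ))
}

# Constructed demo tree; every path below is made up for the example.
demo=$(mktemp -d)
mkdir "$demo/bin" "$demo/shared" "$demo/drop" "$demo/secrets"
touch "$demo/bin/known" "$demo/bin/new" "$demo/secrets/api.key" "$demo/secrets/db.pass"
chmod 4755 "$demo/bin/known" "$demo/bin/new"   # both setuid, only one is expected
chmod 1777 "$demo/shared"                      # sticky, like /tmp
chmod 0777 "$demo/drop"                        # world-writable without sticky
chmod 0400 "$demo/secrets/api.key"
chmod 0644 "$demo/secrets/db.pass"             # readable by group and others
printf '%s\n' "$demo/bin/known" > "$demo/baseline"

audit "$demo" "$demo/baseline" "$demo/secrets" || echo "findings: $?"
rm -rf "$demo"
```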
Domain 4: Troubleshooting
- When a service fails, start with 'systemctl status <svc>' for state and recent errors, then 'journalctl -u <svc>' for full logs; -f follows live, -n N shows the last N lines, and -b limits to the current boot.
- Disk space: 'df -h' shows per-filesystem usage in human-readable units, while 'df -i' shows inode usage - a filesystem can report space free yet still fail writes if inodes are exhausted.
- Find what is consuming space with 'du -sh */ | sort -h' to rank directories by size; combine with find to locate large or old files.
- A file deleted while still held open by a running process keeps consuming space until the process closes it; find such files with 'lsof | grep deleted' and reclaim space by restarting the process.
- Memory diagnosis: 'free -h' shows total/used/free/buffers/cache, and vmstat reveals swapping (si/so columns) that indicates memory pressure; steadily climbing usage suggests an application memory leak.
- The kernel ring buffer (dmesg) records hardware and kernel events; 'dmesg -T | grep -i oom' reveals Out-Of-Memory killer activity when the kernel terminates processes under memory exhaustion.
- Network reachability: ping sends ICMP echo requests to confirm a host is reachable and measure latency; traceroute/tracepath maps the hop-by-hop path to locate where connectivity breaks.
- Inspect interface configuration with 'ip addr' (iproute2 suite, modern) showing addresses and link state; the older ifconfig is deprecated on systemd systems. Use 'ip route' to view the routing table.
- Identify listening ports and their owning processes with 'ss -tlnp' (the modern replacement for netstat); -t is TCP, -l is listening, -n is numeric, -p shows the PID/program.
- I/O troubleshooting: iotop shows per-process disk I/O in real time, iostat reports device throughput and utilization, and 'sar -n DEV 1' (or iftop/nload) tracks network throughput per interface.
- lsof lists open files and the processes holding them - useful for finding which process binds a port, locks a file, or keeps a deleted file open.
- strace traces the system calls a process makes; 'strace -T -c' shows time spent per call and a summary count, helping pinpoint where a slow or hanging process is blocked.
- Isolate where latency originates: time the local response with 'curl -w' (e.g. %{time_total}) and compare against ping/traceroute to the host to separate application slowness from network slowness.
- For scalable diagnostics, ship logs to a central aggregator, emit structured logs with correlation IDs alongside metrics and tracing, and use UTC ISO 8601 timestamps with distinct readiness/liveness probes.
CompTIA Linux+ (XK0-005) exam tips
- Watch for distribution-specific commands: the exam tests both families, so know apt/dpkg (Debian/Ubuntu) versus dnf/yum/rpm (RHEL/Fedora) and firewalld versus ufw, and pick the tool that matches the stated distro.
- Memorize octal-to-symbolic permission mapping cold (4=r, 2=w, 1=x) - you will be asked to convert both directions and to predict the effect of setuid/setgid/sticky bits.
- Performance-based questions (PBQs) ask you to type real commands or fill in config files; practice in an actual terminal so syntax like tar flags, fstab fields, and cron schedules is muscle memory.
- Prefer modern tools in answers when both appear: ip over ifconfig, ss over netstat, systemctl/journalctl over service/legacy logs, and systemd timers over cron when scheduling features matter.
- When a scenario describes a failing service, follow the standard order - check status, read journalctl/log, verify config, check permissions/ownership, then resources - and choose the diagnostic step before any destructive fix.
Study guide FAQ
How many questions are on the Linux+ XK0-005 exam and what is the passing score?
You get a maximum of 90 questions, including multiple-choice and performance-based (hands-on) items, in 90 minutes. The passing score is 720 on a scaled range of 100-900.
Does Linux+ focus on a specific distribution?
No. XK0-005 is distribution-agnostic and intentionally tests both Debian/Ubuntu and RHEL/Fedora/SUSE tooling. You must recognize when to use apt versus dnf, ufw versus firewalld, and AppArmor versus SELinux based on the scenario.
What are the performance-based questions like and how should I prepare?
PBQs simulate a terminal or configuration task where you type real commands or edit files such as fstab or sshd_config. Prepare by doing hands-on practice in a real Linux VM so command syntax, flags, and config file structure are second nature - reading alone is not enough.
How much experience do I need before taking Linux+?
CompTIA recommends about 12 months of hands-on Linux administration experience. Having CompTIA A+, Network+, and Server+ knowledge helps, but they are not required prerequisites for sitting the exam.