CompTIA CompTIA Certifications CV0-003 Questions & Answers

• Question 421:

  A systems administrator wants to be notified every time an application's configuration files are updated. Which of the following should the administrator implement to achieve the objective?

  A. ZFS

  B. FIM

  C. MAC

  D. DLP

  Correct Answer: B

  Explanation: FIM stands for File Integrity Monitoring, and it is a security technique that monitors and detects changes in files and directories. FIM can help the systems administrator to be notified every time an application's configuration files are updated by generating alerts or reports when the files are modified, added, deleted, or accessed. FIM can also help verify the integrity and authenticity of the files by comparing their hashes or signatures with a baseline or a trusted source. FIM can be implemented using software tools or agents that run on the host or the network. References: CompTIA Cloud+ CV0-003 Certification Study Guide, Chapter 9, Objective 9.1: Given a scenario, apply security controls and techniques.

• Question 422:

  A systems administrator is selecting the appropriate RAID level to support a private cloud with the following requirements:

  The storage array must withstand the failure of up to two drives. The storage array must maximize the storage capacity of its drives.

  Which of the following RAID levels should the administrator implement?

  A. RAID 0

  B. RAID 1

  C. RAID 5

  D. RAID 6

  E. RAID 10

  Correct Answer: D

  Explanation: RAID stands for Redundant Array of Independent Disks, which is a technology that combines multiple physical disks into a logical unit that provides improved performance, reliability, and storage capacity. RAID levels are different ways of organizing and distributing data across the disks in a RAID array. Each RAID level has its own advantages and disadvantages, depending on the requirements and trade-offs of the system. RAID 6 is a RAID level that uses block-level striping with double parity. This means that data is divided into blocks and distributed across all the disks in the array, and two sets of parity information are calculated and stored on different disks. Parity is a method of error detection and correction that can reconstruct the data in case of disk failure. RAID 6 can withstand the failure of up to two disks without losing any data, which makes it suitable for a private cloud that requires high fault tolerance. RAID 6 also maximizes the storage capacity of its drives, as it only uses two disks for parity and the rest for data. The storage capacity of a RAID 6 array is equal to (n-2) x S, where n is the number of disks and S is the size of the smallest disk. RAID 0, RAID 1, RAID 5, and RAID 10 are other RAID levels, but they do not meet the requirements of the private cloud. RAID 0 uses striping without parity, which improves performance but does not provide any redundancy or fault tolerance. RAID 0 cannot withstand any disk failure, as it would result in data loss. RAID 1 uses mirroring, which copies the same data to two or more disks. RAID 1 provides high reliability and fast read performance, but it wastes half of the storage capacity for redundancy. RAID 1 can only withstand the failure of one disk in each mirrored pair. RAID 5 uses striping with single parity, which distributes data and parity across all the disks in the array. RAID 5 provides a balance of performance, reliability, and storage capacity, but it can only withstand the failure of one disk. RAID 10 is a combination of RAID 1 and RAID 0, which creates a striped array of mirrored pairs. RAID 10 provides high performance and reliability, but it also wastes half of the storage capacity for redundancy. RAID 10 can withstand the failure of one disk in each mirrored pair, but not more than that. For more information on RAID levels, you can refer to the following sources: CompTIA Cloud+ CV0-003 Certification Study Guide, Chapter 4, Storage Technologies, page 791 Cloud+ (Plus) Certification | CompTIA IT Certifications2

• Question 423:

  A systems administrator is troubleshooting a VDI deployment that is used to run high- frame-rate rendering. Users are reporting frequent application crashes. After running a benchmark, the administrator discovers the following:

  

  Which of the following should the administrator do to resolve this issue?

  A. Configure the GPU to run in compute mode.

  B. Allocate more RAM in the VM template.

  C. Select a higher vGPU profile.

  D. Configure the GPU to run in graphics mode.

  Correct Answer: C

  Explanation: The benchmark results show that the video RAM utilization is at 99%, which is likely causing the application crashes. Video RAM is used to store graphics data and textures that are processed by the GPU. Selecting a higher vGPU profile can help allocate more video RAM to the virtual machines, which can help resolve this issue. A vGPU profile is a predefined configuration that specifies the amount of video RAM, the number of display heads, and the maximum resolution that a virtual machine can use. By selecting a higher vGPU profile, the administrator can increase the performance and stability of the high- frame-rate rendering application. References: [CompTIA Cloud+ CV0-003 Study Guide], Chapter 4, Objective 4.2: Given a scenario, troubleshoot common virtualization issues.

• Question 424:

  A systems administrator is planning to deploy a database cluster in a virtualization environment. The administrator needs to ensure the database nodes do not exist on the same physical host. Which of the following would best meet this requirement?

  A. Oversubscription

  B. Anti-affinity

  C. A firewall

  D. A separate cluster

  Correct Answer: B

  Explanation: Anti-affinity is the concept of ensuring that certain virtual machines or workloads do not run on the same physical host. This can improve the availability and performance of the system, as well as prevent a single point of failure. In this scenario, the systems administrator needs to ensure the database nodes do not exist on the same physical host, so anti-affinity would best meet this requirement. Oversubscription is the concept of allocating more resources to virtual machines than the physical host actually has, which can improve the utilization and efficiency of the system, but it does not guarantee the separation of the database nodes. A firewall is a device or software that controls the network traffic between different zones or segments, which can improve the security and isolation of the system, but it does not affect the placement of the database nodes. A separate cluster is a group of hosts that share common resources and policies, which can improve the scalability and manageability of the system, but it does not ensure the database nodes do not exist on the same physical host within the cluster. References: CompTIA Cloud+ CV0-003 Certification Study Guide, Chapter 1, Cloud Architecture and Design, page 131.

• Question 425:

  A Cloud administrator needs to reduce storage costs. Which of the following would BEST help the administrator reach that goal?

  A. Enabling compression

  B. Implementing deduplication

  C. Using containers

  D. Rightsizing the VMS

  Correct Answer: B

  Explanation: The correct answer is B. Implementing deduplication would best help the administrator reduce storage costs. Deduplication is a technique that eliminates redundant copies of data and stores only one unique instance of the data. This can reduce the amount of storage space required and lower the storage costs. Deduplication can be applied at different levels, such as file-level, block-level, or object-level. Deduplication can also improve the performance and efficiency of backup and recovery operations. Enabling compression is another technique that can reduce storage costs, but it may not be as effective as deduplication, depending on the type and amount of data. Compression reduces the size of data by applying algorithms that remove or replace redundant or unnecessary bits. Compression can also affect the quality and accessibility of the data, depending on the compression ratio and method. Using containers and rightsizing the VMs are techniques that can reduce compute costs, but not necessarily storage costs. Containers are lightweight and portable units of software that run on a shared operating system and include only the necessary dependencies and libraries. Containers can reduce the overhead and resource consumption of virtual machines (VMs), which require a full operating system for each instance. Rightsizing the VMs means adjusting the CPU, memory, disk, and network resources of the VMs to match their workload requirements. Rightsizing the VMs can optimize their performance and utilization, and avoid overprovisioning or underprovisioning.

• Question 426:

  A company has applications that need to remain available in the event of the data center being unavailable. The company's cloud architect needs to find a solution to maintain business continuity. Which of following should the company implement?

  A. A DR solution for the application between different data centers

  B. An off-site backup solution with a third-party vendor

  C. laC techniques to recreate the system at a new provider

  D. An HA solution for the application inside the data center

  Correct Answer: A

  Explanation: A disaster recovery (DR) solution is a set of policies, procedures, and tools that enable an organization to restore or continue its critical functions in the event of a natural or human-induced disaster. A DR solution for the application between different data centers means that the application is replicated or backed up to another location that is geographically separated from the primary data center. This way, if the primary data center becomes unavailable due to a power outage, fire, flood, cyberattack, or any other cause, the application can be switched over to the secondary data center and resume its operations with minimal downtime and data loss. This solution ensures business continuity and high availability for the application and its users. References: CompTIA Cloud+ CV0- 003 Study Guide, Chapter 5: Maintaining a Cloud Environment, page 221-222; Disaster recovery planning guide.

• Question 427:

  An organization located in Asia connects to a cloud infrastructure hosted in North America and Europe. Sporadic slowness has been observed when using the PaaS and laaS components. A diagnostic using the following commands was run, and the following results were collected:

  

  Which of the following is the most likely reason for the latency?

  A. Service degradation on the ISP

  B. A DDoS attack on the organization's infrastructure

  C. Misconfiguration of the network security groups

  D. Switch failure at the organization

  Correct Answer: A

  Explanation: The most likely reason for the latency is service degradation on the ISP. The results show that the ping and traceroute commands have sporadic timeout and increased round-trip values when reaching the public IP address of the cloud provider. This indicates that there is a network issue between the organization and the cloud provider, which could be caused by service degradation on the ISP. Service degradation on the ISP means that the ISP is experiencing reduced performance or availability of its network services, which can affect the quality and speed of the data transmission. Service degradation on the ISP can be caused by various factors, such as congestion, routing problems, hardware failures, or maintenance activities. To resolve this issue, the systems administrator should contact the ISP and report the problem, and request a status update or a resolution plan. References: CompTIA Cloud+ CV0-003 Certification Study Guide, Chapter 3, Objective 3.2: Given a scenario, troubleshoot network connectivity issues.

• Question 428:

  A cloud administrator used a deployment script to recreate a number of servers hosted in a public-cloud provider_ However, after the script completes, the administrator receives the following error when attempting to connect to one of the servers Via SSH from the administrators workstation: CHANGED. Which of the following IS the MOST likely cause of the issue?

  A. The DNS records need to be updated

  B. The cloud provider assigned a new IP address to the server.

  C. The fingerprint on the server's RSA key is different

  D. The administrator has not copied the public key to the server.

  Correct Answer: C

  This error indicates that the SSH client has detected a change in the server's RSA key, which is used to authenticate the server and establish a secure connection. The SSH client stores the fingerprints of the servers it has previously connected to in a file called known_hosts, which is usually located in the ~/.ssh directory. When the SSH client tries to connect to a server, it compares the fingerprint of the server's RSA key with the one stored in the known_hosts file. If they match, the connection proceeds. If they do not match, the SSH client warns the user of a possible man-in-the-middle attack or a host key change, and aborts the connection. The most likely cause of this error is that the deployment script has recreated the server with a new RSA key, which does not match the one stored in the known_hosts file. This can happen when a server is reinstalled, cloned, or migrated. To resolve this error, the administrator needs to remove or update the old fingerprint from the known_hosts file, and accept the new fingerprint when connecting to the server again. Alternatively, the administrator can use a tool or service that can synchronize or manage the RSA keys across multiple servers, such as AWS Key Management Service (AWS KMS) 1, Azure Key Vault 2, or HashiCorp Vault 3.

• Question 429:

  A cloud engineer is troubleshooting RSA key-based authentication from a local computer to a cloud-based server, which is running SSH service on a default port. The following file

  permissions are set on the authorized keys file:

  -rw-rw-rw-1 ubuntu ubuntu 391 Mar S 01:36 authorized _ keys

  Which Of the following security practices are the required actions the engineer Should take to gain access to the server? (Select TWO).

  A. Fix the file permissions with execute permissions to the owner of the file.

  B. Open port 21 access for the computer's public IP address.

  C. Fix the file permissions with read-only access to the owner Of the file.

  D. Open port 22 access for the computer's public IP address.

  E. Open port 21 access for 0.0.0.0/0 CIDR.

  F. open port 22 access for 0.0.0.0/0 CIDR.

  Correct Answer: CD

  The correct answer is C and D.

  C. Fix the file permissions with read-only access to the owner of the file. D. Open port 22 access for the computer's public IP address. The authorized_keys file on the server should have read-only access for the owner of the file, and no access for anyone else. This ensures that only the owner can read the public keys that are authorized to log in, and no one can modify or delete them. The file permissions can be fixed with the command chmod 400 ~/.ssh/authorized_keys on the server. This is a recommended security practice for SSH key-based authentication123. The computer that wants to log in to the server using SSH key-based authentication needs to have access to port 22 on the server, which is the default port for SSH service. This can be done by opening port 22 access for the computer's public IP address on the server's firewall or security group settings. This allows the computer to initiate an SSH connection to the server and authenticate with its private key. Opening port 21, which is used for FTP service, is not relevant or secure for SSH key-based authentication1.

• Question 430:

  A systems administrator is configuring a DNS server. Which of the following steps should a technician take to ensure confidentiality between the DNS server and an upstream DNS provider?

  A. Enable DNSSEC.

  B. Implement single sign-on.

  C. Configure DOH.

  D. Set up DNS over SSL.

  Correct Answer: C

  DNS (Domain Name System) is a service that translates human-friendly domain names into IP addresses that can be used to communicate over the Internet1. However, DNS queries and responses are usually sent in plain text, which means that anyone who can intercept the network traffic can see the domain names that the users are requesting. This poses a threat to the confidentiality and privacy of the users and their online activities2. To ensure confidentiality between the DNS server and an upstream DNS provider, a technician should configure DOH (DNS over HTTPS). DOH is a protocol that encrypts DNS queries and responses using HTTPS (Hypertext Transfer Protocol Secure), which is a secure version of HTTP that uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) to protect the data in transit3. By using DOH, the technician can prevent eavesdropping, tampering, or spoofing of DNS traffic by malicious actors3. The other options are not the best steps to ensure confidentiality between the DNS server and an upstream DNS provider: Option A: Enable DNSSEC (DNS Security Extensions). DNSSEC is a set of extensions that add digital signatures to DNS records, which can be used to verify the authenticity and integrity of the DNS data. DNSSEC can prevent DNS cache poisoning attacks, where an attacker inserts false DNS records into a DNS server's cache, redirecting users to malicious websites. However, DNSSEC does not encrypt or hide the DNS queries and responses, so it does not provide confidentiality for DNS traffic2. Option B: Implement single sign-on (SSO). SSO is a mechanism that allows users to access multiple services or applications with one set of credentials, such as a username and password. SSO can simplify the authentication process and reduce the risk of password compromise or phishing attacks. However, SSO does not affect the communication between the DNS server and an upstream DNS provider, so it does not provide confidentiality for DNS traffic. Option D: Set up DNS over SSL (DNS over Secure Sockets Layer). This option is not a valid protocol for securing DNS traffic. SSL is a deprecated protocol that has been replaced by TLS (Transport Layer Security), which is more secure and robust. The correct protocol for encrypting DNS traffic using SSL/TLS is DOH (DNS over HTTPS), as explained above.