A free study companion keyed to the officially published exam domains of CompTIA Linux+ (XK0-006): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. CompTIA Linux+ objectives
A free, source-cited study companion built on CompTIA's published XK0-006 objectives — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
A free Linux+ program blueprint pinned to current XK0-006, turning system management, services/users, security, automation, and troubleshooting into reproducible evidence inside a risk-controlled disposable Linux environment without claiming instructional completeness or an exam or employment outcome.
This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.
Modules
5
Labs
5
Concept checks
12
Resource mix
1 official / 0 community
Choose an outcome
Three routes through the same evidence
Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.
Certification-focused
Learners targeting XK0-006 who have general IT foundations and need one hands-on sequence across all five current Linux+ domains.
Completion emphasis: Complete all modules and safe VM labs, the integrated service-host capstone, a command/objective crosswalk, and a final gap review against the official page.
Required phases: Version, VM, command safety, and baseline, Filesystem, packages, processes, devices, and systemd, Users, groups, permissions, services, and scheduled access, Authentication, hardening, firewall, data, and audit, Shell scripting, scheduling, configuration, and orchestration, Symptoms, logs, hypotheses, recovery, and verification, Disposable Linux service-host capstone
Linux administration skills first
Support, cloud, operations, and career-change learners who want reviewable command, configuration, service, security, automation, recovery, and handoff evidence.
Required phases: Version, VM, command safety, and baseline, Filesystem, packages, processes, devices, and systemd, Users, groups, permissions, services, and scheduled access, Authentication, hardening, firewall, data, and audit, Shell scripting, scheduling, configuration, and orchestration, Symptoms, logs, hypotheses, recovery, and verification, Disposable Linux service-host capstone
Linux career-fit sprint
Learners deciding whether terminal-based systems, cloud operations, platform engineering, or DevOps-style work fits their interests and current foundation.
Completion emphasis: Complete the diagnostic plus navigation/process/service, user/permission, security, script, and fault-recovery labs; record whether to continue, build foundations, or choose another operations route.
Required phases: Version, VM, command safety, and baseline, Filesystem, packages, processes, devices, and systemd, Users, groups, permissions, services, and scheduled access, Authentication, hardening, firewall, data, and audit, Shell scripting, scheduling, configuration, and orchestration, Symptoms, logs, hypotheses, recovery, and verification
Start safely
Prerequisite diagnostic
Verify current version, general IT foundation, disposable environment, command safety, and recovery practices before intermediate Linux administration; this is not a formal prerequisite or pass prediction.
Can you explain filesystems, processes, services, users/groups, permissions, IP addressing, ports, packages, backups, and least privilege at a basic level?
Ready when: Yes, typically through equivalent A+/Network+ knowledge or prior general IT practice.
If not yet: Build general support and networking foundations before treating Linux+ as the next exam target.
Can you run a personally owned Linux virtual machine with snapshots, or do device constraints require a transcript/browser-shell alternative?
Ready when: Yes, with a local VM preferred for systemd, service, firewall, user, package, and fault exercises.
If not yet: Use sanitized command/output transcripts for active-change labs and label them observation-only; WSL/browser shells may not support every systemd or service step.
Can you read a command, identify its user/privilege, exact target path, expansion, effect, verification, and rollback before pressing Enter?
Ready when: Yes, with every destructive-looking command limited to a specific practice path or disposable VM.
If not yet: Complete the pwd/ls/cd/touch/cp/mv/mkdir permission warm-up and use echo-only command previews before sudo, rm, package, firewall, or service changes.
Can you create and name a known-good VM snapshot and back up each configuration file before editing it?
Ready when: Yes, with snapshot restore and file restore tested before deliberate faults.
If not yet: Do not perform active configuration/fault steps; use written alternatives until rollback is proven.
Can you keep host drives, work files, shared folders, production credentials, remote systems, and unrelated network services out of the lab?
Ready when: Yes, using fictional users, throwaway passwords, private/NAT networking, and no sensitive mounts.
If not yet: Remove shared mounts and real credentials or stay on the observation-only route.
Can you reserve repeated terminal sessions to type, predict, verify, break, recover, and document commands rather than only read them?
Ready when: Yes, with CompTIA's recommended experience treated as useful context even though no formal prerequisite is invented.
If not yet: Choose the steady pace or complete a Linux fundamentals month before scheduling an intermediate exam.
Plan, then adapt
Pace options
Steady
14 weeks 8-10 hours/week
A planning estimate for learners building their first sustained Linux practice: separate setup, system management, users/services, security, automation, troubleshooting, and capstone recovery.
Standard
10 weeks 10-14 hours/week
A planning estimate that covers one administration domain most weeks and reserves two weeks for the integrated host, contained faults, restore, handoff, and gaps.
Intensive
6 weeks 16-20 hours/week
For learners with existing Linux administration, cloud operations, or equivalent lab experience; do not compress unfamiliar storage, security, service, scripting, or recovery work.
Evidence-gated sequence
Program roadmap
1
Version, VM, command safety, and baseline
Pin XK0-006, assess foundations, build or select a disposable Linux environment, prove snapshot/config recovery, and establish command/evidence rules.
Exit evidence
Confirm current XK0-006 identity, domains, weights, and recommended-experience guidance on CompTIA's official page.
Create a known-good VM snapshot or choose a labeled observation-only route and document environment limitations.
Complete command/path/privilege, host-isolation, backup/restore, fictional-credential, and evidence-redaction checks.
2
Filesystem, packages, processes, devices, and systemd
Navigate and inspect the Linux system, manage software and process/service state, and record storage/device/configuration evidence without broad or destructive changes.
Correct every missed system-management check and create one fresh service/package/storage state scenario.
3
Users, groups, permissions, services, and scheduled access
Create and verify fictional identities, group-controlled files, service state, authentication, resource limits, and lifecycle cleanup in the disposable VM.
Retain fictional user/group/account/group-membership and specific project-directory ownership/permission evidence.
Install or use one free service in the VM, record package/config/unit/listening-port/log state, start/enable behavior, dependency, and cleanup.
Demonstrate least privilege, sudo scope, permission interpretation, service account, join/change/remove lifecycle, and rollback without host/shared-system impact.
4
Authentication, hardening, firewall, data, and audit
Harden access and service exposure, protect credentials/data, inspect security state, and verify controls inside the snapshot-backed VM.
Retain a reviewed script with quoted variables, strict/safe error handling where appropriate, validation, logging, meaningful exit status, rerun behavior, and no broad paths.
Retain manual and scheduled execution evidence, then remove/disable the test schedule and verify it no longer runs.
Explain infrastructure/configuration management, version control, containers/images/registries, orchestration, environment variables/secrets, and when a script is the wrong tool.
6
Symptoms, logs, hypotheses, recovery, and verification
Diagnose contained boot/service/process/storage/network/permission/resource issues through baseline comparison, logs, least-destructive tests, backups, fixes, and verified recovery.
Retain at least two fault records, including one service/configuration failure and one permission/resource/network/storage scenario, each inside the disposable VM.
For each, document symptom, scope, baseline, logs, ranked hypotheses, test, cause, fix, rollback, verification, and prevention.
Restore a configuration file and a known-good snapshot or equivalent, then verify service, network, storage, logs, schedule, users, and security state.
7
Disposable Linux service-host capstone
Build, secure, automate, monitor, break, recover, and hand off a fictional Linux service host inside a disposable VM with reproducible evidence across all five domains.
Complete the capstone and pass its target/path/privilege, configuration, service, security, automation, fault, restore, privacy, and consistency review.
Crosswalk all five domains to at least one command/configuration/evidence artifact and one corrected or confidently explained check.
Record remaining foundation/objective gaps and choose a continue, practice, defer, or exam-logistics-verification next decision.
Before a lab
Environment, access, and safety
Required and optional setup
Required
A personally owned disposable Linux virtual machine with local console and snapshots, or sanitized command/output alternatives labeled observation-only
A private/NAT lab network with no work, school, production, or unrelated devices and no sensitive host mounts
A text/versioned workspace for inventory, commands, configurations, scripts, outputs, changes, faults, restore evidence, and handoff
Optional
VirtualBox or another legitimately licensed local hypervisor plus a free current Linux distribution ISO
WSL or browser shell for read-only/basic shell practice, with systemd/service/firewall limitations documented
A local container runtime in the disposable VM for optional image/container observation using only trusted public images
Accounts and accessibility routes
Accounts
No online, cloud, vendor-training, or paid account is required for the core program.
Use only legitimately downloaded Linux distributions, hypervisors, packages, and container images from trusted official repositories.
Fictional local users and throwaway secrets stay inside the disposable VM and are removed before artifacts are shared.
Equivalent routes
Use sanitized command/configuration/output transcripts, annotated terminal steps, expected-state tables, and troubleshooting records when VM, device, motor, visual, or administrative constraints block execution.
Label every artifact executed, observed, simulated, or planned and never imply root/service/firewall/storage changes that were not performed.
Split VM setup, configuration, scripting, fault injection, recovery, and reflection across sessions without weakening snapshots, backups, path checks, or verification.
Safety baseline
Take a named known-good snapshot and back up each specific configuration before active changes; keep a local console available before firewall, network, SSH, boot, user, storage, or service work.
Before every sudo, rm, chmod/chown, package, service, firewall, mount, partition, script, scheduler, or redirection command, verify user, exact path/device, expansion, effect, backup, rollback, and expected output.
Never run broad destructive commands, operate on the host or shared/production systems, mount sensitive host paths, reuse real credentials/keys, or break the SSH service used for remote access.
Use private/NAT networking, specific practice paths, fictional users/secrets, trusted repositories/images, minimum privileges, and complete cleanup/restore verification.
Show your work
Module evidence and missed-check protocol
Module exit evidence
A saved command/configuration/script/output/fault/restore record or clearly labeled accessibility alternative tied to the module objective map.
A plain-language explanation of intended state, command/privilege/path, observed state, evidence/log, mismatch, action, rollback, verification, and prevention.
All authored checks attempted, with each miss corrected against its cited source and applied to a fresh Linux administration scenario.
After a missed check
Identify whether the question tests system management, users/services, security, automation/orchestration, or troubleshooting before reviewing the answer.
Write why the distractor was plausible and which file/path, permission, process/service state, command output, log, network/storage fact, script behavior, or lifecycle step distinguishes it.
Recreate a safe variant in the disposable VM or annotated transcript, predict the output/state, verify it, and explain any mismatch.
Completing this policy demonstrates XK0-006 coverage and disposable-VM practice inside RoleMath; it does not predict a Linux+ score, replace recommended experience, or establish professional Linux administration.
Integrated practice
Disposable Linux service host build, automation, fault recovery, and handoff
Provision and document a fictional Linux service host inside a snapshot-backed VM, establish users/services/security/automation/monitoring, introduce contained faults, recover from file and snapshot backups, and leave a reproducible administrator handoff across all five Linux+ domains.
Workflow
Create a fresh personally owned Linux VM with NAT/private networking, no sensitive shared folders, current updates, a fictional hostname, local console, and a named clean baseline snapshot. Record distribution, kernel, resources, network mode, package source, and limitations.
Collect a read-only baseline: identity/groups, OS/kernel, CPU/memory, disks/filesystems/mounts/free space, interfaces/routes/DNS/listeners, packages, processes, systemd units, boot targets, logs/errors, scheduled jobs, security state, and time settings. Redact host-specific identifiers.
Write a fictional service-host brief and desired-state table for one small internal service. Include users/groups, directories, ownership/modes, package/service, ports, network exposure, logs, backup, schedule, security, dependencies, monitoring, owner, and recovery objective assumptions.
Create fictional admin/operator/service users and groups with throwaway passwords where needed. Build specific project/config/data/log/backup directories under a clearly named lab path, set least-privilege ownership/permissions, and verify allowed/denied access without touching system-wide unrelated paths.
Install or configure one free service from the distribution repository. Back up its original configuration, validate syntax where the service supports it, start/enable it, record unit/dependency/PID/listening-port/log/package/config state, and prove a local expected response or health check.
Document networking and storage safely: inspect address/route/DNS/listeners/firewall plus disks/filesystems/mounts/free space/inodes/usage. Create no real partitions; use a design table or disposable loopback-file exercise only after device/path verification and snapshot.
Create a throwaway SSH keypair, configure public-key access only inside the VM if practical, preserve console recovery, inspect root/password-auth settings, and record private-key/public-key/authorized-key permission expectations without sharing any private key.
Apply or design a host-firewall default-deny policy allowing only the required lab service from the private lab scope. Verify allowed and denied paths plus listener/firewall agreement; if executing, do so only with console access and a saved snapshot.
Write an idempotent administration script that inventories desired state, validates exact paths/inputs, creates missing lab directories/files safely, checks service status, records timestamped output, returns meaningful exit codes, and changes nothing on a second compliant run.
Review the script line by line, run it manually twice, compare outputs/state, test one invalid input/failure, and schedule it briefly with a user-level or controlled scheduler. Remove/disable the schedule and verify it stopped.
Create a container/orchestration comparison artifact: trusted image source, immutable image versus running container, volume/network/port/secrets/config, health, logs, resource limits, registry, update/rollback, and when a systemd service or configuration tool is preferable. Optional execution stays inside the VM.
Create change, backup, and restore records for the service/configuration/script. Copy specific files to the named backup path, record hashes/metadata, restore to a test location or service, validate content/syntax/permissions, and verify the service and scheduler state.
Preserve a post-build known-good snapshot, then introduce two faults one at a time: a backed-up invalid service configuration and a permission, resource, DNS/route, port/firewall, process, or scheduled-job scenario limited to the lab path/VM.
For each fault, document symptom, scope, baseline difference, relevant status/log/command output, ranked hypotheses, least-destructive tests, root cause, correction, rollback, verification, and preventive control. Restore known-good state before the next fault.
Restore one configuration from backup and the entire VM from the known-good snapshot or equivalent clone. Re-run the validation matrix for identities, permissions, packages, service, listener, firewall, network, storage, logs, script, schedule, backups, and security; record differences and residual gaps.
Write a change record for one safe improvement with purpose, exact commands/files, owner, impact, dependencies, risk, test, backup, rollback trigger, rollback, verification, communication, and cleanup.
Produce a shift-ready administrator handoff with desired/current state, topology, accounts/groups, packages, services/ports, config/log/backup paths, firewall, schedule, monitoring, known-good snapshot, validation commands, unresolved risks, forbidden host/production actions, and next safe step.
Crosswalk every inventory, user/service, security, automation, troubleshooting, restore, change, and handoff artifact to the five XK0-006 domain IDs; flag uncovered topics and record the next practice decision.
Retained artifacts
Fictional service-host brief, environment record, desired-state table, and read-only baseline
Users/groups/permissions plus package/service/network/storage/security configuration evidence
Idempotent administration script, tests, schedule/cleanup evidence, and container/orchestration comparison
Configuration/file backup and restore validation record
Two contained fault investigations and full snapshot-restore validation matrix
Change/rollback record and administrator handoff
Five-domain crosswalk and foundation/objective gap reflection
Review checklist
Desired state, users/groups, paths, permissions, packages, service, ports, firewall, network, storage, logs, script, schedule, backups, faults, restore, change, and handoff describe the same disposable VM without contradictions.
Every active command records user/privilege, exact target path/device, expected effect/output, backup, rollback, verification, and contains no unchecked broad expansion or host/shared-system target.
Snapshots and specific configuration backups are proven restorable; post-restore validation covers service, security, network/storage, logs, automation, users, and schedules.
No host or production change, broad destructive command, sensitive mount, real credential/private key, untrusted script/package/image, remote-lockout risk, or work/shared system appears in the project.
Scripts validate inputs/paths, quote variables, report failure, log safely, are idempotent where claimed, and leave no per-minute/test schedule running.
All five XK0-006 domains map to at least one artifact; uncovered topics remain explicit gaps rather than implied completion.
The packet does not claim exam success, official CompTIA training, professional system administration, production experience, or a RoleMath credential.
Safety boundary: Perform active work only inside a personally owned disposable VM with a local console, named snapshots, specific configuration backups, private/NAT networking, fictional users/secrets, and no sensitive host mounts. Verify user, privilege, exact path/device, expansion, effect, rollback, and output before every change. Never run broad destructive commands or alter a host, remote access path, work/shared system, or production service.
Finish honestly
Completion, portfolio, and maintenance
Completion evidence
All five current XK0-006 domain modules have been covered and checked against CompTIA's official page.
Every domain lab has a saved disposable-VM artifact or clearly labeled observation/accessibility alternative.
Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh Linux administration scenario.
All active commands/configurations were confined to the documented VM/lab paths with snapshots/backups, rollback, cleanup, and verification.
The service-host capstone passes system, user/service, security, automation, troubleshooting, restore, change, privacy, safety, consistency, and five-domain coverage review.
The learner has recorded remaining foundation/objective gaps and a next decision; completion is not represented as an exam result, credential, administrator job readiness, or professional experience.
Portfolio candidates
A sanitized Linux host desired-state and baseline packet
Selected user/service/security configuration with verification output
An idempotent script with tests and scheduler cleanup
A contained fault investigation and restore verification
A change/rollback record and administrator handoff
A reflection explaining one corrected Linux assumption
Present the artifacts as self-directed XK0-006 disposable-VM lab work. Do not call them production administration, professional Linux experience, official CompTIA labs, job readiness, or a RoleMath credential.
Freshness controls
Objective source checked 2026-07-10. Recheck objectives every 30 days and resources every 60 days.
Stop and re-verify when
CompTIA changes the active Linux+ exam code, XK0-006 scope, domain, published weight, lifecycle, pricing/renewal, or recommended-experience guidance.
The official page, Linux distribution, WSL, hypervisor, package repository, systemd, shell, scheduler, SSH, firewall, container, or other tool/resource changes URL, access, behavior, licensing, or safety.
A command/configuration no longer works on the documented distribution, uses a broader/destructive target, lacks rollback, or cannot remain inside an isolated disposable environment.
A lab or capstone step cannot produce the stated evidence through the VM or labeled alternative, or fails restore, idempotence, cleanup, privacy, or accessibility review.
Any module, lab, command, check, resource mapping, phase, or capstone fails technical, source, Linux-domain, beginner/intermediate, safety, privacy, accessibility, recommended-experience, or claims review.
Skills measured
The official objective domains and their exam weight — titles & weights only, straight from the vendor’s exam objectives. CompTIA Linux+ objectives
Linux+ is an intermediate certification: CompTIA recommends roughly 12 months of hands-on Linux experience and, for many career changers, earning A+ and Network+ first to build general IT footing before attempting it. Assuming you have that grounding, our default sequencing advice is heaviest-weight-first, because the published weights tell you where the exam spends its questions. That gives: System Management (23%) first, then Troubleshooting (22%), then Services and User Management (20%), then Security (18%), then Automation, Orchestration, and Scripting (17%). There is one honest dependency wrinkle worth naming: Troubleshooting is a capstone skill — you diagnose a system faster once you already know how it is managed, what services and users it runs, and how it is secured. By pure weight it comes second, and you can study it second to respect the weights, but do not expect it to fully click until the later domains have filled in; it is normal to loop back to it at the end. Automation sits last by weight and also builds naturally on everything before it, since a script mostly automates tasks the earlier domains taught you to do by hand. This is sequencing advice based on the published weights and how the topics depend on each other, not a claim about the science of learning — if a different order fits how you think, use it.
Start here. At 23% it is the heaviest domain, and it is the everyday foundation — the filesystem, packages, processes, and the systemd service manager — that every other domain quietly assumes you can already navigate from a terminal.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Linux+ objectives
This is the heaviest domain at 23%, and it is the 'live in the system from a terminal' domain. Before Linux+ asks you to run services, secure a host, script tasks, or diagnose a failure, it expects you to be fluent in the daily fabric of a Linux machine: moving around the filesystem, installing and inspecting software, watching processes, and managing the modern service manager that starts almost everything on a running system. Almost every scenario elsewhere on the exam is written in the commands and concepts this domain teaches, so if a later question ever feels like a foreign language, the gap is usually right here. For a career changer coming from a Windows or point-and-click background, this is the domain where the command line stops being intimidating and starts being home.
The first pillar is the filesystem and how Linux organizes everything as files under a single tree rooted at slash. You are expected to know your way around the standard layout — where configuration lives, where system binaries live, where logs and temporary files go, where a user's home sits — and to move, copy, create, and inspect files and directories with confidence. Just as important is understanding what a path means, the difference between absolute and relative paths, and how Linux treats devices, mounted disks, and even much of the kernel's live state as files you can read. The mental model to build is that in Linux almost everything is a file, and knowing where a file belongs is half of knowing what it does.
The second pillar is software management through package managers, which is how Linux installs, updates, and removes programs cleanly rather than hunting for installers. The two big families you should recognize are the Debian and Ubuntu world (using apt on top of dpkg packages) and the Red Hat and Fedora world (using dnf on top of rpm packages). The concepts that carry across both are repositories — trusted online catalogs your system pulls software from — and dependency resolution, where the package manager works out and installs the other pieces a program needs. Knowing which family a system belongs to, and the equivalent command in each, is a recurring exam and on-the-job skill, because a Linux administrator rarely gets to choose only one distribution.
The third pillar is processes: the running programs that make up a live system. You should understand that every process has an identifier and a parent, that processes have states and priorities, and that you can list them, find the ones consuming resources, adjust their priority, and stop a misbehaving one by sending it a signal. The related idea of running work in the foreground versus the background, and keeping a job alive after you log out, belongs here too. Seeing the system as a shifting population of processes rather than a static box is the shift in thinking this pillar rewards, and it is the direct precursor to the troubleshooting domain, where a runaway process is a classic culprit.
The fourth pillar is systemd, the init system and service manager that modern mainstream distributions use to boot the machine and manage long-running services. This is where you learn to start, stop, enable (so it launches at boot), disable, and check the status of a service through a single consistent tool, and to understand the unit files that describe each service. Systemd also governs targets (the rough equivalent of the old runlevels that define what state the system boots into) and ties into the system journal for logs. Because nearly every service in the later domains is started and supervised by systemd, comfort with it here pays off everywhere downstream — it is arguably the single most leveraged skill in the whole track.
The way to study this domain is to stop reading and start living in a shell, which is exactly what the lab below sets up: you get a genuinely free Linux environment and then navigate the filesystem, inspect packages, watch processes, and query systemd with your own hands. As you work, narrate what each command shows you — where am I, what is installed, what is running, what is systemd supervising — until moving around the system is automatic. And read the official CompTIA Linux+ objectives page for the exact topic list; this explanation deliberately paraphrases the domain's scope in our own words rather than reproducing CompTIA's.
Lab: set up a free Linux shell and explore the filesystem, packages, processes, and systemd
Get a genuinely free Linux environment running, then use it to make the four pillars of this domain concrete: navigate the filesystem tree, inspect installed packages, watch live processes, and query the systemd service manager. This is the command-line comfort every other domain assumes, built with your own hands on a system you own.
Free tools
A free Linux environment — pick ONE: (a) Windows Subsystem for Linux (WSL), free from Microsoft, giving you an Ubuntu shell inside Windows; (b) a free Linux VM in VirtualBox (VirtualBox is free and open source; Ubuntu and Fedora ISOs are free downloads); or (c) a free browser-based Linux shell if you cannot install anything
A terminal (the shell that ships with any of the above) — no extra downloads
Optional: a plain-text notes file to record the commands and what each revealed
Steps
Set up your environment. On Windows 10/11, open PowerShell as administrator and run 'wsl --install', then reboot and let it finish setting up Ubuntu and asking you to create a username and password. Alternatively, install VirtualBox and boot a free Ubuntu or Fedora ISO in a new VM, or open a free browser-based Linux shell. Any one of these gives you a real Linux prompt.
Find out where you are and what you are on. Run 'pwd' to print your current directory, 'whoami' to see your username, and 'cat /etc/os-release' to read which distribution and version you are running (note whether it is Debian/Ubuntu-based or Red Hat/Fedora-based — that decides your package commands).
Explore the filesystem tree. Run 'ls /' to list the top-level directories, then 'ls -l /etc' to see configuration files and 'ls -l /var/log' to see logs. Move into your home directory with 'cd ~' and back to root with 'cd /'. Notice everything hangs off a single tree rooted at '/'.
Inspect installed software with your package manager. On Ubuntu/Debian: 'apt list --installed | head' to list packages and 'apt-cache policy bash' to see where 'bash' came from. On Fedora/Red Hat: 'dnf list installed | head' and 'dnf info bash'. You are reading the repository-and-dependency model this domain describes, without installing anything.
Watch the live process population. Run 'ps aux | head' to see a snapshot of running processes with their process IDs, then run 'top' (or 'htop' if present) to watch them update in real time; note the columns for CPU and memory. Press 'q' to quit 'top'. This is the shifting population of processes the domain wants you to see.
Query the systemd service manager (read-only). Run 'systemctl status' for an overview, then 'systemctl list-units --type=service --state=running' to see which services are currently running. Pick one, for example the SSH service, and run 'systemctl status ssh' (or 'sshd') to read whether it is active and enabled at boot.
Read a unit file to see how systemd describes a service: 'systemctl cat ssh' (or another service name from the running list) prints the unit definition — the same file systemd uses to start and supervise that service.
Look at the system journal that systemd feeds: run 'journalctl -n 20 --no-pager' to read the last 20 log lines. You are previewing the Troubleshooting domain's most important tool from inside System Management.
Optional and safe: create and remove a file to prove you can. Run 'touch ~/rolemath-test.txt', confirm it with 'ls -l ~/rolemath-test.txt', then remove exactly that one file with 'rm ~/rolemath-test.txt'. Only ever target a specific file you just created in your own home directory.
Write one plain sentence summarizing your machine: which distribution it is, where its config and logs live, one package you confirmed is installed, one process you saw running, and one service systemd is supervising. If you can say that from memory, System Management is no longer abstract.
What you should see
A working Linux prompt in a free environment you own; the filesystem tree listed from '/' with config in /etc and logs in /var/log; a list of installed packages and where one of them came from; a live, updating view of running processes with their IDs and resource use; and systemd reporting which services are running, whether one is enabled at boot, and the unit file that defines it. The command line has stopped being a mystery and become a place you can navigate.
This lab practices the filesystem navigation, package management, process management, and systemd service-management skills that Domain 1 (System Management) of the official XK0-006 objectives covers — see the official objectives page for the exam's own wording.
Stay safe & legal: Do everything inside a Linux environment you own — your own WSL install, your own VirtualBox VM, or a free browser-based shell. Never run these commands on a shared, work, or school system you do not control. The listing, viewing, and status commands here are read-only and safe. Never run destructive commands such as 'rm -rf /' or 'rm -rf' against broad paths; the only removal in this lab targets one specific file you just created in your own home directory. When in doubt, prefer a throwaway VM you can simply delete and rebuild.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 2 of 5 · domain 5 · 22% of the exam
Troubleshooting
Second in our suggested order by weight (22%), but a capstone in spirit — you diagnose a system faster once you already know how it is managed, run, and secured. Study it second to respect the weight, but expect to loop back to it after the later domains fill in.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Linux+ objectives
This is the second-heaviest domain at 22%, and it is the capstone: it takes everything from the other four domains and asks you to use it when something is broken and someone wants it fixed. That is the honest tension in its placement — by weight it comes second, but you diagnose a Linux system fastest once you already understand how it is managed, what services and users it runs, and how it is secured, so it is normal to study it second and then loop back once the later domains have filled in. It is also the most job-shaped domain on the exam, because diagnosing and fixing problems is a large share of what real Linux administration, cloud, and DevOps work actually is.
The backbone of the domain is a disciplined approach — a repeatable way of narrowing a problem instead of guessing. The habit worth internalizing is a loop: gather the symptoms and ask what changed, form a specific theory of the probable cause, test that one theory, act on it if confirmed, verify the system truly works again, and record what you found and did. The whole point is to replace flailing with a sequence that eliminates possibilities one tested theory at a time. On Linux this is especially powerful because the system is so transparent — almost every subsystem will tell you what is wrong if you know which file, log, or command to ask.
The single most important skill is reading logs, because a healthy Linux system narrates its own failures. On modern systemd-based distributions the central tool is journalctl, which queries the system journal — you can filter by service, by time window, by priority, and follow logs live as a problem happens. Alongside it live the traditional text logs under /var/log for services that write there. The exam-and-job skill is not memorizing every log path; it is the instinct to go to the logs first and to read an error message as a lead rather than a dead end. 'What does the log say?' is the most productive question in Linux troubleshooting, and it is exactly what this domain's lab drills.
A powerful lens for organizing the search is to think in subsystems, the same way the earlier domains carved up the machine. Is this a storage problem (a full disk, a filesystem that will not mount, permissions denying access)? A process or service problem (a unit that failed to start, a process consuming all the memory or CPU)? A network problem (no address, no route, name resolution failing)? A user or permission problem (an account that cannot log in, a file a service cannot read)? Isolating which subsystem a fault lives in collapses a huge search space into a small one. 'The service will not start' sends you to its status and logs; 'the disk is full' sends you to storage tools; each symptom points at a subsystem and its tools.
The domain then expects fluency with the diagnostic toolkit, most of which is already on every system. Service and process inspection through systemctl, journalctl, ps, and top; storage diagnosis through df (free space), du (what is using it), and the mount and filesystem tools; network checks through the ip, ss, ping, and name-resolution commands; and permission and ownership readouts. Crucially, the exam cares less about whether you can type a command than whether you can interpret its output — what a failed unit's status is telling you, what a disk at 100% means for a service that cannot write, what a permission-denied error reveals about ownership. Pattern recognition matters here: the faster you match a set of symptoms to a familiar cause, the faster you reach a tested theory rather than a guess.
The best way to study this domain is to practice the loop on a service you deliberately break and then fix, which is exactly what the lab below does: you read logs with journalctl, diagnose a service that will not start, and walk the isolate-test-verify sequence on your own system. Combine that with narrating your reasoning out loud — symptom, theory, test, result, next step — until it is automatic under pressure. And read the official CompTIA Linux+ objectives page for the exact topic list and its statement of the approach; this explanation paraphrases the domain's scope in our own words rather than reproducing CompTIA's.
Learn it free
Official · Official exam objectives
CompTIA Linux+ (XK0-006) exam objectives (certification page)The authoritative topic list for the exam's second-heaviest domain — worth reading in full given its 22% weight, especially its statement of the troubleshooting approach. (captured 2026-06-12)
Lab: read logs with journalctl and diagnose a failed service
Walk the troubleshooting loop on a real service using only built-in tools: read the system journal, deliberately break a service in a safe and reversible way, diagnose why it will not start by reading its status and logs, then fix it and verify. This is the isolate-test-verify discipline made concrete on a system you own.
Free tools
Your free Linux environment from Domain 1 (a VirtualBox VM is ideal here since you will start and break a service; WSL works for the log-reading steps) — one you own
systemctl and journalctl — built into every systemd-based distribution, no download
df, du, ps, and top — built-in diagnostic tools for the storage and process checks
Steps
In your own Linux environment, get comfortable with the journal first. Run 'journalctl -n 30 --no-pager' to read the last 30 log lines, then 'journalctl -p err -b --no-pager' to show only error-priority messages from the current boot. Reading errors first is the fastest lead in Linux troubleshooting.
Follow the journal live in one terminal: 'journalctl -f'. Leave it running; you will watch new events appear as you cause them in the next steps. (Open a second terminal for the commands, or stop the follow with Ctrl+C when you need the prompt.)
Install a service to practice on if you do not already have one from Domain 2 — for example the SSH server (Ubuntu: 'sudo apt install -y openssh-server'; Fedora: 'sudo dnf install -y openssh-server'). Confirm it starts cleanly: 'sudo systemctl start ssh && systemctl status ssh' should show 'active (running)'. (Do this in a VirtualBox VM rather than older WSL — systemd service control is unreliable on WSL unless systemd is explicitly enabled.)
Now break it in a safe, reversible way to create a real diagnosis. Back up the config first so you can always restore it: 'sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak'. Then introduce an obvious error: 'echo "ThisIsNotAValidDirective yes" | sudo tee -a /etc/ssh/sshd_config'.
Try to restart the service and watch it fail: 'sudo systemctl restart ssh'. The command reports a failure. This is your symptom — a service that will not start.
Diagnose using the methodology. Read the status: 'systemctl status ssh' shows it as failed and hints at the cause. Then read the service's own logs: 'journalctl -u ssh -n 30 --no-pager' — you should see a message pointing at the bad line in the config file. The log named the problem; you did not have to guess.
Confirm your theory precisely with the service's own config test: 'sudo sshd -t' checks the SSH config and prints exactly which line it rejects. A specific error at your bad directive confirms the cause — that is the 'test one theory' step.
Act on the fix: restore the good config from your backup ('sudo cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config') or remove the bad line you added with an editor. Restart the service: 'sudo systemctl restart ssh'.
Verify the fix truly worked — do not assume it. Run 'systemctl status ssh' (should be 'active (running)' again) and 'sudo sshd -t' (should print nothing, meaning the config is valid). Verification is a required step, not an optional one.
Practice a storage and process check while you are here: 'df -h' shows free space per filesystem (a disk at 100% is a classic cause of services that cannot write), and 'ps aux --sort=-%mem | head' shows the top memory consumers. Finish by writing two sentences: the symptom, the log line that revealed the cause, the fix, and how you verified it — that written trail is the 'document your findings' step.
What you should see
The system journal readable and filterable by errors and by service; a service that visibly fails to start after you introduce a bad config line; a status output and a 'journalctl -u' log that point straight at the offending line; a config-test command that names the exact error; and the service returning to 'active (running)' after you restore the config and verify it. You have run the full troubleshooting loop — symptom, theory, test, fix, verify, document — on a live service.
This lab practices the log-analysis (journalctl), service-diagnosis, and methodical isolate-test-verify approach, plus the storage and process checks, that Domain 5 (Troubleshooting) of the official XK0-006 objectives covers — see the official objectives page for the exam's own wording.
Stay safe & legal: Do this only on a Linux environment you own — a throwaway VirtualBox VM is ideal because you deliberately break a service. If you are working over SSH on a remote machine, do NOT break the SSH service you are connected through, or you may lock yourself out; use a local console or a different practice service instead. Always back up a config file before editing it (this lab does), and restore from that backup to recover. Never run destructive commands like 'rm -rf' against broad paths, and never break services on shared, work, or production systems.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 3 of 5 · domain 2 · 20% of the exam
Services and User Management
Third in our suggested order, at 20%. Once you can navigate the system and drive systemd from Domain 1, this domain is where you create the users a system serves and run the services it exists to provide — with permissions as the connective tissue between them.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Linux+ objectives
This is the 'who uses the system, and what does it serve' domain, and at 20% it is a substantial slice. It joins two closely related jobs a Linux administrator does constantly: managing the accounts and groups that identify the people and programs using a machine, and running the services — web servers, databases, name resolution, scheduled jobs — that the machine exists to provide. The connective tissue between them is the permission model, which decides which users and services are allowed to touch which files. For career changers this domain is very tangible: you are literally creating accounts and turning services on, which makes the abstract idea of 'administering a system' finally concrete.
The foundation is users and groups. Every account on a Linux system has a numeric user ID and belongs to one or more groups, and the system records these in a small set of well-known files (the account list, the group list, and the shadow file that holds password hashes). You are expected to be able to create, modify, and remove users and groups; understand the difference between an ordinary user, a system account that a service runs as, and the all-powerful root; and set a user's home directory and login shell. The exam wants you to reason about accounts as the identities that everything else grants or denies access to — the same 'least privilege' instinct that runs through the security domain starts here, in not handing out more account power than a person or service needs.
Closely tied to accounts is the permission model, which is where a lot of Linux's day-to-day security lives. Every file and directory has an owner, a group, and three sets of read/write/execute permissions — for the owner, the group, and everyone else — and you should be fluent reading and setting them both in symbolic form and as the numeric (octal) triples that appear everywhere in documentation. Beyond the basics sit the special permission bits and the mechanisms for granting carefully scoped administrative power, most importantly running a single command as another user through sudo rather than logging in as root. Understanding permissions well enough to explain why a service cannot read a file it needs is one of the most reused troubleshooting skills there is.
The other half of the domain is services in the substantive sense: the software that makes a server useful. You are expected to be familiar with the common categories and be able to recognize, install, and control them — web servers that answer HTTP requests, database servers that store structured data, name resolution and address-assignment services on the network side, mail and file-sharing services, and the print or logging services that support them. You do not need to master the configuration of every one, but you should know what each category is for and how to start, stop, and enable it. Because Domain 1 already taught you systemd, controlling a service here is a familiar motion applied to new software.
A recurring theme is that services run as accounts, which is exactly where this domain's two halves meet. A well-configured web or database server does not run as root; it runs as a dedicated, low-privilege system account so that if the service is compromised, the damage is contained. Scheduling belongs here too — the ability to run a task automatically on a timetable, whether through the classic cron scheduler or a systemd timer — because so much routine service work (backups, cleanup, report generation) is scheduled rather than run by hand. Seeing accounts, permissions, and services as one interlocking system, rather than three separate topics, is the maturity this domain is checking for.
The way to study this domain is to create an account and stand up a permissioned resource with your own hands, which is exactly what the lab below does: you add a user, set group-based file permissions, and start and enable a service, watching how identity and access fit together. As you work, keep asking the two questions this domain lives on — who is this user or service, and what is the least access it needs? And read the official CompTIA Linux+ objectives page for the exact topic list; this explanation paraphrases the domain's scope in our own words rather than reproducing CompTIA's.
Lab: create a user, set group permissions, and start a service
Join the two halves of this domain by hand: create a new user and a shared group, use permissions to control who can read a directory, then start and enable a real service and confirm it is running. You will feel how identity, permissions, and services interlock — the everyday motion of administering a Linux host.
Free tools
Your free Linux environment from Domain 1 (WSL, a VirtualBox VM, or a browser-based shell) — must be one you own
A terminal with the ability to run 'sudo' (WSL and standard installs give your first user sudo access)
No downloads beyond a common service package the lab installs from your distribution's free repositories
Steps
In your own Linux environment, confirm you can act as administrator by running 'sudo whoami' — it should print 'root', proving sudo grants you scoped administrative power without logging in as root.
Create a group for a shared project: 'sudo groupadd projectteam'. Then create a new user and give them a home directory and a shell: 'sudo useradd -m -s /bin/bash alice' (this makes the account 'alice'). Set a password with 'sudo passwd alice' and choose one for the exercise.
Add the new user to the group: 'sudo usermod -aG projectteam alice'. Confirm the account and its groups with 'id alice' — you should see alice's user ID and the 'projectteam' group in the list.
Read where accounts are recorded: 'getent passwd alice' shows alice's entry (home directory and login shell), and 'getent group projectteam' shows the group and its members. This is the account and group data the domain describes.
Create a shared directory and set group-based permissions: 'sudo mkdir /srv/projectshare', then 'sudo chgrp projectteam /srv/projectshare' to set its group, then 'sudo chmod 770 /srv/projectshare' so the owner and the group have full access but everyone else has none.
Read the permissions you just set: 'ls -ld /srv/projectshare'. Read the rwx triples — owner and group can read/write/execute (enter) the directory, others cannot. That is the octal 770 you set, made visible, and it is least privilege applied to a folder.
Now the services half. Install a small, well-known service from your free repositories — for example the SSH server: on Ubuntu 'sudo apt update && sudo apt install -y openssh-server', on Fedora 'sudo dnf install -y openssh-server'.
Start the service and enable it at boot using the systemd skills from Domain 1: 'sudo systemctl start ssh' (or 'sshd' on Fedora) and 'sudo systemctl enable ssh'. Enabling means it will launch automatically on future boots.
Confirm it is running and note who it runs as: 'systemctl status ssh' should show 'active (running)'. Then run 'ps -o user,comm -C sshd' (or 'ps aux | grep sshd') and notice the main service process is supervised by the system, not tied to your personal login — services run as accounts, the theme this domain names.
Clean up on your own environment: stop the service with 'sudo systemctl stop ssh' if you do not want it running, remove the practice directory with 'sudo rm -r /srv/projectshare' (note the specific path — never a broad one), and, if you wish, remove the practice user with 'sudo userdel -r alice'. Removing accounts and resources you no longer need is itself a least-privilege habit.
What you should see
A new user 'alice' with a home directory, a login shell, and membership in a group you created; a shared directory whose permissions (770) let the owner and group in but keep everyone else out, readable in the 'ls -ld' output; and a real service that reports 'active (running)', is enabled to start at boot, and runs under a system account rather than your personal login. Identity, permissions, and services have clicked into one picture.
This lab practices the user and group management, file-permission, and service-control skills that Domain 2 (Services and User Management) of the official XK0-006 objectives covers — see the official objectives page for the exam's own wording.
Stay safe & legal: Run this only on a Linux environment you own (your WSL install or a throwaway VM). Creating users, setting permissions, and installing a service all use administrative rights, so a mistake on a shared or production system could lock people out or expose a service — never do this on a machine you do not control. Every 'rm' in this lab targets one specific path you created; never run 'rm -r' or 'rm -rf' against broad or system paths. Give the practice user a throwaway password and remove it when you finish.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 4 of 5 · domain 3 · 18% of the exam
Security
Fourth in our suggested order, at 18%. It applies the accounts, permissions, and services from the earlier domains with an adversary in mind — hardening access, filtering the network edge, and protecting data — and it is a natural bridge toward Security+ afterward.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Linux+ objectives
This is the 'keep the system from being abused' domain, and at 18% it is a meaningful slice that also serves as a natural bridge toward a security-focused path like Security+ afterward. Where the earlier domains taught you to manage, run, and serve a Linux host, this one asks how you defend it: hardening the ways people and programs get in, controlling what traffic reaches the machine, protecting data at rest and in transit, and layering the mandatory-access controls that contain a compromise. A lot of it is Domains 1 and 2 revisited with an adversary in mind — permissions, accounts, and services all become security surfaces here.
The starting point is access hardening, and the most important everyday tool is secure remote access over SSH. You are expected to understand how SSH lets you administer a machine over an encrypted channel, and — crucially — why key-based authentication is stronger than passwords: a keypair proves identity with a secret that never travels over the wire and cannot be guessed by brute force. Around that sit the hardening habits: disabling direct root login over SSH, preferring keys over passwords, changing or restricting where a service listens, and removing or disabling accounts and services you do not need. The instinct to reduce the attack surface — fewer open doors, fewer privileged accounts — is the through-line of the whole domain.
The network edge is the next layer: the host firewall that decides which traffic is allowed to reach the machine at all. You should recognize the common front-ends — the uncomplicated firewall (ufw) on Ubuntu-style systems and firewalld on Red Hat-style systems — and understand that both sit on top of the kernel's packet-filtering machinery. The concept the exam wants is default-deny thinking: allow only the specific services you intend to expose (say, SSH and a web port) and block the rest, so a service you forgot about is not silently reachable. This connects directly to the services domain — every service you start is a door, and the firewall decides whether that door is open to the network.
Data protection is the third strand: keeping information confidential and intact whether it is sitting on disk or moving across a network. On the disk side this includes filesystem and full-disk encryption so that a stolen drive does not surrender its contents, and the use of hashing and checksums to prove a file has not been tampered with. In transit, it is the encrypted channels — SSH and TLS — that protect data as it travels. The exam expects you to reason about which protection applies to a described situation: 'the laptop was stolen' points to disk encryption, while 'the data is intercepted on the network' points to encryption in transit.
The final layer is mandatory access control and broader hardening — the systems that go beyond ordinary file permissions to confine what a process can do even if it is running as a powerful account. The two you should recognize by name and purpose are SELinux (prominent on Red Hat-family systems) and AppArmor (prominent on Ubuntu-family systems); both enforce policies that constrain programs to only the resources they legitimately need, so a compromised web server cannot roam the whole filesystem. Alongside them sit auditing and logging (keeping a trustworthy record of security-relevant events) and the general discipline of patching promptly, all of which the exam frames as defense in depth: no single control is trusted to be perfect, so you stack several.
The best way to study this domain is to harden a real host with your own hands, which is exactly what the lab below does: you generate an SSH keypair, use key-based login, and inspect (and reason about) the host firewall. Doing it makes the case for keys over passwords and default-deny firewalling far more convincingly than any list of terms. As you study, keep asking the defender's questions — which security goal does this protect, what attack does this stop, and what can an attacker who gets one foothold still reach? And read the official CompTIA Linux+ objectives page for the exact topic list; this explanation paraphrases the domain's scope in our own words rather than reproducing CompTIA's.
RoleMath glossary: firewallA cited definition of the network chokepoint this domain's firewall lab configures on a Linux host.
Lab: SSH key basics and inspecting the host firewall
Practice the two most reused Linux security habits by hand: generate an SSH keypair and understand why key-based authentication beats passwords, then inspect your host firewall and reason about default-deny rules. You will make access hardening and edge filtering concrete on a system you own.
Free tools
Your free Linux environment from Domain 1 (WSL, a VirtualBox VM, or a browser-based shell) — one you own
The OpenSSH client tools ('ssh-keygen', 'ssh') — built into virtually every Linux install and WSL
The host firewall front-end for your distribution: 'ufw' on Ubuntu/Debian or 'firewall-cmd' (firewalld) on Fedora/Red Hat — usually preinstalled or free from your repositories
Steps
In your own Linux environment, generate an SSH keypair: 'ssh-keygen -t ed25519 -C "rolemath-lab"'. When prompted, accept the default file location and, for practice, set a passphrase. This creates a private key (kept secret) and a public key (shareable).
Look at what you made: 'ls -l ~/.ssh' shows two files — 'id_ed25519' (the private key, permissions locked to you) and 'id_ed25519.pub' (the public key). Read the public one with 'cat ~/.ssh/id_ed25519.pub'; that single line is what you would place on a server to let this key log in.
Understand the model out loud: the private key never leaves your machine and never travels over the network, while the public key can be shared freely. Logging in proves you hold the private key without ever sending a password an attacker could capture or brute-force. That is why key-based authentication is the hardening default.
See how a server would grant your key access: the destination account's '~/.ssh/authorized_keys' file holds the public keys allowed to log in. On your own environment you can demonstrate this by appending your public key: 'cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys' and then 'chmod 600 ~/.ssh/authorized_keys'. Tight permissions on these files are part of the hardening.
Read the SSH server's hardening options (do not blindly change a shared machine): 'sudo grep -E "PermitRootLogin|PasswordAuthentication" /etc/ssh/sshd_config'. Reason about why a hardened host sets 'PermitRootLogin no' and prefers keys over passwords — every setting here shrinks the attack surface.
Now the firewall. Check its status. On Ubuntu/Debian: 'sudo ufw status verbose'. On Fedora/Red Hat: 'sudo firewall-cmd --state' then 'sudo firewall-cmd --list-all'. Read which services and ports are currently allowed.
Reason about default-deny. A hardened host allows only the doors it needs. For example, to allow SSH you would run (Ubuntu) 'sudo ufw allow ssh' or (Fedora) 'sudo firewall-cmd --add-service=ssh --permanent'. Read how each command names one specific service to permit while everything unlisted stays blocked — that is the default-deny posture the domain teaches.
Optional, on your own throwaway VM only: enable the firewall ('sudo ufw enable') after you have explicitly allowed SSH, so you do not lock yourself out. Then re-run the status command and see SSH permitted while other ports are denied. Skip this step on WSL or any environment where you are unsure.
Connect the dots to the services domain: list your listening services with 'sudo ss -tlnp' (which ports are open; sudo is needed to see the owning process names) and compare that to what the firewall allows. Any listening service that the firewall does not intend to expose is exactly the kind of forgotten door hardening closes.
Write two sentences: one explaining why your key-based login is harder to defeat than a password, and one naming which services your firewall allows and why default-deny makes the rest safe. If you can, the domain's core habits are yours.
What you should see
A generated SSH keypair with a locked-down private key and a shareable public key you can read; an understanding, made concrete, of why proving you hold a private key beats sending a password; the SSH server's hardening settings you can reason about; and a host firewall whose status you can read, allowing only named services while denying the rest. Access hardening and edge filtering are no longer abstract.
This lab practices the secure-remote-access, SSH-key, and host-firewall skills that Domain 3 (Security) of the official XK0-006 objectives covers, building on the accounts and services of Domain 2 — see the official objectives page for the exam's own wording.
Stay safe & legal: Do this only on a Linux environment you own. Generating keys and reading firewall status are safe and mostly read-only. Be careful enabling a firewall on a remote or headless machine: always allow SSH before enabling the firewall, or you can lock yourself out — this is why the enable step is optional and reserved for a throwaway VM. Keep your private key private and never paste real production keys or credentials into a practice environment. Do not point any of this at a system you do not own.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 5 of 5 · domain 4 · 17% of the exam
Automation, Orchestration, and Scripting
Last in our suggested order, at 17% — the lightest domain, and the one that builds most directly on everything before it, since a script mostly automates tasks the earlier domains taught you to do by hand. It is also the clearest on-ramp to a DevOps path.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Linux+ objectives
This is the 'stop doing it by hand' domain, and at 17% it is the lightest of the five — but for a career changer aiming at cloud or DevOps work, it may be the most career-defining, because automation is what separates a Linux user from a Linux engineer. It covers writing scripts to automate repetitive tasks, scheduling work to run on its own, using version control to track changes, and the higher-level ideas of configuration management, containers, and infrastructure as code. It sits last in our suggested order for a good reason: a script mostly automates the very tasks the earlier domains taught you to do by hand, so it lands best once those are familiar.
The foundation is shell scripting, and specifically bash — the default shell on most Linux systems. A shell script is simply a text file of commands the shell runs in order, but the exam expects you to go a step further into real programming constructs: variables to hold values, conditionals to make decisions ('if this file exists, do that'), loops to repeat work over a list, reading input and arguments, and exit codes to report success or failure. The mindset shift is from typing one command at a time to describing a whole procedure once, so it runs identically every time. Even modest scripting — a backup routine, a log-cleanup job, a health check — pays for itself quickly and is exactly what employers mean when they ask for automation skills.
Scheduling is the natural partner to scripting, because a script's value multiplies when it runs on its own. The classic tool is cron, which runs commands on a fixed timetable defined by a compact five-field schedule (minute, hour, day of month, month, day of week); the more modern alternative is a systemd timer. Either way, the concept the exam wants is unattended, repeatable execution: backups that happen every night, reports that generate every Monday, cleanup that runs every hour, all without a human remembering to start them. Combining a script you wrote with a schedule you set is the smallest complete unit of real automation, which is exactly why this domain's lab has you build both.
Version control, centered on Git, is the next strand — the discipline of tracking changes to files (scripts, configuration, infrastructure definitions) over time so you can see what changed, when, and why, and roll back when something breaks. You are expected to understand the everyday flow: putting files under version control, saving snapshots as commits with messages, viewing history, and working with remote repositories that teams share. For anyone heading toward DevOps this is not optional background; it is the substrate that modern infrastructure work runs on, because in a mature shop even the servers themselves are described in versioned text files.
The domain then rises to the orchestration and infrastructure ideas that give it its name. Configuration management tools apply a desired state to many machines consistently, so a fleet of servers ends up identically and correctly set up without hand-configuration. Containers package an application with its dependencies so it runs the same everywhere, and container orchestration coordinates many of them across many hosts. Infrastructure as code describes the servers, networks, and services themselves in text files that can be reviewed, versioned, and rebuilt identically. Linux+ does not ask you to master any single one of these tools; it asks you to understand what problem each category solves and how they fit together — the conceptual map of modern automated operations that a DevOps or cloud role assumes.
The way to study this domain is to write and schedule something small that actually runs, which is exactly what the lab below does: you write a real bash script with a variable and a loop, make it executable, run it, and then schedule it with cron. Doing it turns 'automation' from a buzzword into a file you created and a job that fires on its own. As you go further, put your scripts under Git and read about one configuration-management or container tool to sketch the bigger map. And read the official CompTIA Linux+ objectives page for the exact topic list; this explanation paraphrases the domain's scope in our own words rather than reproducing CompTIA's.
Lab: write a bash script and schedule it with cron
Build the smallest complete unit of real automation with your own hands: write a bash script that uses a variable and a loop, make it executable and run it, then schedule it to run automatically with cron. You will turn 'automation' from a word into a file you wrote and a job that fires on its own.
Free tools
Your free Linux environment from Domain 1 (WSL, a VirtualBox VM, or a browser-based shell) — one you own
A text editor in the shell (nano is beginner-friendly; vim or a graphical editor also work) — all free and typically preinstalled
bash and cron (or 'crontab') — built into virtually every Linux install; on minimal systems install the free 'cron' package from your repositories
Steps
In your own Linux environment, make a working directory and move into it: 'mkdir -p ~/rolemath-scripts && cd ~/rolemath-scripts'.
Create a script file with a text editor: 'nano hello.sh'. In the editor, type a script that starts with the shebang line '#!/usr/bin/env bash', sets a variable ('NAME="RoleMath learner"'), prints a greeting using it ('echo "Hello, $NAME — script ran at $(date)"'), and then loops: 'for i in 1 2 3; do echo "Count $i"; done'. Save and exit (in nano, Ctrl+O then Enter, then Ctrl+X).
Make the script executable — a permission concept straight from Domain 2: 'chmod +x hello.sh'. Then confirm with 'ls -l hello.sh' that the execute bits are now set.
Run your script two ways: './hello.sh' (runs it because it is executable) and 'bash hello.sh' (runs it explicitly through bash). You should see your greeting with the current date and the three counted lines. You have just automated a small procedure.
Check the exit code that reports success: run 'echo $?' right after the script — a 0 means it succeeded. Exit codes are how scripts and schedulers know whether a job worked.
Make the script do something schedule-worthy: edit it so it appends a timestamped line to a log file instead of only printing — for example add 'echo "$(date): job ran" >> ~/rolemath-scripts/job.log'. Save, then run it once and confirm the line with 'cat ~/rolemath-scripts/job.log'.
Now schedule it with cron. Open your personal crontab with 'crontab -e' (choose nano if asked). Add a line to run the script every minute for the demo: '* * * * * /home/YOURUSER/rolemath-scripts/hello.sh' — replace YOURUSER with your username (find it with 'whoami') and use the full path. Save and exit.
Read the five time fields out loud so the schedule is not magic: minute, hour, day-of-month, month, day-of-week, with '*' meaning 'every'. So '* * * * *' means every minute; '0 2 * * *' would mean 2:00 AM daily. List your scheduled jobs with 'crontab -l' to confirm it is there.
Wait a couple of minutes, then check that cron ran it on its own: 'cat ~/rolemath-scripts/job.log' should now show several timestamped lines you did not trigger by hand. That is unattended, repeatable execution — the heart of automation.
Clean up the demo so it does not run forever: 'crontab -e' again and delete the line you added (or comment it out with a leading '#'), then save. Optionally remove the practice directory with 'rm -r ~/rolemath-scripts' (note the specific path). Leaving a per-minute job running is exactly the kind of thing you disable when you are done testing.
What you should see
An executable bash script that prints a greeting built from a variable and counts through a loop; an exit code of 0 confirming it succeeded; a log file that grows a new timestamped line every minute without you running anything; and a crontab you can list, edit, and clean up. You have written automation and watched a scheduler run it for you — the smallest complete piece of the DevOps skillset.
This lab practices the shell-scripting (variables, loops, exit codes) and task-scheduling skills that Domain 4 (Automation, Orchestration, and Scripting) of the official XK0-006 objectives covers — see the official objectives page for the exam's own wording.
Stay safe & legal: Do this only on a Linux environment you own. Scripts run with your permissions, so read every command before you run it and never paste a script from an untrusted source without understanding it. Schedule the per-minute demo job only long enough to see it work, then remove it so it does not run indefinitely. Every 'rm' here targets a specific path you created — never run 'rm -r' or 'rm -rf' against broad or system directories, and never schedule a destructive command.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Skills you’ll build
Studying CompTIA Linux+builds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:
Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.
Exam voucher (standalone): Commonly listed around $358 USD for the single Linux+ (XK0-006) exam voucher — confirm the current price on the official CompTIA page before you buy Official CompTIA Linux+ certification page
Certification validity: 3 years, renewed through CompTIA's continuing-education (CE) program — upload CEUs, complete CertMaster CE, or pass a qualifying higher CompTIA exam; verify the current CEU requirement for Linux+ on the official CE page CompTIA CE renewal fees page
CE program fee: Around $150 USD per 3-year cycle — verify the current CE fees on the official CompTIA page CompTIA CE renewal fees page
A free, source-cited study companion built on CompTIA's published XK0-006 objectives — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by CompTIA.