Linux Foundation Certified System Administrator LFCS (LFCS) — Questions 175

513 questions total · 7pages · All types, answers revealed

Page 1 of 7

Page 2
1
MCQmedium

A server has two network interfaces: eth0 (10.0.0.10/24) and eth1 (192.168.1.10/24). The server needs to act as a router for a subnet 172.16.0.0/24, forwarding packets between it and the 10.0.0.0/24 network. Which sysctl parameter must be set to a value of 1 to enable IP forwarding?

A.net.ipv4.conf.all.forwarding
B.net.core.forwarding
C.net.ipv4.tcp_forwarding
D.net.ipv4.ip_forward
AnswerD

This is the standard sysctl parameter to enable IP forwarding.

Why this answer

Option D is correct because `net.ipv4.ip_forward` is the primary sysctl parameter that controls IP forwarding at the kernel level on Linux systems. Setting it to 1 enables the kernel to forward packets between network interfaces, which is essential for the server to act as a router between the 172.16.0.0/24 and 10.0.0.0/24 subnets.

Exam trap

The trap here is that candidates may confuse the valid `net.ipv4.ip_forward` with the similarly named but non-existent `net.ipv4.conf.all.forwarding`, or mistakenly think that forwarding is controlled at the transport layer via a TCP-specific parameter.

How to eliminate wrong answers

Option A is wrong because `net.ipv4.conf.all.forwarding` is not a valid sysctl parameter; the correct parameter for per-interface or all-interface forwarding control is `net.ipv4.conf.all.forwarding` does not exist, and the proper parameter for enabling forwarding on all interfaces is `net.ipv4.conf.all.forwarding` is actually a valid parameter but it is an alias for `net.ipv4.ip_forward` in some kernel versions, however the standard and most commonly tested parameter is `net.ipv4.ip_forward`. Option B is wrong because `net.core.forwarding` is not a valid sysctl parameter; the `net.core` namespace deals with core networking parameters like `net.core.rmem_default` and `net.core.wmem_max`, not IP forwarding. Option C is wrong because `net.ipv4.tcp_forwarding` is not a valid sysctl parameter; TCP forwarding is not a kernel-level concept, and IP forwarding operates at the network layer (Layer 3), not the transport layer (Layer 4).

2
Multi-Selecthard

Which three of the following are valid reasons to use 'systemctl mask' instead of 'systemctl disable'? (Choose three.)

Select 3 answers
A.To hide the service from status commands.
B.To make the service completely unavailable to the system.
C.To ensure that even 'systemctl start' fails.
D.To prevent the service from being enabled via any dependency.
E.To prevent the service from being started manually.
AnswersC, D, E

Masking causes start to fail; disable does not.

Why this answer

Option C is correct because 'systemctl mask' creates a symlink from the unit file to /dev/null, which causes all attempts to start the service (including 'systemctl start') to fail silently. This is a stronger action than 'systemctl disable', which only removes the symlinks that enable automatic startup but still allows manual starting via 'systemctl start'.

Exam trap

The trap here is that candidates often confuse 'disable' with 'mask', thinking both prevent manual start, but only 'mask' ensures that even explicit 'systemctl start' commands fail.

3
MCQeasy

Refer to the exhibit. The output of 'iptables -L -n' shows the INPUT chain rules. What will happen to an SSH connection attempt from 10.0.0.1?

A.The connection will be accepted
B.The connection will be dropped by the first rule
C.The connection will be rate-limited
D.The connection will be dropped by the default policy
AnswerA

The ACCEPT rule matches the source 10.0.0.0/8, so the connection is allowed.

Why this answer

The exhibit shows iptables rules for the INPUT chain. The first rule explicitly accepts SSH (port 22) from 10.0.0.1, so the connection attempt from that source IP will be accepted. Since iptables processes rules sequentially and this rule matches, the packet is accepted immediately without checking subsequent rules or the default policy.

Exam trap

Linux Foundation often tests the sequential nature of iptables rule processing, where candidates mistakenly think the default policy applies before all rules are checked, or that a later rule could override an earlier match.

How to eliminate wrong answers

Option B is wrong because the first rule matches SSH from 10.0.0.1 and has a target of ACCEPT, not DROP, so the connection is accepted, not dropped. Option C is wrong because there is no rate-limiting rule (e.g., using the 'limit' module) in the exhibited chain; rate-limiting would require explicit rules with '--limit' or similar. Option D is wrong because the default policy only applies if no rule matches; here, the first rule matches and accepts the connection, so the default policy is never reached.

4
MCQmedium

A system administrator needs to create a new group named 'developers' with GID 1500 and add the user 'alice' to this group. Which set of commands accomplishes this?

A.newgrp -g 1500 developers; adduser alice developers
B.create group developers gid=1500; useradd -G developers alice
C.groupadd developers -g 1500; usermod -G developers alice
D.groupadd -g 1500 developers; usermod -aG developers alice
AnswerD

Correct: groupadd creates the group with GID 1500, usermod appends alice to the supplementary group.

Why this answer

First create the group with the specific GID using groupadd -g, then add the user to the group using usermod -aG.

5
MCQmedium

An administrator wants to ensure that a service starts automatically after a system crash. Which systemd command should be used?

A.systemctl daemon-reload
B.systemctl enable service
C.systemctl mask service
D.systemctl start service
AnswerB

Enables the service to start automatically at boot.

Why this answer

The `systemctl enable service` command creates the necessary symlinks in the systemd unit configuration directories (e.g., `/etc/systemd/system/multi-user.target.wants/`) so that the service is automatically started at boot. This includes recovery after a system crash, because the crash triggers a reboot, and the enabled service will be started as part of the normal boot process.

Exam trap

The trap here is that candidates confuse `systemctl start` (immediate, one-time start) with `systemctl enable` (persistent boot-time start), leading them to choose option D, which does not survive a reboot or crash.

How to eliminate wrong answers

Option A is wrong because `systemctl daemon-reload` only reloads the systemd manager configuration and unit files, but does not change the enablement state of any service; it cannot ensure a service starts after a crash. Option C is wrong because `systemctl mask service` creates a strong symlink to `/dev/null`, which prevents the service from being started manually or automatically, even by dependencies or boot; this is the opposite of what is needed. Option D is wrong because `systemctl start service` only starts the service immediately in the current session; it does not create any boot-time or crash-recovery enablement, so the service will not start automatically after a reboot or crash.

6
Multi-Selecteasy

Which TWO commands can be used to view logs for a specific systemd unit (e.g., sshd.service)?

Select 2 answers
A.tail -f /var/log/secure
B.systemctl status sshd.service
C.cat /var/log/messages | grep sshd
D.journalctl -u sshd.service
E.journalctl _SYSTEMD_UNIT=sshd.service
AnswersD, E

Standard way to view unit logs.

Why this answer

Both `journalctl -u sshd.service` and `journalctl _SYSTEMD_UNIT=sshd.service` are correct because `journalctl` is the native tool for querying the systemd journal, which stores logs for all systemd units. The `-u` flag filters by unit name, while `_SYSTEMD_UNIT=` is a journal field that directly matches the unit identifier, both providing the same filtered output for sshd.service.

Exam trap

The trap here is that candidates may think `systemctl status` is a log viewing command, but it only shows a brief snippet of recent logs and is not designed for comprehensive log retrieval, while `journalctl` is the correct tool for accessing the full journal.

7
MCQmedium

A security policy requires that a user's password must expire 90 days after last change, and the user must change it immediately on next login. The last password change was 30 days ago. Which set of commands achieves this?

A.chage -M 90 user1; chage -d 0 user1
B.chage -M 90 user1; chage -m 1 user1
C.chage -M 90 user1; chage -W 7 user1
D.chage -M 90 user1; chage -I 5 user1
AnswerA

-M sets max days; -d 0 forces immediate change on next login.

Why this answer

Option A is correct because chage -M 90 sets maximum days to 90, and chage -d 0 forces password change on next login. Option B sets warning days, not forced change. Option C sets inactivity period.

Option D sets minimum days before change.

8
MCQeasy

A developer reports that a custom daemon fails to start after a reboot. The daemon's unit file is located in /etc/systemd/system/custom.service. Which of the following is the most likely cause?

A.The service was not started manually after installation.
B.The service is not enabled.
C.The SELinux policy blocks the service.
D.A firewall rule is blocking inbound connections.
AnswerB

A service must be enabled with systemctl enable to start at boot.

Why this answer

Option A is correct because if the service is not enabled, it will not start automatically at boot. Option B is incorrect because starting the service manually after boot works. Option C is incorrect as SELinux would cause a different error.

Option D is incorrect because firewall rules do not prevent systemd from starting a service.

9
MCQmedium

A financial firm requires all internal SSH connections to be encrypted with at least 256-bit ciphers. An administrator is configuring the SSH server. Which configuration line should be added to /etc/ssh/sshd_config?

A.MACs hmac-sha2-256
B.KexAlgorithms diffie-hellman-group-exchange-sha256
C.Ciphers aes256-ctr
D.HostKeyAlgorithms ssh-rsa
AnswerC

Specifies allowed ciphers; aes256-ctr is 256-bit.

Why this answer

Option C is correct because the Ciphers directive in sshd_config explicitly controls the symmetric encryption algorithms used to encrypt SSH session data. The cipher aes256-ctr provides 256-bit encryption, meeting the firm's requirement for at least 256-bit ciphers. Other directives like MACs, KexAlgorithms, or HostKeyAlgorithms do not directly set the encryption cipher strength.

Exam trap

The trap here is that candidates confuse MACs, KexAlgorithms, or HostKeyAlgorithms with encryption ciphers, assuming any directive with '256' or 'sha256' implies 256-bit encryption, when only the Ciphers directive controls the symmetric encryption algorithm strength.

How to eliminate wrong answers

Option A is wrong because MACs (Message Authentication Codes) specify integrity-check algorithms like hmac-sha2-256, not encryption ciphers; they ensure data authenticity, not confidentiality. Option B is wrong because KexAlgorithms define key exchange methods (e.g., diffie-hellman-group-exchange-sha256) that negotiate session keys, but they do not determine the symmetric cipher used for encrypting the actual data stream. Option D is wrong because HostKeyAlgorithms specify which host key types (e.g., ssh-rsa) are accepted for server authentication, not the encryption cipher for the session.

10
MCQmedium

Refer to the exhibit. An administrator adds user 'frank' to the group 'projectx' by editing /etc/group directly and changing the line to 'projectx:x:500:carol,dave,frank'. After saving, the administrator runs 'groups frank' and sees only 'frank' in the output. Why does frank not appear in the group 'projectx'?

A.Editing /etc/group directly is not a valid method; 'usermod -aG' must be used instead.
B.The group 'projectx' has a GID conflict with another group.
C.The 'groups' command reads only from /etc/group and the change should appear immediately.
D.The user 'frank' is still logged into the same session; he must log out and log back in for the new group to be recognized.
AnswerD

Group membership is cached at login; re-login is required to refresh.

Why this answer

Option D is correct. Direct editing requires the user to log out and log back in for the new group to take effect. Option A is wrong because the GID is fine.

Option B is wrong because usermod wasn't used, but editing is valid if syntax is correct. Option C is wrong because groups command reads from current session's group list, not just /etc/group.

11
MCQhard

A storage administrator wants to create a software RAID 10 (1+0) array using six disks. Which mdadm command is appropriate?

A.mdadm --create /dev/md0 --level=10 --raid-devices=6 /dev/sda /dev/sdb /dev/sdc
B.mdadm --create /dev/md0 --level=10 --raid-devices=6 /dev/sd[abcdef]
C.mdadm --create /dev/md0 --level=1 --raid-devices=6 --chunk=64 /dev/sd[abcdef]
D.mdadm --create /dev/md0 --level=10 --raid-devices=4 /dev/sda /dev/sdb /dev/sdc /dev/sdd
AnswerB

Correct command.

Why this answer

Option B is correct because it uses the proper mdadm syntax to create a RAID 10 array with six disks. The --level=10 specifies RAID 10 (a striped mirror set), and --raid-devices=6 matches the number of disks provided via the /dev/sd[abcdef] glob, which expands to /dev/sda through /dev/sdf. This command correctly creates a RAID 10 array that combines striping and mirroring across all six devices.

Exam trap

The trap here is that candidates often confuse the required number of disks for RAID 10 (thinking any even number works, but the command must match --raid-devices to the actual device count) or mistakenly use RAID 1 (--level=1) when the question explicitly asks for RAID 10, leading them to pick option C.

How to eliminate wrong answers

Option A is wrong because it only lists three disks (/dev/sda, /dev/sdb, /dev/sdc) but specifies --raid-devices=6, which will cause mdadm to fail or prompt for missing devices; RAID 10 requires an even number of disks (at least 4) and the count must match the provided devices. Option C is wrong because it uses --level=1 (RAID 1, pure mirroring) instead of --level=10, and RAID 1 with six disks would create a single mirrored set, not the striped mirror of RAID 10; the --chunk=64 option is irrelevant for RAID 1. Option D is wrong because it specifies --raid-devices=4 but lists four disks, which would create a valid RAID 10 array but with only four disks, not the six disks required by the question.

12
MCQmedium

A server’s root filesystem on LVM is nearly full. The administrator has added a new 20GB disk and created a physical volume on it. They added the PV to the volume group containing root, then extended the root logical volume by 10GB. Next, they ran resize2fs on the mounted root filesystem. After the resize, the server continues to function. However, upon reboot, the system fails to boot and enters emergency mode. What is the most likely cause?

A.The GRUB configuration is missing the new kernel.
B.The /etc/fstab entry for root is incorrect.
C.The filesystem was not resized correctly.
D.The initramfs needs to be regenerated to include the new disk.
AnswerD

Correct: Adding a PV may require initramfs rebuild to ensure LVM tools are present.

Why this answer

Option B is correct because adding a new PV may change the order of LVM devices; the initramfs must include the LVM tools to mount root, and rebuilding it ensures the new PV is recognized. Option A is unlikely since resize2fs worked. Option C is not related to the disk addition.

Option D fstab is unchanged and should still work.

13
MCQeasy

What can be concluded from the log?

A.SSH server is masked
B.SSH server is running with errors
C.SSH server stopped normally
D.SSH server failed to start due to configuration error
AnswerD

Exit status 255 typically indicates a configuration problem.

Why this answer

The log shows that the SSH service failed to start because of a configuration error. Specifically, the log entry indicates a syntax error or invalid directive in the SSH daemon configuration file (typically /etc/ssh/sshd_config), which prevents the service from binding to the port and starting. This is a common issue when editing the configuration file manually, as the SSH daemon validates its configuration at startup and will refuse to run if any errors are found.

Exam trap

The trap here is that candidates often confuse a service that fails to start due to a configuration error with a service that is running but has errors, leading them to select option B instead of D.

How to eliminate wrong answers

Option A is wrong because a masked service would not produce a log entry about a configuration error; instead, systemctl status would show 'masked' and the service would be prevented from starting entirely. Option B is wrong because the log indicates a failure to start, not a running service with errors; a running SSH server with errors would show operational issues like failed authentication attempts or connection drops, not a startup failure. Option C is wrong because a normal stop would generate a clean shutdown message (e.g., 'Stopping OpenSSH server daemon') and the service would exit with status 0, not a configuration error.

14
MCQhard

A security policy requires that user 'svc_backup' have a password that never expires. Additionally, the account should be locked after 90 days of inactivity. Which set of commands achieves this?

A.chage -W 7 -I 90 svc_backup
B.chage -E 2025-01-01 -I 90 svc_backup
C.chage -M 99999 -I 90 svc_backup
D.chage -M 90 -I 90 svc_backup
AnswerC

-M 99999 effectively disables password expiration; -I 90 locks account after 90 days of inactivity.

Why this answer

Option C is correct because `chage -M 99999` sets the maximum password age to 99999 days, effectively preventing the password from ever expiring (since 99999 days far exceeds any practical lifespan). The `-I 90` flag sets the inactivity period to 90 days, meaning the account will be locked after 90 days of no login activity. This combination satisfies both security policy requirements: a non-expiring password and automatic lockout after 90 days of inactivity.

Exam trap

The trap here is that candidates often confuse `-I` (inactivity lock) with `-E` (account expiration) or assume that setting `-M 90` combined with `-I 90` will satisfy both requirements, but `-M 90` causes the password to expire, which violates the 'never expires' mandate.

How to eliminate wrong answers

Option A is wrong because `-W 7` sets a warning period of 7 days before password expiration, but it does not disable password expiration; the password will still expire based on the default maximum age (typically 99999 or a system-defined value), and `-I 90` alone does not prevent expiration. Option B is wrong because `-E 2025-01-01` sets an absolute account expiration date, which would lock the account on that date regardless of inactivity, and does not prevent password expiration; the policy requires the password to never expire, not the account to expire on a fixed date. Option D is wrong because `-M 90` sets the maximum password age to 90 days, meaning the password will expire after 90 days, contradicting the requirement that the password never expires; the `-I 90` inactivity lock would only apply after the password expires, not independently.

15
Multi-Selectmedium

Which THREE of the following are valid options for the `lsblk` command to display more detailed information about block devices? (Select THREE.)

Select 3 answers
A.-c
B.-o
C.-f
D.-g
E.-m
AnswersB, C, E

Allows specifying output columns.

Why this answer

Option B (-o) is correct because it allows users to specify custom output columns, such as NAME, SIZE, TYPE, MOUNTPOINT, etc., enabling detailed and tailored information about block devices. Option C (-f) is correct as it displays filesystem information, including FSTYPE, LABEL, UUID, and MOUNTPOINT, which is essential for identifying filesystem details. Option E (-m) is correct because it shows ownership and permissions (owner, group, mode) for each block device, providing security-related details beyond the default output.

Exam trap

The trap here is that candidates often confuse lsblk options with those from similar commands like 'ls' or 'df', leading them to select -c (thinking of column output) or -g (thinking of gigabytes), when in fact lsblk uses different flags for those purposes.

16
MCQmedium

A custom systemd service unit file has been created but the service fails to start with 'Exec format error'. What is the most likely cause?

A.The unit file has incorrect permissions
B.The user does not have permission to start the service
C.The service is disabled
D.The ExecStart command path is incorrect or missing shebang
AnswerD

An invalid executable or missing interpreter causes exec format error.

Why this answer

The 'Exec format error' in systemd indicates that the binary or script specified in the ExecStart directive cannot be executed, typically because the path is incorrect, the file is not executable, or (most commonly) the script lacks a valid shebang line (e.g., #!/bin/bash). Without a shebang, the kernel does not know which interpreter to use, causing an execve() failure.

Exam trap

Linux Foundation often tests the distinction between 'Exec format error' and other startup failures, trapping candidates who confuse permission issues (chmod +x) with the missing shebang requirement for interpreted scripts.

How to eliminate wrong answers

Option A is wrong because unit file permissions (e.g., 644) do not affect execution; systemd reads the unit file as root, and the error is about the ExecStart target, not the unit file itself. Option B is wrong because if the user lacked permission to start the service, systemctl would report 'Permission denied' or 'Access denied', not an 'Exec format error'. Option C is wrong because a disabled service simply means it won't start automatically at boot; attempting to start it manually with systemctl start would still work if the unit is correct, and the error would not be 'Exec format error'.

17
MCQeasy

After editing a service unit file, which command must be run for changes to take effect?

A.systemctl restart <service>
B.systemctl daemon-reload
C.systemctl reenable <service>
D.systemctl reload <service>
AnswerB

daemon-reload reloads all unit files, applying any changes.

Why this answer

When a service unit file is edited, systemd must be notified to reload its configuration from disk. The `systemctl daemon-reload` command instructs systemd to re-read all unit files, applying any changes to the unit definitions without requiring a full system reboot. This is necessary because systemd caches unit file contents in memory, and only a daemon-reload will update that cache.

Exam trap

The trap here is that candidates confuse restarting the service (which affects the running process) with reloading the systemd daemon (which updates the unit definition cache), leading them to choose `systemctl restart` instead of `systemctl daemon-reload`.

How to eliminate wrong answers

Option A is wrong because `systemctl restart <service>` only stops and starts the service using the currently loaded unit configuration; it does not cause systemd to re-read the unit file from disk, so any changes to the unit file itself are ignored. Option C is wrong because `systemctl reenable <service>` recreates symlinks in the systemd configuration directories but does not reload the unit definitions into systemd's running state. Option D is wrong because `systemctl reload <service>` sends a SIGHUP or equivalent signal to the service process to reload its own configuration files, not systemd's unit file definitions.

18
Multi-Selecthard

Which TWO of the following are correct statements about systemd journald configuration?

Select 2 answers
A.The 'MaxRetentionSec' directive sets the maximum time to retain journal entries.
B.The 'RuntimeMaxUse' directive applies to the journal stored in /var/log/journal.
C.The 'SystemMaxUse' directive in journald.conf limits the maximum disk space used by the journal.
D.The 'Compress' directive is set to 'no' by default.
E.The 'ForwardToSyslog' directive is set to 'yes' by default.
AnswersA, C

MaxRetentionSec specifies the maximum time (in seconds) that journal entries are kept. Older entries are deleted.

Why this answer

Option A is correct because the 'MaxRetentionSec' directive in journald.conf specifies the maximum time (in seconds) that journal entries are retained before they are deleted. This is a time-based retention policy, distinct from size-based limits, and is used to automatically prune old log entries to manage disk usage.

Exam trap

The trap here is that candidates often confuse 'RuntimeMaxUse' with persistent storage limits, or assume 'ForwardToSyslog' is enabled by default because of legacy syslog integration, but systemd journald isolates logs by default.

19
MCQhard

Which nmcli command creates a VLAN interface with tag 10 on device eth0?

A.nmcli connection add type vlan con-name vlan10 ifname eth0 id 10
B.nmcli connection add type vlan con-name vlan10 dev eth0 id 10
C.nmcli device add vlan con-name vlan10 dev eth0 id 10
D.nmcli connection add type vlan con-name vlan10 ifname eth0.10
AnswerB

This is the correct syntax to create a VLAN connection on eth0 with ID 10.

Why this answer

Option B is correct because the `nmcli connection add` command with `type vlan` requires the `dev` option to specify the parent interface (eth0) and the `id` option to set the VLAN tag (10). The `con-name` assigns a name to the connection profile, and the resulting interface will be named automatically (e.g., eth0.10) unless overridden by `ifname`. This creates a VLAN interface that tags frames with ID 10 on the parent device eth0.

Exam trap

The trap here is confusing `ifname` (which sets the resulting interface name) with `dev` (which specifies the parent device), leading candidates to incorrectly use `ifname eth0` instead of `dev eth0` when the intent is to attach the VLAN to the physical interface.

How to eliminate wrong answers

Option A is wrong because it uses `ifname eth0` instead of `dev eth0`; `ifname` specifies the resulting interface name, not the parent device, so this would attempt to create a VLAN interface named eth0 (which conflicts with the existing physical interface) rather than attaching it to eth0. Option C is wrong because `nmcli device add` is not a valid subcommand; the correct syntax uses `nmcli connection add` to create a connection profile for the VLAN. Option D is wrong because `ifname eth0.10` directly sets the interface name to eth0.10 but omits the `id 10` parameter; while the name implies VLAN 10, the command does not explicitly set the VLAN tag, and the `id` option is required for proper 802.1Q tagging.

20
Multi-Selectmedium

Which TWO commands can be used to list all users currently logged into the system?

Select 2 answers
A.w
B.last
C.users
D.id
E.who
AnswersA, E

Shows who is logged in and what they are doing.

Why this answer

The `w` command displays a list of currently logged-in users along with detailed information such as login time, idle time, JCPU, PCPU, and the current process. It reads from /var/run/utmp to show active sessions, making it a correct choice for listing current users.

Exam trap

The trap here is that candidates often confuse `last` (which shows historical logins) with `who` or `w` (which show current logins), or they overlook that `users` also lists current users but is not the intended answer in this specific pairing.

21
MCQeasy

A user wants to find all files in /var/log that have been modified within the last 2 days. Which command should they use?

A.find /var/log -mtime -2
B.find /var/log -mmin -2880
C.find /var/log -mtime +2
D.find /var/log -mtime 2
AnswerA

Finds files modified less than 2 days ago.

Why this answer

Option A is correct because the `find` command with `-mtime -2` searches for files whose content was last modified less than 2 days ago (i.e., within the last 48 hours). The minus sign before the number indicates 'less than' or 'within the last N days', which matches the user's requirement to find files modified within the last 2 days.

Exam trap

The trap here is that candidates often confuse the meaning of the plus (+) and minus (-) signs with `-mtime`, mistakenly thinking `+2` means 'within the last 2 days' or that `-mtime 2` (without sign) means 'within 2 days', when in fact the signs control the direction of the time comparison.

How to eliminate wrong answers

Option B is wrong because `-mmin -2880` would find files modified within the last 2880 minutes (which is exactly 2 days), but the question asks for files modified within the last 2 days, not exactly 2 days ago; however, the more precise issue is that `-mmin` counts minutes, not days, and while 2880 minutes equals 2 days, the command would work but is not the standard or expected answer for this context. Option C is wrong because `-mtime +2` finds files modified more than 2 days ago (greater than 48 hours), which is the opposite of what is needed. Option D is wrong because `-mtime 2` (without a plus or minus sign) finds files modified exactly 2 days ago (i.e., between 48 and 72 hours ago), not within the last 2 days.

22
Multi-Selectmedium

Which THREE of the following statements about Linux file permissions are correct?

Select 3 answers
A.The command 'chmod a+w file' removes write permission for all.
B.The command 'chmod 400 secret.txt' sets read-only permission for the owner only.
C.The command 'chmod 755 file' sets permissions to rwxr-xr-x.
D.The command 'chmod u+x script.sh' adds execute permission for the owner.
E.The command 'chmod 644 file' sets permissions to rw-rw-rw-.
AnswersB, C, D

400 is r-------- (owner read only).

Why this answer

Option B is correct because the numeric permission mode 400 corresponds to read (4) for the owner, with no permissions for the group or others (0 and 0). This sets the file's permissions to r--------, meaning only the owner can read the file, and no one can write or execute it.

Exam trap

The trap here is that candidates often confuse the numeric permission values (e.g., thinking 644 gives rw-rw-rw- instead of rw-r--r--) or misinterpret the symbolic mode syntax, such as assuming 'a+w' removes write permission when it actually adds it.

23
MCQhard

A DevOps engineer wants to list all running processes sorted by memory usage in descending order. Which command should be used?

A.ps aux --sort=-%mem
B.ps aux --sort=%mem
C.ps aux --sort=+mem
D.ps aux --sort=-%cpu
AnswerA

Sorts by memory in descending order.

Why this answer

Option A is correct because `ps aux` lists all running processes, and `--sort=-%mem` sorts them by memory usage in descending order (the minus sign indicates descending). This is the standard way to identify memory-heavy processes for troubleshooting or resource monitoring.

Exam trap

The trap here is that candidates often confuse `%mem` with `mem` or `%cpu` with `%mem`, and may overlook the minus sign for descending order, leading them to pick ascending sort options or the wrong resource metric.

How to eliminate wrong answers

Option B is wrong because `--sort=%mem` sorts by memory usage in ascending order (lowest first), not descending as required. Option C is wrong because `--sort=+mem` uses an invalid sort key; the correct key is `%mem` (with percent sign), and the plus sign is redundant but would still sort ascending if the key were valid. Option D is wrong because `--sort=-%cpu` sorts by CPU usage descending, not memory usage, which does not meet the requirement.

24
Multi-Selectmedium

Which THREE of the following commands can be used to view the contents of a compressed file named 'file.gz' without permanently decompressing it? (Choose exactly three.)

Select 3 answers
A.gzip file.gz
B.zmore file.gz
C.gunzip file.gz
D.zcat file.gz
E.zless file.gz
AnswersB, D, E

Correct: displays with more.

Why this answer

Option B is correct because `zmore` is a utility that allows you to view the contents of a compressed file (such as `file.gz`) page by page without permanently decompressing it. It internally decompresses the file on the fly and pipes the output through `more`, making it ideal for inspecting large compressed files without modifying the original archive.

Exam trap

The trap here is that candidates mistakenly think `gunzip` or `gzip` can be used to view file contents without permanent decompression, confusing compression/decompression commands with viewing utilities like `zcat`, `zmore`, and `zless`.

25
Multi-Selectmedium

Which THREE commands can display the current CPU utilization statistics on a Linux system?

Select 3 answers
A.free
B.top
C.sar -u
D.mpstat -P ALL
E.uptime
AnswersB, C, D

Displays CPU usage dynamically.

Why this answer

The `top` command (option B) provides a real-time, dynamic view of system processes, including CPU utilization statistics such as user, system, idle, and I/O wait percentages. It is a standard tool for monitoring current CPU performance on Linux systems.

Exam trap

The trap here is that candidates may confuse `free` or `uptime` with CPU monitoring tools, but `free` is strictly memory-focused and `uptime` only shows load averages, not actual CPU utilization percentages.

26
MCQhard

An e-commerce company runs a critical application on a Linux server that occasionally becomes unresponsive. The server has 64GB RAM and runs a Java application. The operations team notices that during peak hours, the system becomes very slow and eventually the application crashes with 'OutOfMemoryError'. After restart, it works fine for a while. They suspect a memory leak but also want to ensure the system does not go down during peak hours. The system uses systemd to manage the Java service. The administrator needs to implement a solution that: (1) automatically restarts the service if it becomes unresponsive, (2) limits the memory usage of the service to prevent OOM kills on the system, and (3) provides early warning of high memory usage. Which of the following approaches best meets these requirements?

A.Set up a cron job to run every minute that checks memory usage with free and if > 90%, restart the service with systemctl restart. Also configure MemoryMax=32G in the systemd unit.
B.Configure sysctl vm.overcommit_memory=2 to prevent overcommit, and allocate huge pages for Java. Also set Restart=always in the systemd unit.
C.Use ulimit -v 33554432 in the service script to limit virtual memory, and set Restart=always. Also configure a cron job to send alerts when dmesg shows OOM.
D.Configure systemd service with WatchdogSec=30, Restart=on-failure, MemoryMax=32G. Also set up a log watcher that alerts when memory usage exceeds 28G via journalctl and a custom script.
AnswerD

Watchdog ensures restart if unresponsive, MemoryMax limits memory, log watcher provides early warning.

Why this answer

Option D is correct because it uses systemd's WatchdogSec to detect unresponsiveness and Restart=on-failure to automatically restart the service, while MemoryMax=32G enforces a hard memory limit via cgroups to prevent OOM kills. The custom log watcher provides early warning by alerting when memory usage exceeds 28G, satisfying all three requirements.

Exam trap

The trap here is that candidates often confuse ulimit or sysctl settings with cgroup-based memory limits, or assume cron-based polling is sufficient for unresponsiveness detection, overlooking systemd's built-in WatchdogSec mechanism.

How to eliminate wrong answers

Option A is wrong because using a cron job to check memory usage every minute is inefficient and may miss transient spikes, and MemoryMax=32G alone does not provide early warning. Option B is wrong because sysctl vm.overcommit_memory=2 and huge pages do not limit memory usage or provide automatic restart on unresponsiveness; Restart=always only restarts on exit, not on hang. Option C is wrong because ulimit -v limits virtual memory but does not prevent the Java process from exhausting physical memory and causing system-wide OOM; it also lacks early warning and WatchdogSec for unresponsiveness detection.

27
MCQeasy

Which legacy command can still be used to view the IPv4 routing table on a modern Linux system?

A.ip route show
B.route -n
C.arp -a
D.netstat -r
AnswerD

netstat -r is a legacy command that still works on most systems.

Why this answer

Option D is correct because `netstat -r` is a legacy command that reads the kernel routing table from `/proc/net/route` and displays it in a human-readable format. It remains available on modern Linux systems for backward compatibility, even though its use is discouraged in favor of `ip route`. The `-r` flag specifically instructs `netstat` to show the routing table.

Exam trap

The trap here is that candidates often confuse 'legacy command' with 'modern command' and pick `ip route show` (Option A) because it is the current standard, but the question explicitly asks for a legacy command that still works.

How to eliminate wrong answers

Option A is wrong because `ip route show` is the modern, recommended command from the `iproute2` suite, not a legacy command. Option B is wrong because `route -n` is itself a legacy command (from the `net-tools` package) and is not the correct answer here; the question asks for a legacy command that can still be used, and `route -n` is also legacy but the correct answer is `netstat -r`. Option C is wrong because `arp -a` displays the ARP cache (mapping IP addresses to MAC addresses), not the IPv4 routing table.

28
MCQhard

You are a senior Linux administrator for a large data center. A junior admin reports that a newly deployed application server (192.168.100.50/24, default gateway 192.168.100.1) cannot communicate with a legacy server (192.168.200.50/24, default gateway 192.168.200.1). The two subnets are connected via a router (192.168.100.1 and 192.168.200.1). From the app server, you can ping the legacy server's IP successfully. However, when you try to establish an SSH session from the app server to the legacy server, it times out. You check the legacy server's firewall (ufw) and find that it allows SSH (port 22) from the entire 192.168.0.0/16 range. You also confirm that the SSH daemon is running and listening on 0.0.0.0:22. What is the most likely cause?

A.The router is dropping TCP packets due to ACLs.
B.The legacy server's firewall is not allowing SSH; the rule might be misconfigured.
C.The app server's firewall (ufw) is blocking incoming SSH responses.
D.The legacy server's SSH service is not listening on the correct interface.
AnswerC

Since SSH is a TCP connection, the app server sends SYN, and the legacy server replies with SYN-ACK. If the app server's ufw does not allow related/established connections or has a rule that blocks new incoming connections, the SYN-ACK will be dropped, causing a timeout. This is a common misconfiguration.

Why this answer

The app server can ping the legacy server successfully, which confirms that ICMP traffic (Layer 3) passes through the router and that the legacy server's firewall allows ICMP. However, SSH (TCP port 22) fails because the app server's own firewall (ufw) is blocking the incoming SSH response packets (SYN-ACK) from the legacy server. Since the SSH client initiates the connection from the app server, the response packets must be allowed by the app server's firewall; if ufw on the app server blocks established or related incoming traffic, the TCP handshake cannot complete, resulting in a timeout.

Exam trap

The trap here is that candidates assume the problem must be on the target server (firewall or SSH service) because the symptom is a timeout, but the ping success proves Layer 3 connectivity, shifting the issue to the client-side firewall blocking the TCP handshake response.

How to eliminate wrong answers

Option A is wrong because the app server can ping the legacy server successfully, which proves that the router is forwarding packets between subnets and that no ACL is blocking ICMP; if the router were dropping TCP packets due to ACLs, the ping would also likely fail or at least the router's behavior would be inconsistent. Option B is wrong because the legacy server's firewall explicitly allows SSH from the entire 192.168.0.0/16 range, which includes the app server's IP (192.168.100.50), and the SSH daemon is confirmed running and listening on 0.0.0.0:22, so the firewall is not the issue. Option D is wrong because the SSH daemon is listening on 0.0.0.0:22, which means it accepts connections on all interfaces, including the one with IP 192.168.200.50; there is no interface-specific misconfiguration.

29
MCQeasy

A service is using a port that conflicts with another application. Which command can be used to identify which process is listening on a specific TCP port?

A.ss -tulpn | grep :port
B.All of the above
C.lsof -i :port
D.netstat -tulpn | grep :port
AnswerB

All listed commands can show listening processes.

Why this answer

Option B is correct because all three commands—ss, lsof, and netstat—can be used to identify which process is listening on a specific TCP port. The ss command is the modern replacement for netstat and uses kernel netlink to display socket information, while lsof lists open files including network sockets, and netstat reads /proc/net files. Each command with the appropriate flags (ss -tulpn, lsof -i :port, netstat -tulpn) will show the PID and process name associated with a listening port, making 'All of the above' the accurate answer.

Exam trap

The trap here is that candidates often assume only one command (like netstat or ss) is correct, but the LFCS exam expects you to recognize that multiple tools can achieve the same result, and 'All of the above' is the comprehensive answer when all options are technically valid.

How to eliminate wrong answers

Option A is wrong because it is presented as a single correct answer, but it is not the only command that can identify the process; ss is valid, but the question asks for 'which command' and the correct answer is that all listed options work. Option C is wrong because lsof -i :port is a valid command for this task, so claiming it is incorrect would be a mistake; the trap is that candidates might think lsof is not suitable, but it is. Option D is wrong because netstat -tulpn | grep :port is also a valid command, though deprecated in some distributions; excluding it would be incorrect as it still functions on most systems.

30
MCQmedium

An admin needs to change the primary group of user 'alice' from 'grp1' to 'grp2', but alice should still be a member of 'grp1' as a supplementary group. Which command accomplishes this?

A.usermod -s /bin/bash alice
B.usermod -g grp2 -aG grp1 alice
C.usermod -g grp2 alice
D.usermod -G grp2 alice
AnswerB

Correctly sets primary group to grp2 and adds grp1 as a supplementary group without affecting other groups.

Why this answer

Option C is correct. usermod -g changes the primary group to grp2, and -aG grp1 adds grp1 as a supplementary group without removing other groups.

31
MCQeasy

A system administrator is setting up a high-availability cluster using shared storage. Which filesystem is best suited for this environment where multiple nodes need simultaneous read-write access to the same filesystem?

A.Btrfs
B.GFS2
C.XFS
D.ext4
AnswerB

GFS2 is a shared-disk filesystem for Linux clusters.

Why this answer

GFS2 (Global File System 2) is a shared-disk cluster filesystem designed for high-availability environments where multiple nodes require simultaneous read-write access to the same filesystem. It uses a distributed lock manager (DLM) to coordinate access across nodes, ensuring data consistency without requiring a single metadata server. This makes it ideal for active-active cluster configurations with shared block storage.

Exam trap

The trap here is that candidates often confuse a filesystem's ability to be mounted on multiple nodes (e.g., via NFS) with true cluster-aware filesystem support, or they assume that any journaling filesystem like XFS or ext4 can be used on shared storage without a distributed lock manager.

How to eliminate wrong answers

Option A (Btrfs) is wrong because it is a copy-on-write filesystem designed for single-node use with features like snapshots and checksums, but it lacks a distributed lock manager and cannot coordinate concurrent read-write access from multiple nodes. Option C (XFS) is wrong because it is a high-performance 64-bit journaling filesystem for single-node environments; while it supports large files and parallel I/O, it does not have cluster-aware locking mechanisms. Option D (ext4) is wrong because it is a general-purpose journaling filesystem for single hosts and provides no support for shared storage or multi-node concurrent access, making it unsuitable for cluster filesystems.

32
MCQeasy

A system administrator needs to permanently configure a network interface named ens33 with a static IPv4 address of 192.168.1.100/24 and a default gateway of 192.168.1.1 on a system using NetworkManager. Which command should the administrator use to achieve this?

A.nmcli connection modify 'ens33' ipv4.addresses 192.168.1.100/24 ipv4.gateway 192.168.1.1 ipv4.method manual
B.ip addr add 192.168.1.100/24 dev ens33
C.ifconfig ens33 192.168.1.100 netmask 255.255.255.0 up
D.route add default gw 192.168.1.1 ens33
AnswerA

This permanently configures the static IP and gateway using NetworkManager.

Why this answer

Option A is correct because it uses the `nmcli` command to modify the NetworkManager connection profile for interface ens33, setting a static IPv4 address with CIDR notation and a default gateway, and explicitly setting the method to 'manual' to ensure the configuration persists across reboots. NetworkManager is the default network service on modern Linux distributions, and `nmcli` is the proper tool for permanent configuration changes.

Exam trap

The trap here is that candidates often choose temporary commands like `ip addr add` or `ifconfig` because they work immediately, but the LFCS exam specifically tests the ability to make permanent changes using the system's network management service (NetworkManager) rather than transient runtime commands.

How to eliminate wrong answers

Option B is wrong because `ip addr add` only adds an IP address temporarily to the interface; it does not persist after a reboot and does not configure a default gateway or set the addressing method to manual. Option C is wrong because `ifconfig` is deprecated and does not provide persistent configuration; any changes made with it are lost on reboot, and it does not interact with NetworkManager. Option D is wrong because `route add default gw` only adds a temporary default route; it does not set a static IP address, does not persist across reboots, and does not use NetworkManager's configuration system.

33
Multi-Selecteasy

Which TWO commands can display the current environment variables?

Select 2 answers
A.set
B.echo $HOME
C.env
D.export
E.printenv
AnswersC, E

env displays all environment variables.

Why this answer

The `env` command (option C) is correct because it displays all current environment variables along with their values. It is a standard Unix/Linux command specifically designed for this purpose, and it is commonly used in scripting and troubleshooting to inspect the environment.

Exam trap

The trap here is that candidates often confuse `set` (which shows all shell variables) with `env` (which shows only environment variables), or they think `echo $HOME` is a way to list all variables, when it only shows one specific variable.

34
MCQeasy

A system administrator needs to ensure the Apache httpd service starts automatically on system boot. Which command should they use?

A.systemctl enable httpd
B.systemctl start httpd
C.systemctl disable httpd
D.systemctl reload httpd
AnswerA

systemctl enable creates symlinks for automatic start at boot.

Why this answer

The `systemctl enable httpd` command creates the necessary symlinks in the systemd unit configuration directories (typically `/etc/systemd/system/multi-user.target.wants/`) to ensure the Apache httpd service starts automatically at boot time. This is the correct approach because `enable` configures the service to be started on system startup, whereas `start` only runs it immediately without affecting boot behavior.

Exam trap

The trap here is confusing `systemctl start` (immediate runtime action) with `systemctl enable` (persistent boot-time configuration), leading candidates to choose the command that works now but fails after a reboot.

How to eliminate wrong answers

Option B is wrong because `systemctl start httpd` starts the service immediately in the current session but does not configure it to start on boot; it only affects the runtime state. Option C is wrong because `systemctl disable httpd` removes the boot-time symlinks, preventing the service from starting automatically at boot, which is the opposite of what is required. Option D is wrong because `systemctl reload httpd` sends a SIGHUP signal to the httpd process to reload its configuration without restarting, which has no effect on boot-time behavior.

35
MCQmedium

After adding a new SCSI disk to a server running Linux, the system fails to boot with the error: 'Kernel panic - not syncing: VFS: Unable to mount root fs'. The root filesystem is on LVM. What is the most likely cause?

A.The /etc/fstab entry for the new disk is missing.
B.The GRUB configuration is incorrect.
C.The new disk's partition table is corrupt.
D.The initramfs was not regenerated after the disk addition, missing LVM tools.
AnswerD

Correct: initramfs needs to include LVM support; adding disk may change device order and require initramfs rebuild.

Why this answer

Option A is correct because adding a disk may change device ordering; the initramfs must include LVM tools to mount root. If the initramfs is not rebuilt, it may lack the necessary modules. Option B is about the new disk, but root is on LVM and still missing.

Option C fstab for new disk is irrelevant. Option D GRUB config is not typically affected by disk addition.

36
Multi-Selectmedium

Which TWO of the following are valid ways to mount a filesystem with the 'noexec' option to prevent execution of binaries?

Select 2 answers
A.mount -o noexec /dev/sdb1 /mnt/data
B.Add 'exec' to the fourth field of /etc/fstab for the entry.
C.Add 'defaults' to the fourth field of /etc/fstab for the entry.
D.mount --bind /mnt/data1 /mnt/data2
E.Add 'noexec' to the fourth field of /etc/fstab for the entry.
AnswersA, E

Correct: mount with noexec option.

Why this answer

Options A and D are correct. Option A uses mount -o at command line. Option D uses fstab with 'noexec' option.

Option B uses mount --bind which doesn't set noexec by itself. Option C uses 'defaults' which does not include noexec. Option E uses 'exec' which is opposite.

37
MCQeasy

A system administrator is troubleshooting a DHCP issue on a Linux client. After running 'dhclient -r eth0' and then 'dhclient eth0', the interface does not get an IP address. What command can be used to ensure the DHCP client process is fully released and restarted?

A.dhclient -s 10.0.0.1 eth0
B.dhclient -r eth0 && dhclient -v eth0
C.killall dhclient && dhclient eth0
D.dhclient -x eth0 && dhclient eth0
AnswerD

'-x' gracefully stops DHCP client, releasing the lease.

Why this answer

Option D is correct because `dhclient -x eth0` explicitly releases the current lease and terminates the DHCP client process for that interface, ensuring a clean state before restarting with `dhclient eth0`. This avoids issues where a stale process or lease file prevents a fresh DHCP handshake, which can occur with `-r` alone if the client daemon remains running.

Exam trap

The trap here is that candidates assume `-r` (release) followed by a new dhclient invocation is sufficient, but they overlook that the dhclient daemon may still be running and holding onto the old lease, whereas `-x` explicitly terminates the process and clears the lease state.

How to eliminate wrong answers

Option A is wrong because `dhclient -s 10.0.0.1 eth0` forces the client to send requests only to a specific DHCP server IP, which does not release or restart the client process; it merely overrides server discovery. Option B is wrong because `dhclient -r eth0` only releases the current lease but does not terminate the dhclient process, so the subsequent `dhclient eth0` may fail if the daemon is still holding state or a stale lease file. Option C is wrong because `killall dhclient` kills all dhclient processes indiscriminately, which can disrupt other interfaces or leave the system in an inconsistent state; it is not the proper way to release a lease and restart a specific interface.

38
MCQhard

Based on the journalctl output, what is the most likely cause of the service failure?

A.Another process is already using port 8080.
B.The service configuration file has a syntax error.
C.The system is out of memory.
D.The service is trying to write to a read-only filesystem.
AnswerA

The repeated 'Address already in use' errors clearly indicate a port conflict.

Why this answer

The journalctl output shows a bind error on port 8080 with 'Address already in use'. This indicates that another process is already listening on that port, preventing the service from starting. In systemd, such a failure is logged with the specific errno EADDRINUSE, which directly points to a port conflict.

Exam trap

The trap here is that candidates may confuse a bind error with a configuration syntax error, but the specific 'Address already in use' message uniquely identifies a port conflict, not a parsing issue.

How to eliminate wrong answers

Option B is wrong because a syntax error in the service configuration file would typically produce a parse error or 'Failed to parse' message in journalctl, not a bind error. Option C is wrong because an out-of-memory condition would manifest as an OOM killer event or memory allocation failure, not a specific port bind error. Option D is wrong because a read-only filesystem would produce a 'Read-only file system' error (EROFS) when attempting to write, not an 'Address already in use' error.

39
MCQhard

A developer needs to extract the third column from a CSV file where columns are separated by commas, but some fields contain commas within double quotes. Which command correctly handles this?

A.cut -d',' -f3 file.csv
B.awk -F',' '{ print $3 }' file.csv
C.awk 'BEGIN { FPAT = "[^,]*|\\"[^\\"]+\\"" } { print $3 }' file.csv
D.sed 's/[^,]*,[^,]*,\\([^,]*\\).*/\1/' file.csv
AnswerC

FPAT regex matches non-comma sequences or quoted strings.

Why this answer

Option C is correct because it uses `awk` with the `FPAT` variable to define a field pattern that correctly handles commas inside double-quoted fields. The pattern `[^,]*|\"[^\"]+\"` matches either a sequence of non-comma characters or a double-quoted string (including any commas within it), ensuring that the third column is extracted accurately even when fields contain embedded commas.

Exam trap

The trap here is that candidates often default to using `cut` or simple `awk` with a delimiter, not realizing that CSV files with quoted fields require a pattern-based field definition like `FPAT` to correctly parse embedded commas.

How to eliminate wrong answers

Option A is wrong because `cut -d',' -f3` splits fields solely on commas without any awareness of quoting, so it will incorrectly treat commas inside double-quoted fields as delimiters, breaking the column structure. Option B is wrong because `awk -F','` also uses a simple comma delimiter and does not handle quoted fields, leading to the same issue as `cut`. Option D is wrong because the `sed` command uses a regex that assumes fields are separated by commas and does not account for quoted fields containing commas; it will fail to correctly isolate the third column when such fields are present.

40
MCQhard

Refer to the exhibit. The output of 'ps aux' shows a process named 'process_hog' with PID 1234 consuming 99.5% CPU. The process is stuck in an infinite loop and does not respond to SIGTERM. Which signal should be used to forcefully terminate it?

A.kill -2 1234
B.kill -9 1234
C.kill -15 1234
D.kill -19 1234
AnswerB

SIGKILL is the ultimate signal that forcefully terminates the process.

Why this answer

Option B is correct because SIGKILL (9) cannot be caught or ignored and will terminate the process immediately. Option A is wrong because SIGTERM (15) was already attempted and ignored. Option C is wrong because SIGSTOP (19) suspends, does not terminate.

Option D is wrong because SIGINT (2) is typically not effective for background processes and may also be ignored.

41
MCQmedium

During boot, the system drops into a shell with message 'ERROR: No suitable file system found'. Filesystem corruption is suspected. Which sequence of actions should the admin take to attempt recovery?

A.Run xfs_repair -n /dev/sda.
B.Determine the root device, then run 'fsck -y /dev/sda1'.
C.Run e2fsck /dev/sda1 from the emergency shell.
D.Mount the root filesystem manually, then run fsck.
AnswerB

Fsck is filesystem-agnostic and with -y repairs automatically.

Why this answer

When the system drops into an emergency shell with 'ERROR: No suitable file system found', the admin must first identify the root device (e.g., using `blkid` or `lsblk`) and then run `fsck -y /dev/sda1` to attempt automatic repair of the corrupted filesystem. The `-y` flag answers 'yes' to all prompts, which is appropriate in a recovery scenario where the goal is to get the system bootable. This approach is filesystem-agnostic and works for common Linux filesystems like ext4, XFS, or btrfs, though specific tools (e.g., `xfs_repair` for XFS) may be needed if `fsck` is not suitable.

Exam trap

The trap here is that candidates assume the filesystem is ext4 and jump to `e2fsck` (option C), or they try to mount first (option D), not realizing that `fsck` is the generic, safe first step and that the emergency shell requires identifying the root device before any repair command.

How to eliminate wrong answers

Option A is wrong because `xfs_repair -n` only performs a dry-run (no actual repair) and is specific to XFS filesystems; the error message does not specify the filesystem type, so a generic `fsck` is safer. Option C is wrong because `e2fsck` is specific to ext2/ext3/ext4 filesystems and may fail or cause damage if the root device is not ext-family; also, the emergency shell may not have the `e2fsck` command available. Option D is wrong because attempting to mount a corrupted filesystem before running `fsck` can cause further damage or hang the system; `fsck` must be run on the unmounted device.

42
MCQhard

You are managing a Linux server that hosts a critical web application. The server is running low on disk space in the root filesystem, and you need to free up space urgently. You run 'df -h' and see that /dev/sda1 is mounted on / and is 95% full. You also notice that /var/log/messages is over 2 GB in size. The application writes logs to /var/log/app.log, which is also large. The server has a separate /var partition that has plenty of free space. The application must continue running with minimal downtime. You need to compress and rotate logs without losing any data, and ensure that the root filesystem has at least 10% free space. Which of the following actions should you take first to achieve this goal?

A.Delete /var/log/app.log and /var/log/messages to free space quickly.
B.Stop the application, truncate /var/log/app.log, then restart the application.
C.Use logrotate with the 'copytruncate' option to rotate /var/log/app.log and move the rotated file to /var/old_logs/.
D.Compress /var/log/app.log using gzip and keep it in place.
AnswerC

This rotates the log without interrupting the application and moves it to a partition with space, freeing root.

Why this answer

Option C is correct because logrotate with the 'copytruncate' option allows the application to continue writing to the same file descriptor while the current log is copied and then truncated to zero length. This avoids any application downtime and the rotated log can be moved to the separate /var partition (which has free space) for compression or archiving, freeing space on the root filesystem without data loss.

Exam trap

The trap here is that candidates often choose to delete or truncate logs directly, not realizing that running processes hold file descriptors and that truncation does not immediately free disk space until the file descriptor is closed, or they overlook the 'copytruncate' option which allows zero-downtime rotation.

How to eliminate wrong answers

Option A is wrong because deleting log files while the application is running can cause the application to lose its file handle, potentially crash or stop logging, and data is permanently lost. Option B is wrong because stopping the application causes downtime, which violates the 'minimal downtime' requirement, and truncating the file in place does not free disk space until the file descriptor is released (the space is still held by the running process). Option D is wrong because compressing the log file in place does not free space on the root filesystem (the compressed file still occupies space on /), and the application may still be writing to the file, causing data loss or corruption.

43
MCQhard

Based on the exhibit, what is the most likely cause of the blocked task?

A.CPU starvation
B.Memory leak
C.Disk I/O bottleneck or hung storage
D.Network congestion
AnswerC

The task is blocked on I/O, typical of a slow or failing disk.

Why this answer

The exhibit shows a process in 'D' state (uninterruptible sleep), which typically indicates the process is waiting for I/O completion from a block device. When a task is blocked in this state for an extended period, it is most likely due to a disk I/O bottleneck or hung storage, as the kernel cannot interrupt this wait. CPU starvation (run queue) and memory leaks (OOM or swapping) produce different process states, making disk I/O the primary suspect.

Exam trap

The trap here is that candidates confuse a process in 'D' state (uninterruptible sleep, I/O wait) with a process that is simply sleeping or waiting on CPU, leading them to incorrectly choose CPU starvation or memory issues instead of recognizing the classic symptom of a disk I/O bottleneck.

How to eliminate wrong answers

Option A is wrong because CPU starvation manifests as processes in 'R' state (runnable) or high load averages with low CPU idle, not as a task stuck in uninterruptible sleep ('D' state). Option B is wrong because a memory leak typically leads to high memory usage, swapping, or OOM killer activity, which would show processes in 'S' (interruptible sleep) or 'R' state, not a blocked 'D' state. Option D is wrong because network congestion causes socket waits and timeouts, reflected in 'S' state or network-related kernel threads, not a task blocked on block I/O in 'D' state.

44
MCQmedium

An administrator wants to terminate a process with PID 1234 and all its child processes. Which command should be used?

A.pkill -P 1234
B.kill -9 -1234
C.kill -15 1234
D.kill -9 1234
AnswerB

Sends SIGKILL to the entire process group.

Why this answer

Option B is correct because the `kill` command with a negative PID (e.g., `kill -9 -1234`) sends the signal to the process group identified by the absolute value of the PID. Since process group IDs typically equal the PID of the group leader, using `-1234` targets the entire process group, terminating PID 1234 and all its child processes. The `-9` (SIGKILL) ensures immediate termination without cleanup.

Exam trap

The trap here is that candidates often assume `kill -9 1234` terminates the entire process tree, but it only kills the specified process, leaving child processes orphaned; the negative PID syntax is the correct way to target a process group.

How to eliminate wrong answers

Option A is wrong because `pkill -P 1234` kills processes whose parent PID is 1234, not the process itself or its entire process tree; it only targets direct children, not grandchildren or the parent. Option C is wrong because `kill -15 1234` sends SIGTERM to PID 1234 only, allowing it to terminate gracefully but does not affect child processes. Option D is wrong because `kill -9 1234` sends SIGKILL to PID 1234 alone, leaving child processes orphaned (they may be reparented to init) rather than terminating them.

45
MCQhard

A systemd-networkd managed interface enp1s0 needs to be configured with a static IP address 192.168.1.100/24 and a default gateway via 192.168.1.1. Which .network file configuration is correct?

A.[Match] Interface=enp1s0 [Network] StaticIP=192.168.1.100/24 Gateway=192.168.1.1
B.[Link] Name=enp1s0 [Network] IPAddress=192.168.1.100/24 Gateway=192.168.1.1
C.[Match] Name=enp1s0 [Network] Address=192.168.1.100/24 Gateway=192.168.1.1
D.[Match] Name=enp1s0 [Network] Address=192.168.1.100/24 DefaultGateway=192.168.1.1
AnswerC

Correct syntax for static IP and gateway.

Why this answer

Option C is correct because systemd-networkd uses the `[Match]` section with `Name=` to match the interface, and the `[Network]` section with `Address=` to assign a static IP address and `Gateway=` to set the default gateway. The syntax `Address=192.168.1.100/24` is the proper directive for defining a static IP address in a .network file, and `Gateway=192.168.1.1` correctly specifies the default gateway.

Exam trap

The trap here is that candidates confuse the `[Match]` section key `Name=` with `Interface=` (which is used in other tools like ifcfg files) and mistakenly use `DefaultGateway=` (a valid directive in some network configuration systems like Netplan) instead of the correct `Gateway=` in systemd-networkd.

How to eliminate wrong answers

Option A is wrong because it uses `Interface=` in the `[Match]` section (the correct key is `Name=`) and `StaticIP=` in the `[Network]` section (the correct key is `Address=`). Option B is wrong because it uses `[Link]` instead of `[Match]` to identify the interface, and `IPAddress=` is not a valid directive in the `[Network]` section (the correct directive is `Address=`). Option D is wrong because it uses `DefaultGateway=` instead of the correct `Gateway=` directive for setting the default gateway in systemd-networkd.

46
Multi-Selectmedium

Which TWO commands can be used to display the groups to which the current user belongs? (Select exactly two.)

Select 2 answers
A.cat /etc/group
B.groupmems -l
C.id
D.getent group
E.groups
AnswersC, E

Displays user identity including group memberships.

Why this answer

The `id` command (option C) displays the current user's UID, GID, and all supplementary group memberships. When run without arguments, it shows the effective user and group IDs along with all groups the user belongs to, making it a direct and reliable way to list group membership.

Exam trap

The trap here is that candidates often confuse commands that list all system groups (like `cat /etc/group` or `getent group`) with commands that specifically show only the groups of the current user, leading them to select options A or D as correct.

47
MCQeasy

Refer to the exhibit. User 'alice' cannot log in. What is the most likely problem?

A.The shadow file is missing alice's entry
B.The user's UID or GID is not unique
C.The home directory ownership is incorrect
D.The login shell /bin/bash does not exist
AnswerC

Home directory should be owned by alice:alice, not root:root.

Why this answer

Option B is correct because the home directory is owned by root, not alice. Many systems use PAM modules like pam_umask that require the home directory to be owned by the user. Option A: shadow entry seems valid (x indicates password in shadow).

Option C: shell is /bin/bash which is valid. Option D: UID exists and matches; GID is 1001, group may exist but missing group entry affects group permissions, not login directly.

48
MCQeasy

A junior admin runs 'systemctl restart httpd' but the httpd service fails to start. Which command should the admin use first to diagnose the problem?

A.journalctl -u httpd
B.systemctl show httpd
C.systemctl list-units --type=service
D.systemctl status httpd
AnswerD

Provides service status, recent logs, and error info directly.

Why this answer

Option D is correct because `systemctl status httpd` provides a concise summary of the service's current state, including whether it is active, the last log entries, and the exit code or failure reason. This is the first diagnostic step recommended by systemd documentation to quickly identify common issues like configuration errors, missing dependencies, or permission problems.

Exam trap

The trap here is that candidates often jump to `journalctl -u httpd` thinking they need the full log, but the LFCS exam expects `systemctl status` as the first diagnostic command because it provides a quick, human-readable summary of the failure reason.

How to eliminate wrong answers

Option A is wrong because `journalctl -u httpd` shows the full journal log for the httpd unit, which is useful for deeper investigation but is not the first command to run; it can be overwhelming and may require filtering. Option B is wrong because `systemctl show httpd` displays all unit properties (e.g., environment, resource limits) but does not directly indicate why the service failed to start. Option C is wrong because `systemctl list-units --type=service` lists all loaded service units and their states, but it does not provide specific failure details for httpd.

49
MCQmedium

A system administrator is setting up a new backup server. The server has two 4TB disks /dev/sda and /dev/sdb. The administrator decides to create a RAID1 array and then an LVM volume group on top of the RAID device. After creating the RAID1 array /dev/md0, they create a physical volume, volume group named vg_backup, and a logical volume lv_data of size 2TB. Then they format with ext4 and mount at /backup. During testing, they realize that the backup data volume will likely exceed 2TB eventually. They want to expand the filesystem to use all available space in the RAID array. What is the correct procedure?

A.lvextend -l +100%FREE /dev/vg_backup/lv_data, resize2fs /dev/vg_backup/lv_data.
B.Unmount /backup, lvextend -l +100%FREE /dev/vg_backup/lv_data, resize2fs /dev/vg_backup/lv_data, mount /backup.
C.Create a new logical volume and mount it separately.
D.Add new disk to RAID array, then extend LVM.
AnswerA

Correct: Online extension without unmount.

Why this answer

Option B is correct because lvextend -l +100%FREE extends the logical volume to use all free space in the volume group, and resize2fs can grow the ext4 filesystem online (without unmounting). Option A unmounts unnecessarily. Option C adds a new disk which is not needed.

Option D creates a separate volume but does not consolidate space.

50
MCQmedium

Refer to the exhibit. Which device is the root filesystem mounted from?

A./dev/sda2
B./dev/sdb
C./dev/sdb1
D./dev/sda1
AnswerA

Mounted on /.

Why this answer

Option B is correct because the MOUNTPOINT column shows '/' for /dev/sda2. Option A is /boot. Option C is /home.

Option D is the whole disk sdb, not a partition.

51
MCQhard

You are a systems administrator for a company that runs a critical application on a Linux server with two network interfaces: eth0 (public IP 203.0.113.10/24, gateway 203.0.113.1) and eth1 (private IP 10.0.1.10/24, no gateway). The server must be accessible via SSH (port 22) from the internet, but only from a specific management subnet 198.51.100.0/24. Additionally, the server should be able to access the internet for package updates, but no other inbound traffic from the internet is allowed. The local firewall is iptables. After implementing rules, you find that the server cannot reach the internet (e.g., ping 8.8.8.8 fails), but SSH from the management subnet works. What is the most likely cause?

A.The server's DNS resolver is not configured
B.The SSH rule is misconfigured and accidentally blocks all traffic
C.The iptables rules do not include a rule to allow established and related connections
D.The default policy on the INPUT chain is DROP
AnswerC

Without a state tracking rule, return traffic for outbound connections is blocked, breaking internet access.

Why this answer

Option C is correct because iptables is stateful: by default, the INPUT chain processes only the first packet of a connection. Without a rule allowing established and related connections (e.g., `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`), return traffic from the server's outbound internet requests (e.g., ping to 8.8.8.8) is blocked by the INPUT chain, causing the failure. SSH from the management subnet works because the initial SYN packet is allowed, but the server's outbound traffic fails because the response packets are not recognized as part of an allowed flow.

Exam trap

The trap here is that candidates assume a default DROP policy on INPUT is the root cause, but they overlook that stateful filtering requires an explicit rule for return traffic, which is a classic LFCS and iptables nuance.

How to eliminate wrong answers

Option A is wrong because DNS resolution is irrelevant to a direct ping to 8.8.8.8 (an IP address), and the question states the server cannot reach the internet at all, not just resolve names. Option B is wrong because if the SSH rule were misconfigured and accidentally blocked all traffic, SSH from the management subnet would also fail, but the question confirms SSH works. Option D is wrong because a default DROP policy on the INPUT chain would still allow SSH from the management subnet if an explicit ACCEPT rule exists for that traffic; the issue is specifically that outbound-initiated traffic's return packets are not matched by any rule, not the default policy itself.

52
MCQhard

You are a Linux administrator at a mid-sized company. The company runs a critical PostgreSQL database on a server running CentOS 7. The database stores its data on a 500GB logical volume (lv_pgdata) in volume group vg_pg. The filesystem is XFS. Recently, the database team reports that write performance is degrading, and the disk is nearly full (95% usage). You have added a new 200GB SSD to the server, and you need to increase the storage capacity and improve write performance for the database. The database can tolerate a brief downtime (less than 5 minutes) for maintenance. You want to use LVM to add the new SSD as a physical volume, extend the volume group, and then extend the logical volume and filesystem. Additionally, you want to improve write performance by placing the frequently written database transaction log on a separate faster storage. However, the database configuration expects the transaction log to be in a subdirectory of the data directory. You have the following options: A. Create a new logical volume for the transaction log, format it as XFS, mount it on the data directory's subdirectory, and move the log files. B. Add the SSD as a PV, extend vg_pg, extend lv_pgdata, and then use LVM's pvmove to move all extents to the SSD. C. Add the SSD as a PV, create a new VG, create a new LV for the transaction log, format as ext4, mount, and reconfigure the database. D. Use LVM's striping (RAID 0) across the existing HDD and new SSD to improve performance, then extend the filesystem. Which option best meets the requirements of increasing capacity and improving write performance with minimal downtime?

A.Add the SSD as a PV, extend vg_pg, extend lv_pgdata and resize the filesystem for capacity. Then create a new LV on the SSD, format as XFS, mount it on the transaction log subdirectory, move the log files, and update the database configuration to point to the new location.
B.Add the SSD as a PV, extend vg_pg, extend lv_pgdata and resize the filesystem for capacity. Then use pvmove to move all data to the SSD, leaving the HDD unused.
C.Use LVM's striping (RAID 0) across the existing HDD and new SSD to improve performance, then extend the filesystem.
D.Add the SSD as a PV, create a new VG and LV for the transaction log, format as ext4, mount, and reconfigure the database to use the new location.
AnswerA

This increases capacity and isolates log writes to SSD, improving performance with minimal downtime.

Why this answer

Option A is correct because it directly addresses both requirements: increasing capacity by extending the existing logical volume and filesystem using the new SSD as a PV, and improving write performance by isolating the database transaction log onto the faster SSD via a separate LV mounted on the expected subdirectory. This approach minimizes downtime (under 5 minutes) by performing the resize and mount operations quickly, and it respects the database's configuration expectation that the transaction log resides in a subdirectory of the data directory.

Exam trap

The trap here is that candidates may confuse 'improving performance' with 'moving all data to the SSD' (Option B) or 'striping across devices' (Option C), failing to recognize that isolating the write-intensive transaction log onto the faster SSD is a more targeted and effective performance optimization that also preserves the existing capacity increase.

How to eliminate wrong answers

Option B is wrong because pvmove moves all extents to the SSD, leaving the HDD unused, which fails to increase total storage capacity (the HDD is not utilized) and does not isolate the transaction log for performance gains. Option C is wrong because striping (RAID 0) across HDD and SSD would tie performance to the slower HDD, negating the SSD's speed advantage, and it does not address isolating the transaction log; additionally, extending an existing striped LV with a new device requires complex reconfiguration and risks data loss. Option D is wrong because creating a new VG and formatting the transaction log LV as ext4 introduces unnecessary complexity and potential compatibility issues (the existing filesystem is XFS), and it does not increase the capacity of the data logical volume, only adding a separate volume for logs.

53
MCQhard

A user 'alice' cannot log in via SSH. The administrator checks /etc/passwd and sees: alice:x:1002:1002::/home/alice:/sbin/nologin. Which command should be used to allow alice to log in with a bash shell?

A.usermod -d /home/alice alice
B.usermod -u 1002 alice
C.usermod -s /bin/bash alice
D.useradd -m -s /bin/bash alice
AnswerC

usermod -s changes the login shell to /bin/bash, allowing interactive login.

Why this answer

Option C is correct because the /sbin/nologin shell in the /etc/passwd entry prevents alice from logging in via SSH. The usermod -s /bin/bash alice command changes alice's login shell to /bin/bash, allowing interactive SSH sessions. This directly addresses the shell restriction without altering other account properties.

Exam trap

The trap here is that candidates may confuse the shell field with other fields like home directory or UID, or attempt to recreate the user with useradd instead of modifying the existing account with usermod.

How to eliminate wrong answers

Option A is wrong because usermod -d /home/alice alice changes the home directory, but alice's home directory is already /home/alice, and this does not affect the login shell restriction. Option B is wrong because usermod -u 1002 alice changes the UID to 1002, which is already alice's UID, and has no impact on the shell or login ability. Option D is wrong because useradd -m -s /bin/bash alice attempts to create a new user 'alice', which will fail if the user already exists, and it does not modify the existing user's shell.

54
MCQmedium

A system administrator notices that a web server process (PID 1234) is consuming excessive CPU. They want to trace its system calls to identify the cause. Which command should be used?

A.ltrace -p 1234
B.perf record -p 1234
C.gdb -p 1234
D.strace -p 1234
AnswerD

Attaches and traces system calls, ideal for this scenario.

Why this answer

The correct command is `strace -p 1234`, which attaches to the running process (PID 1234) and intercepts all system calls (e.g., read, write, open) made by that process. This allows the administrator to see exactly what the web server is doing at the kernel level, such as excessive file I/O or network operations, which can pinpoint the cause of high CPU usage. Other tools like ltrace, perf, or gdb serve different purposes (library calls, profiling, debugging) and do not directly trace system calls.

Exam trap

The trap here is that candidates confuse `strace` (system calls) with `ltrace` (library calls), as both trace function calls but at different layers of the software stack, leading them to pick the wrong tool for kernel-level analysis.

How to eliminate wrong answers

Option A is wrong because `ltrace -p 1234` traces library calls (e.g., functions from libc), not system calls; it would show calls like `malloc` or `printf` but miss kernel-level operations like `read` or `write`. Option B is wrong because `perf record -p 1234` is a performance profiling tool that samples hardware events (e.g., CPU cycles, cache misses) and does not trace individual system calls; it provides statistical analysis, not a per-call log. Option C is wrong because `gdb -p 1234` is a debugger that allows interactive inspection of the process's memory and execution, but it is not designed for tracing system calls and would require manual breakpoints and significant overhead.

55
Drag & Dropmedium

Order the steps to recover a forgotten root password on a Linux system using single-user mode.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Single-user mode gives root shell; remounting rw allows password change.

56
MCQhard

A cron job runs a script every hour but sometimes fails because the script cannot find commands like 'tar' and 'gzip'. The script works when run manually from a terminal. What is the best fix?

A.Run the cron job as root.
B.Modify the script to source the user's .bashrc.
C.Use absolute paths for all commands in the script.
D.Add a PATH statement to the cron job definition.
AnswerC

Absolute paths ensure the script finds the commands regardless of the environment's PATH.

Why this answer

Option C is correct because cron jobs run in a minimal environment with a restricted PATH (often just /usr/bin:/bin). When the script uses commands like 'tar' and 'gzip' without absolute paths, the shell cannot locate them. Using absolute paths (e.g., /bin/tar, /bin/gzip) ensures the script always finds the commands regardless of the environment.

Exam trap

The trap here is that candidates think adding a PATH to the cron job definition (Option D) is the best fix, but the LFCS exam emphasizes absolute paths as the more robust and portable solution for scripts run by cron.

How to eliminate wrong answers

Option A is wrong because running as root does not fix the PATH issue; root also has a minimal PATH in cron and this unnecessarily escalates privileges. Option B is wrong because sourcing .bashrc may not work reliably in cron (non-interactive shell) and .bashrc often contains interactive-only aliases or functions that can break the script. Option D is wrong because adding a PATH statement to the cron job definition (e.g., PATH=/usr/local/bin:/usr/bin:/bin) is a valid alternative but is not the 'best fix' — absolute paths are more explicit, avoid dependency on the cron environment, and are the recommended best practice for scripts run by cron.

57
MCQmedium

Refer to the exhibit. A server is configured with two network interfaces. A user on the 192.168.2.0/24 network reports that they cannot reach the server at IP 10.0.0.5. What is the most likely cause based on the routing table?

A.There is no route on the server to the 192.168.2.0/24 network.
B.The default gateway is misconfigured; it should be 192.168.1.1.
C.The server's IP address 10.0.0.5 is not in the same subnet as the default gateway.
D.The firewall on eth0 is blocking incoming traffic.
AnswerA

Without a return route, the server cannot send replies to the 192.168.2.0/24 network.

Why this answer

The routing table on the server does not contain a route for the 192.168.2.0/24 network. When the user on that network sends traffic to 10.0.0.5, the server can receive it, but any reply traffic from the server to the 192.168.2.0/24 source address will be dropped because the server has no matching route. Without a route to the source network, the server cannot send return packets, making communication fail.

Exam trap

Linux Foundation often tests the misconception that a missing route only affects outbound traffic, but the trap here is that the server can receive packets from the 192.168.2.0/24 network but cannot reply, causing a one-way communication failure that users perceive as 'cannot reach the server'.

How to eliminate wrong answers

Option B is wrong because the default gateway is correctly set to 192.168.1.1, which is on the same subnet as the server's eth0 IP (10.0.0.5/24); changing it to 192.168.1.1 would be redundant or incorrect as that address is already the gateway. Option C is wrong because the server's IP 10.0.0.5 and the default gateway 192.168.1.1 are both in the 10.0.0.0/24 subnet (assuming a /24 netmask), so they are in the same subnet; the issue is not subnet mismatch. Option D is wrong because the problem is a routing issue, not a firewall one; even if the firewall on eth0 were blocking traffic, the user's inability to reach the server would typically manifest as a timeout or connection refused, but the core cause here is the missing return route.

58
MCQmedium

Refer to the exhibit. How many days of logs are retained before deletion?

A.7
B.365
C.30
D.14
AnswerD

Correct: rotate 14 with daily cycle = 14 days.

Why this answer

The correct answer is D (14 days) because the exhibit shows a log rotation configuration using `logrotate` with a `rotate 14` directive, which retains 14 rotated log files before deletion. The `daily` or `weekly` frequency determines how often rotation occurs, but the `rotate` count directly specifies the number of archived logs kept, not the total time span.

Exam trap

The trap here is that candidates may misinterpret the `rotate` value as the number of days of retention, but it actually specifies the number of rotated archives to keep, and the actual time span depends on the rotation frequency (e.g., daily, weekly).

How to eliminate wrong answers

Option A is wrong because 7 days would correspond to a `rotate 7` directive, which is not present in the exhibit. Option B is wrong because 365 days is an arbitrary large number that does not match any standard logrotate retention setting; it might be confused with yearly rotation but is not indicated. Option C is wrong because 30 days is a common retention period for some logs, but the exhibit explicitly shows `rotate 14`, which means 14 rotated files are kept, not 30.

59
MCQeasy

A Linux administrator needs to view the UUID and filesystem type of all block devices. Which command provides this information?

A.blkid
B./proc/partitions
C.ls -l /dev
D.fdisk -l
AnswerA

Correct command.

Why this answer

The `blkid` command is the correct tool because it directly queries the kernel's block device attributes via the libblkid library, displaying the UUID, filesystem type (e.g., ext4, xfs), and other metadata (like LABEL or PARTUUID) for all block devices. It reads from the `/dev/disk/by-uuid/` symlinks and the kernel's device mapper, making it the standard utility for this specific task.

Exam trap

The trap here is that candidates confuse `fdisk -l` (which shows partition table info) with `blkid` (which shows filesystem metadata), assuming the partition type code (e.g., 0x83) is equivalent to the filesystem type.

How to eliminate wrong answers

Option B is wrong because `/proc/partitions` only lists partition major/minor numbers, block size, and partition name—it does not show UUIDs or filesystem types. Option C is wrong because `ls -l /dev` lists device node files (e.g., /dev/sda) with their major/minor numbers and permissions, but it never displays filesystem metadata like UUID or type. Option D is wrong because `fdisk -l` shows partition table layout (start/end sectors, partition IDs) but does not query the filesystem for UUID or type; it only reads the MBR or GPT partition table, not the filesystem superblock.

60
MCQhard

You are a systems administrator for a company that runs a high-traffic web application on a Linux server with 32 GB of RAM and 8 CPU cores. The application uses Apache with mod_php and MySQL. Recently, the server has been experiencing intermittent slowdowns, especially during peak hours. Monitoring tools show that the CPU usage spikes to 100% for several minutes and then returns to normal. The 'top' command shows that the 'mysqld' process is often the top CPU consumer during these spikes. You notice that the MySQL slow query log contains many entries with long execution times. The database is heavily used by the web application for read-heavy workloads. After analyzing the situation, you suspect that the issue is related to MySQL configuration. Which of the following actions is most likely to resolve the performance issue?

A.Increase the maximum number of connections (max_connections) to 500.
B.Enable the MySQL slow query log and analyze the queries.
C.Increase the MySQL query cache size (query_cache_size) to 256 MB.
D.Increase the InnoDB buffer pool size to 20 GB.
AnswerC

The query cache stores results of SELECT queries, so repeated queries can be served from cache, reducing CPU usage and avoiding execution of the same queries.

Why this answer

Option C is correct because increasing the query cache size can significantly improve performance for read-heavy workloads with repeated identical queries, as it caches the result set of SELECT queries. The symptoms—CPU spikes from mysqld, many slow queries, and a read-heavy workload—indicate that the query cache is likely too small or disabled, causing MySQL to repeatedly execute expensive queries instead of serving cached results. A larger query cache reduces disk I/O and CPU usage for repeated queries, directly addressing the intermittent slowdowns.

Exam trap

The trap here is that candidates often assume increasing the InnoDB buffer pool size (option D) is always the best fix for MySQL performance, but the question's specific context of read-heavy workloads with repeated queries and CPU spikes makes query cache tuning more directly impactful, while a too-large buffer pool can cause memory pressure.

How to eliminate wrong answers

Option A is wrong because increasing max_connections to 500 would allow more concurrent connections, but the server has only 32 GB RAM and 8 CPU cores; too many connections can lead to context switching overhead and memory exhaustion, worsening the CPU spikes. Option B is wrong because the slow query log is already enabled and contains many entries; analyzing it further would only confirm the problem without providing a direct fix. Option D is wrong because increasing the InnoDB buffer pool size to 20 GB (over half of 32 GB RAM) could starve the OS and Apache of memory, causing swapping and further slowdowns; while a larger buffer pool helps with data caching, the read-heavy workload with repeated queries benefits more from query caching.

61
Multi-Selecthard

Which THREE of the following are valid methods to mount an NFS filesystem on a client?

Select 3 answers
A.echo 'server:/export /mnt nfs defaults 0 0' >> /etc/fstab && mount -a
B.mount -o hard,intr server:/export /mnt
C.mount -t cifs server:/share /mnt
D.mount -t nfs server:/export /mnt
E.mount -t nfs4 server:/export /mnt
AnswersB, D, E

Correct: NFS mount with options.

Why this answer

Option B is correct because the `mount` command with `-o hard,intr` specifies NFS-specific mount options: `hard` ensures that NFS operations retry indefinitely until the server responds, and `intr` allows signals to interrupt a hung NFS operation. The command `mount -o hard,intr server:/export /mnt` uses the default NFS version (typically NFSv3) and is a valid method to mount an NFS filesystem on a client.

Exam trap

The trap here is that candidates may confuse NFS with CIFS/SMB (option C) or forget that `mount -t nfs4` is a valid alternative to `mount -t nfs` for NFSv4 exports, while option A is a valid configuration method but not a direct mount command as the question implies.

62
MCQeasy

A system administrator needs to create a user 'john' with a home directory in /data/users and an expiry date of 2025-12-31. Which command accomplishes this?

A.useradd -d /data/users -c 2025-12-31 john
B.adduser --home /data/users --expiredate 2025-12-31 john
C.useradd -d /data/users -e 2025-12-31 john
D.useradd -m -e 2025-12-31 john
AnswerC

Correctly sets home directory and expiry.

Why this answer

Option C is correct because the `useradd` command with `-d /data/users` sets the home directory to the specified path, and `-e 2025-12-31` sets the account expiry date in YYYY-MM-DD format. The `-e` flag directly corresponds to the `EXPIRE_DATE` field in `/etc/shadow`, which controls when the account becomes locked.

Exam trap

The trap here is that candidates confuse `-c` (comment) with `-e` (expiry) or assume `adduser` supports the same long options as `useradd`, leading them to pick A or B, while D is tempting because it includes `-m` but misses the required `-d` to specify the custom path.

How to eliminate wrong answers

Option A is wrong because `-c` is used for the GECOS comment field (e.g., full name), not for setting an expiry date; using `-c 2025-12-31` would incorrectly store that string as the user's comment. Option B is wrong because `adduser` is a Perl script that does not accept `--home` or `--expiredate` flags; it uses different syntax (e.g., `--home` is not a valid long option, and the correct flag for expiry in `adduser` is `--expiredate` but it is not supported in standard LFCS distributions). Option D is wrong because while `-e 2025-12-31` is correct for expiry, `-m` creates the home directory in the default location (e.g., `/home/john`) rather than `/data/users`, and no `-d` is provided to override the path.

63
MCQhard

You are a system administrator for a company with a strict security policy: user accounts must be disabled after 90 days of inactivity. The tool used is the chage command with the -I (inactive) option. User 'bob' has been on leave and cannot log in. You run 'chage -l bob' and see: Last password change: Jan 10, 2024; Password expires: Apr 09, 2024; Account expires: never; Minimum number of days between password change: 0; Maximum number of days between password change: 90; Number of days of warning before password expires: 7; Number of days of inactivity after password expires: 90. Bob tells you he tried to log in today (date is July 15, 2024) and received 'Your account has expired; contact your system administrator'. You need to restore Bob's account access immediately while still enforcing the inactivity lock for future periods. What should you do?

A.Run 'chage -M 99999 bob' to set password to never expire, then 'passwd bob' to set a new password, and finally 'chage -d 0 bob'.
B.Run 'chage -E -1 bob' to clear account expiration, then 'chage -I 90 bob' to set inactivity period, then instruct Bob to change his password immediately.
C.Run 'passwd bob' to reset his password, then 'chage -d 0 bob' to force password change on next login.
D.Delete Bob's user account with 'userdel -r bob' and recreate it with 'useradd bob', then assign him to his groups and restore his data from backup.
AnswerB

This correctly removes the account expiration and resets the inactivity timer. Bob can then log in with his current password (which will force a change if password is expired) or reset it.

Why this answer

Option A is correct because chage -E -1 bob removes any account expiration date (setting it to never), and chage -I 90 bob re-sets the inactivity period to 90 days after password expiry. This allows Bob to log in after resetting his password (since his password has already expired), and future inactivity will be tracked. Option B only resets the password but does not address the expired account; the account may still be locked due to inactivity.

Option C resets the password and changes the maximum password age, but does not clear the account expiration or inactivity counter. Option D creates a new user with a clean slate, which is overkill and loses Bob's home directory, files, and group memberships.

64
Multi-Selectmedium

Which TWO options in /etc/shadow are correctly described?

Select 2 answers
A.The password expiration date is stored in the third field
B.The minimum number of days between password changes is the fourth field
C.The account expiration date is the sixth field
D.The number of days since Jan 1, 1970 until the account expires is stored in the seventh field
E.The maximum number of days a password is valid is the fifth field
AnswersB, E

Field 4 is minimum days (pass_min days).

Why this answer

Options B and E are correct. The shadow file has 9 fields: login name, encrypted password, last changed, minimum, maximum, warning, inactivity, expiration, reserved. Option B: maximum days between password changes is field 5.

Option E: minimum days between password changes is field 4. Option A: password expiration date is not directly stored; it's calculated from last change + max. Option C: account expiration date is field 8, not 6.

Option D: days since Jan 1, 1970 when account expires is indeed in field 8 but that's the account expiration field, not password change.

65
MCQhard

A system administrator wants to kill a process with PID 1234 that is not responding to SIGTERM. Which command will forcefully terminate it?

A.kill -1 1234
B.kill -15 1234
C.kill -SIGTERM 1234
D.kill -9 1234
AnswerD

Sends SIGKILL, forcing termination.

Why this answer

Option D is correct because kill -9 (SIGKILL) sends signal 9, which cannot be caught, blocked, or ignored by the process. Unlike SIGTERM (signal 15), SIGKILL forces the kernel to immediately terminate the process without allowing it to clean up, making it the appropriate choice when a process is unresponsive to SIGTERM.

Exam trap

The trap here is that candidates often confuse signal numbers or assume that SIGTERM (signal 15) is always sufficient, not realizing that a process can mask or ignore it, while SIGKILL (signal 9) is the only signal that cannot be handled.

How to eliminate wrong answers

Option A is wrong because kill -1 sends SIGHUP (hangup signal), which typically causes a process to reload its configuration or terminate gracefully, not forcefully terminate. Option B is wrong because kill -15 sends SIGTERM, which is the default polite termination signal that the process can catch and ignore, so it is ineffective when the process is not responding to SIGTERM. Option C is wrong because kill -SIGTERM is equivalent to kill -15, sending the same signal that the process is already ignoring, so it will not forcefully terminate it.

66
MCQeasy

An administrator deploys a new custom service using a unit file called myapp.service. The service needs to start automatically at system boot. Which command should the administrator run to achieve this?

A.systemctl start myapp.service
B.systemctl enable myapp.service
C.systemctl add-wants myapp.service
D.systemctl daemon-reload myapp.service
AnswerB

Creates symlinks to start the service at boot.

Why this answer

The `systemctl enable` command creates the necessary symlinks in the systemd unit configuration directories (e.g., `/etc/systemd/system/multi-user.target.wants/`) to ensure the service is started automatically at boot. This is the correct method to enable a service to start on boot in a systemd-based Linux system.

Exam trap

The trap here is that candidates confuse `systemctl start` (which runs the service now) with `systemctl enable` (which configures automatic startup at boot), leading them to select option A incorrectly.

How to eliminate wrong answers

Option A is wrong because `systemctl start` immediately starts the service but does not configure it to start automatically at boot; it only affects the current session. Option C is wrong because `systemctl add-wants` is not a valid systemd command; the correct command to add a dependency is `systemctl add-wants` is not recognized, and the proper way to enable a service is via `systemctl enable`. Option D is wrong because `systemctl daemon-reload` reloads systemd manager configuration but does not enable a service for boot-time startup; it is used after modifying unit files.

67
MCQmedium

An administrator has added a new disk (/dev/sdb) to a Linux system. The disk is to be used as a physical volume in an existing volume group 'vg_data'. Which sequence of commands should be executed to make the disk available to the volume group?

A.fdisk /dev/sdb; pvcreate /dev/sdb; vgextend vg_data /dev/sdb
B.pvcreate /dev/sdb; vgextend vg_data /dev/sdb
C.pvcreate /dev/sdb; vgcreate vg_data /dev/sdb
D.vgcreate /dev/sdb; vgextend vg_data /dev/sdb
AnswerB

Correct sequence: pvcreate then vgextend.

Why this answer

Option B is correct because it first initializes the disk as a physical volume using `pvcreate`, which writes LVM metadata to /dev/sdb, and then extends the existing volume group 'vg_data' with `vgextend`, adding the new PV to the VG. This is the standard two-step process for adding a new disk to an existing LVM volume group.

Exam trap

The trap here is that candidates may think partitioning (fdisk) is required before LVM operations, or confuse `vgcreate` (which creates a new VG) with `vgextend` (which adds to an existing VG), leading them to pick options that either perform unnecessary steps or use the wrong command for the task.

How to eliminate wrong answers

Option A is wrong because `fdisk /dev/sdb` is unnecessary and potentially harmful; LVM does not require partitioning for a PV (though partitions can be used), and running fdisk without creating a partition would leave the disk without a filesystem table, but the real issue is that `pvcreate` would then fail if the disk has a partition table or the command sequence is redundant. Option C is wrong because `vgcreate` creates a new volume group, but the question specifies the disk should be added to an *existing* volume group 'vg_data', so using `vgcreate` would either fail (if 'vg_data' already exists) or create a second VG with the same name, which is incorrect. Option D is wrong because `vgcreate` is used to create a new VG, not to add a disk to an existing one, and the order is reversed: `pvcreate` must precede `vgextend`; running `vgcreate /dev/sdb` is syntactically invalid as `vgcreate` expects a VG name followed by PVs, not a device path.

68
MCQeasy

A user wants to continuously monitor the last 20 lines of a log file that is being written to by a running service. Which command achieves this?

A.head -20 /var/log/syslog
B.less /var/log/syslog
C.tail -f /var/log/syslog
D.cat /var/log/syslog
AnswerC

tail -f displays the last lines and updates in real time.

Why this answer

Option C is correct because the `tail -f` command displays the last 10 lines of a file by default and then continues to output new lines as they are appended, making it ideal for real-time monitoring of a growing log file. The `-20` option is not specified here, but `tail -f` without a line count still shows the last 10 lines and follows updates; if exactly 20 lines were required, the command would be `tail -20 -f /var/log/syslog`. The `-f` flag (follow) keeps the file open and polls for changes, typically using inotify on Linux, to output new data immediately.

Exam trap

The trap here is that candidates often confuse `tail -f` with `tail -n 20` (which shows the last 20 lines but does not follow) or mistakenly think `head` can monitor the end of a file, leading them to choose option A or B without recognizing the need for the `-f` flag to achieve continuous monitoring.

How to eliminate wrong answers

Option A is wrong because `head -20` displays the first 20 lines of the file, not the last lines, and it does not continuously monitor for new entries. Option B is wrong because `less` opens the file for interactive viewing and does not automatically follow new lines unless used with the `+F` option (which enables follow mode), but the plain `less` command does not provide continuous monitoring. Option D is wrong because `cat` outputs the entire file content to the terminal and then exits, with no ability to watch for updates or limit output to the last lines.

69
MCQmedium

A system administrator needs to ensure that all users in the 'developers' group have read and write access to a shared project directory /project/data, but new files created in that directory should belong to the 'developers' group automatically. Which command sequence achieves this goal?

A.setfacl -m g:developers:rwx /project/data && chmod 2775 /project/data
B.chown root:developers /project/data && chmod u+s /project/data
C.chmod g+s /project/data && chown root:developers /project/data
D.chown :developers /project/data && chmod g+s /project/data
AnswerD

chown :developers sets the group to developers; chmod g+s sets the SGID bit so new files inherit the group.

Why this answer

Option D is correct because `chown :developers /project/data` changes the group ownership of the directory to 'developers', and `chmod g+s /project/data` sets the setgid bit on the directory. The setgid bit ensures that new files created inside inherit the directory's group ('developers') instead of the creator's primary group, and the group ownership gives all members of 'developers' read and write access based on the directory's permissions (e.g., 775).

Exam trap

The trap here is that candidates confuse the setuid bit (u+s) with the setgid bit (g+s), or they forget that group ownership must be explicitly set to 'developers' for inheritance to work, leading them to choose options that set the wrong sticky bit or omit the group change.

How to eliminate wrong answers

Option A is wrong because `setfacl -m g:developers:rwx` grants read, write, and execute access via ACL, but `chmod 2775` sets the setgid bit (2) and permissions 775, which does not automatically assign new files to the 'developers' group—the setgid bit is set, but the group ownership of the directory must be 'developers' for inheritance to work, and this command does not change the group. Option B is wrong because `chown root:developers` sets the group to 'developers', but `chmod u+s` sets the setuid bit (not setgid), which affects the user owner, not group inheritance; new files will not automatically belong to the 'developers' group. Option C is wrong because `chmod g+s` sets the setgid bit, but `chown root:developers` changes the group to 'developers'—however, the order is reversed: the setgid bit should be set after changing group ownership to ensure proper inheritance, though technically the commands would work if executed in any order; the primary issue is that the setgid bit is set before the group change, which is not a functional error but the sequence is less logical; more importantly, the option does not include the necessary permissions (e.g., 2775) to guarantee read/write access for the group, relying on default umask, which may not grant write access.

70
MCQhard

Based on the exhibit, which process will be affected if the root user runs 'kill 5678'?

A.The www-data process with PID 5678
B.The root process (PID 1234)
C.All www-data processes
D.No process, because root cannot kill www-data processes
AnswerA

kill 5678 terminates the process with that PID.

Why this answer

The 'kill 5678' command sends the default SIGTERM (signal 15) to the process with PID 5678. Since the root user has the CAP_KILL capability and is not subject to the ordinary permission checks that restrict non-root users, root can send signals to any process, including those owned by www-data. Therefore, the www-data process with PID 5678 will be terminated.

Exam trap

The trap here is that candidates may mistakenly believe root cannot kill processes owned by other users, or they may confuse the PID argument with a process name, thinking 'kill 5678' affects all processes of a given user or name.

How to eliminate wrong answers

Option B is wrong because 'kill 5678' targets the process with PID 5678, not PID 1234; the root process (PID 1234) is unaffected unless it coincidentally has PID 5678. Option C is wrong because 'kill 5678' sends a signal only to the specific process with PID 5678, not to all www-data processes; to target all www-data processes, one would need to use a command like 'killall www-data' or 'pkill -u www-data'. Option D is wrong because root can indeed kill any process on the system, including those owned by www-data, due to the superuser's unrestricted signal capability.

71
MCQeasy

An administrator needs to check the UUID of a filesystem on /dev/sdb1. Which command should be used?

A.df -h /dev/sdb1
B.mount | grep sdb1
C.blkid /dev/sdb1
D.fdisk -l /dev/sdb1
AnswerC

blkid displays UUID, type, and LABEL of filesystems.

Why this answer

The `blkid` command is specifically designed to locate and display block device attributes, including the UUID and filesystem type. Running `blkid /dev/sdb1` queries the device's superblock and outputs its UUID, making it the correct tool for this task.

Exam trap

The trap here is that candidates confuse `blkid` with `fdisk -l` or `df -h`, assuming those commands also display filesystem UUIDs, but only `blkid` (or `lsblk -f`) directly queries the superblock for this attribute.

How to eliminate wrong answers

Option A is wrong because `df -h` shows disk usage and mount points, not UUIDs; it reads from the mounted filesystem table, not the raw device superblock. Option B is wrong because `mount | grep sdb1` lists only current mount information (device, mount point, filesystem type, options) and does not display UUIDs. Option D is wrong because `fdisk -l` displays partition table geometry and partition types (e.g., Linux filesystem), but it does not show the UUID of the filesystem within the partition.

72
MCQmedium

You are managing a Linux server that hosts web applications. Developers often need to access the server via SSH using their personal accounts. You have been asked to create a new user 'devops' who will have sudo privileges to restart services. The user 'devops' should be a member of the 'sudo' group and also have a secondary group 'devs' for file access. The user's home directory should be /home/devops. You need to create this user with a password that is set to expire immediately so that the user must choose a new password upon first login. Which command would you use to accomplish this?

A.useradd -m -g sudo -G devs devops && passwd -e devops
B.useradd -m -g devs -G sudo devops && chage -d 0 devops
C.useradd -m -G sudo,devs -p '' devops && passwd -d devops
D.useradd -m -g sudo -G devs -p $(openssl passwd -1 temp) -e 0 devops
AnswerB

Creates user with primary group devs, supplementary group sudo, and forces password change at first login.

Why this answer

Option D is correct. useradd -m creates home, -g devs sets primary group to devs, -G sudo sets supplementary groups, and chage -d 0 forces immediate password change. Option A: -e 0 sets account expiry. Option B: -p '' sets empty password, not secure.

Option C: passwd -e is not a standard command.

73
MCQmedium

A user 'dba' tries to login via SSH and fails. Based on the exhibit, what is the most likely cause?

A.The file /home/dba/file.txt is corrupt.
B.The user 'dba' has an invalid login shell.
C.The user 'dba' is not in the 'docker' group.
D.The home directory /home/dba does not have correct permissions.
AnswerB

/bin/false prevents login.

Why this answer

Option B is correct because the exhibit shows that the user 'dba' has an invalid login shell (e.g., /sbin/nologin or /bin/false). When the login shell is set to a non-interactive shell, SSH authentication succeeds but the session immediately closes, preventing the user from logging in. This is a common configuration for system accounts or users who should not have interactive shell access.

Exam trap

The trap here is that candidates often assume SSH login failures are always due to authentication (password/key) or file permissions, but the LFCS exam frequently tests the subtle point that an invalid login shell causes a successful authentication followed by an immediate session termination, which appears as a login failure.

How to eliminate wrong answers

Option A is wrong because a corrupt file in the user's home directory does not prevent SSH login; SSH authentication and session establishment occur before any user files are accessed. Option C is wrong because group membership (e.g., 'docker') is irrelevant to SSH login; SSH only checks the user's authentication credentials and shell validity. Option D is wrong because incorrect home directory permissions would cause issues after login (e.g., unable to read .bashrc), but they do not prevent the SSH authentication process itself; SSH only requires the home directory to exist and be accessible for reading the user's SSH configuration files like ~/.ssh/authorized_keys.

74
MCQeasy

A system administrator needs to find all files in /var/log that have been modified in the last 24 hours. Which command accomplishes this?

A.find /var/log -mtime 0
B.find /var/log -newer /var/log/syslog
C.find /var/log -mtime -1
D.find /var/log -mtime 1
AnswerC

Correctly finds files modified less than 1 day ago, i.e., within the last 24 hours.

Why this answer

Option C is correct because `find /var/log -mtime -1` finds files modified less than 1 day ago (i.e., within the last 24 hours). The `-mtime` option with a negative number (`-1`) matches files whose content was modified less than n*24 hours ago, which is exactly what the question requires.

Exam trap

The trap here is confusing `-mtime -1` (modified less than 24 hours ago) with `-mtime 1` (modified between 24 and 48 hours ago) or `-mtime 0` (modified exactly 24 hours ago), leading candidates to pick the wrong numeric argument.

How to eliminate wrong answers

Option A is wrong because `-mtime 0` finds files modified exactly 24 hours ago (i.e., between 24 and 48 hours ago), not within the last 24 hours. Option B is wrong because `-newer /var/log/syslog` compares modification times against a specific file, not a time range, and assumes `/var/log/syslog` exists and was last modified exactly 24 hours ago, which is unreliable. Option D is wrong because `-mtime 1` finds files modified between 24 and 48 hours ago, not within the last 24 hours.

75
MCQhard

Refer to the exhibit. Assuming today is Feb 20, 2025, what happens when 'bob' attempts to log in today?

A.Login is denied because the password has expired
B.Login is successful, but a warning message is displayed that password will expire soon
C.Login is denied because the account expired on Mar 01
D.Login is successful without warnings
AnswerD

Both account and password are still valid; no warning period yet.

Why this answer

Option D is correct. Account expiration is Mar 01, 2025, which is in the future, so account is not yet expired. Password expires on Apr 15, also future.

Warning period started after Jan 15+81 days? Actually warning starts 7 days before expiration, which would be around Apr 8, not yet. So login should succeed. Option A: Account expires Mar 01, not yet.

Option B and C are incorrect because conditions are not met.

Page 1 of 7

Page 2

All pages