Linux Foundation Certified System Administrator LFCS (LFCS) — Questions 76–150

513 questions total · 7 pages · All types, answers revealed

Page 2 of 7

76
MCQ · easy

The command 'ss -tuln' shows port 80 is listening on a server, but a remote client cannot connect via HTTP. What is the most likely cause?

A. The HTTP service is not running
B. The client has a misconfigured default gateway
C. The server's /etc/hosts file is misconfigured
D. A firewall is blocking incoming TCP port 80
Answer: D

Firewalls commonly block ports; even if the service listens, external access may be blocked.

Why this answer

The `ss -tuln` command shows that port 80 is in the LISTEN state, which means the HTTP service (e.g., Apache or Nginx) is bound to the port and ready to accept connections. Since the server is listening but the remote client cannot connect, the most likely cause is a firewall (such as iptables, nftables, or a cloud security group) that is blocking incoming TCP SYN packets destined for port 80, preventing the three-way handshake from completing.

Exam trap

The trap here is that candidates see 'listening' on port 80 and assume the service is fully accessible, forgetting that a firewall can silently drop incoming packets even when the service is up and listening.

How to eliminate wrong answers

Option A is wrong because if the HTTP service were not running, `ss -tuln` would not show port 80 in the LISTEN state; the command output explicitly confirms the service is running. Option B is wrong because a misconfigured default gateway on the client would prevent the client from reaching any remote network, not just port 80 on this specific server; the client can likely reach other services or the server itself via other ports. Option C is wrong because the `/etc/hosts` file is used for local hostname resolution and does not affect network connectivity at the transport layer; a misconfigured hosts file would cause a DNS-like resolution failure, not a TCP connection timeout or reset.

77
MCQ · medium

A system administrator is troubleshooting a user's report that a command 'myapp' is not found. The administrator checks the PATH variable and sees it includes /usr/local/bin. The administrator verifies that the binary 'myapp' exists in /usr/local/bin with permissions 755. However, running 'myapp' still fails with 'command not found'. What is the most likely cause?

A. The user's PATH does not include /usr/local/bin
B. The binary is a shell script missing a shebang
C. The shell's hash table is stale; run 'hash -r'
D. The binary does not have execute permission for the user
Answer: C

Correct: the shell caches command locations, and may not have updated after the binary was added.

Why this answer

Option C is correct because the shell caches the locations of executables in a hash table to avoid searching PATH repeatedly. When a new binary is added to a directory already in PATH, the shell may still have a stale entry (or no entry) for that command, causing it to report 'command not found' even though the binary exists. Running 'hash -r' clears the entire hash table, forcing the shell to re-scan PATH on the next invocation.

Exam trap

Linux Foundation often tests the concept that the shell's hash table can cause 'command not found' errors even when the binary exists and permissions are correct, leading candidates to incorrectly focus on PATH or permissions.

How to eliminate wrong answers

Option A is wrong because the administrator checked the PATH variable and confirmed it includes /usr/local/bin, so the user's PATH does include that directory. Option B is wrong because a missing shebang would cause the script to be interpreted by the current shell (which might fail or behave unexpectedly), but it would not produce a 'command not found' error; the shell would still attempt to execute it. Option D is wrong because the administrator verified the binary has permissions 755, which grants execute permission to the owner, group, and others, so the user does have execute permission.

78
MCQ · hard

You are a systems administrator at a company that uses a centralized LDAP server for authentication, but also maintains local users for emergency access. Recently, the compliance team mandated that all service accounts must have passwords that expire every 90 days. You have a local service account 'svc_backup' with UID 2000 and GID 2000. The account is used by a backup script that runs nightly. You have updated the password aging policy but the account still shows 'Password expires : never' when you run 'chage -l svc_backup'. You suspect that the account was created without an expiry date. Which command would you use to force the password to expire 90 days from now and also ensure that the account's password is changed at the next login?

A. usermod -e $(date -d '+90 days' +%Y-%m-%d) svc_backup
B. chage -M 90 -d 0 svc_backup
C. passwd -x 90 svc_backup
D. chage -W 7 -I 30 svc_backup
Answer: B

Sets max password age to 90 days and forces password change at next login.

Why this answer

`chage -M 90 -d 0` is correct: `-M 90` sets the maximum password age to 90 days, and `-d 0` forces an immediate password change. `passwd -x 90` sets the maximum days but does not force an immediate change. `usermod -e` sets the account expiry, not the password expiry. `chage -W 7 -I 30` sets the warning and inactive days but does not enforce the maximum days or an immediate change.

79
MCQ · medium

A service is configured to run as a specific user. Which directive in the [Service] section sets the user?

A. RunAs
B. User
C. Account
D. UserID
Answer: B

User= specifies the service's user.

Why this answer

In systemd service units, the directive to specify the user under which the service process runs is `User=` within the `[Service]` section. This directive sets the Unix user account (by name or UID) that the service's main PID will execute as, ensuring proper privilege separation and security.

Exam trap

The trap here is that candidates may confuse systemd's `User=` with the `RunAs` keyword from other operating systems (like Windows services or Solaris) or with generic terms like `Account`, leading them to pick a plausible-sounding but incorrect option.

How to eliminate wrong answers

Option A is wrong because `RunAs` is not a valid systemd directive; it is a concept from other init systems like Solaris SMF or some Docker configurations. Option C is wrong because `Account` is not a systemd directive; it might be confused with the `Account=` field in PAM or NSS contexts but has no place in a systemd service unit. Option D is wrong because `UserID` is not a valid systemd directive; systemd uses `User=` for the username and `Group=` for the group, not a literal 'UserID' key.

80
MCQ · easy

A service named webserver.service is failing to start. The administrator wants to see the most recent error messages related to this service. Which command provides this information?

A. journalctl -u webserver.service
B. systemctl status webserver.service --full
C. systemctl list-units --type=service | grep webserver
D. systemctl is-active webserver.service
Answer: A

Shows logs for the unit, including recent errors.

Why this answer

The `journalctl -u webserver.service` command queries the systemd journal for all log entries associated with the specified unit, showing the most recent error messages in reverse chronological order. This is the standard way to view detailed, time-stamped error logs for a failing service, as `journalctl` provides access to the binary journal that captures stdout, stderr, and syslog messages from the service.

Exam trap

The trap here is that candidates confuse `systemctl status` (which shows a brief log snippet) with `journalctl -u` (which provides the full, searchable journal), assuming the status command gives complete error history when it only shows a truncated view.

How to eliminate wrong answers

Option B is wrong because `systemctl status webserver.service --full` shows the current state, recent log lines (usually the last 10), and unit metadata, but it does not display the full journal history or allow filtering by priority; it truncates output and is not designed for deep error inspection. Option C is wrong because `systemctl list-units --type=service | grep webserver` only lists loaded service units and their states (active/inactive), not any error messages or logs. Option D is wrong because `systemctl is-active webserver.service` simply returns a single word (active, inactive, failed) indicating the service's current state, with no error details whatsoever.

81
MCQ · medium

A disk in a RAID5 array fails. The array is assembled using mdadm. Which is the correct procedure to replace the failed disk with a new one?

A. Physically replace the disk, then run 'mdadm --add /dev/md0 /dev/sdb'.
B. Run 'mdadm --replace /dev/md0 /dev/sdb' with the new disk path.
C. Run 'mdadm --fail /dev/md0 /dev/sdb', then 'mdadm --remove /dev/md0 /dev/sdb', then physically replace, then 'mdadm --add /dev/md0 /dev/sdb'.
D. Hot-swap the disk and the array automatically recovers.
Answer: C

Correct step-by-step procedure.

Why this answer

Option C is correct because it follows the proper mdadm procedure for replacing a failed disk in a RAID5 array. First, you must mark the disk as failed with 'mdadm --fail' to ensure the array stops using it, then remove it with 'mdadm --remove' to detach it from the array. After physically replacing the disk, you add the new disk with 'mdadm --add', which triggers a rebuild of the array from the remaining disks' parity data.

Exam trap

The trap here is that candidates assume a hot-swap or a single '--add' command is sufficient, but the LFCS exam expects the full three-step procedure to ensure the array state is properly managed before introducing a new disk.

How to eliminate wrong answers

Option A is wrong because it omits the critical steps of failing and removing the old disk before adding the new one; simply adding a new disk without first failing the old one can cause conflicts or data corruption. Option B is wrong because 'mdadm --replace' is not a valid mdadm command; the correct approach uses '--fail', '--remove', and '--add' sequentially. Option D is wrong because RAID5 does not automatically recover from a hot-swap; you must manually fail, remove, and add the disk, and the array rebuilds only after the new disk is added.

82
Matching · medium

Match each file system type to its typical use case.

General-purpose Linux file system

High-performance for large files

Copy-on-write with snapshots

Virtual memory paging

Temporary file system in RAM

Why these pairings

Common file systems used in Linux environments.

83
MCQ · medium

A DevOps engineer wants to measure how long a specific command takes to execute. Which command should be used?

A. date
B. uptime
C. wall
D. time
Answer: D

Measures the execution time of a command.

Why this answer

Option D is correct because the `time` command is specifically designed to measure the execution duration of a command, reporting real time, user CPU time, and system CPU time. It wraps the target command and tracks the elapsed wall-clock time and resource usage, making it the precise tool for benchmarking command performance.

Exam trap

The trap here is that candidates may confuse `time` with `date` or `uptime` because they all display time-related information, but only `time` measures the execution duration of a specific command.

How to eliminate wrong answers

Option A is wrong because `date` displays or sets the system date and time, but does not measure the duration of a command's execution. Option B is wrong because `uptime` shows how long the system has been running since last boot, along with load averages, not the execution time of a specific command. Option C is wrong because `wall` sends a message to all logged-in users' terminals and has no timing functionality.

84
MCQ · easy

To display the current runlevel on a system using SysV init, which command should be used?

A. who -r
B. runlevel
C. systemctl get-default
D. init 3
Answer: B

'runlevel' is the correct command for SysV init.

Why this answer

The `runlevel` command is the standard tool for displaying the current runlevel on a system using SysV init. It outputs the previous and current runlevels, with 'N' indicating no previous runlevel. This command directly queries the SysV init process (PID 1) to retrieve the runlevel state.

Exam trap

The trap here is that candidates may confuse `who -r` (which also shows runlevel) with the more direct `runlevel` command, or mistakenly think `systemctl get-default` applies to SysV init systems, when it is specific to systemd.

How to eliminate wrong answers

Option A is wrong because `who -r` displays the current runlevel and process history on systems using SysV init, but it is not the primary or most direct command; the question specifically asks for the command that should be used, and `runlevel` is the canonical choice. Option C is wrong because `systemctl get-default` is used on systems with systemd to show the default target (e.g., multi-user.target), not the current runlevel, and it does not apply to SysV init. Option D is wrong because `init 3` changes the runlevel to 3, not displays the current runlevel; it is a command to switch runlevels, not query the current state.

85
MCQ · easy

A system administrator wants to ensure that network interfaces receive predictable names based on firmware/BIOS topology rather than kernel enumeration. Which naming scheme should be enabled in GRUB?

A. net.ifnames=0
B. ifrename=enable
C. net.ifnames=1
D. biosdevname=0
Answer: A

Enables predictable naming based on firmware topology.

Why this answer

Option A is correct because setting `net.ifnames=0` in GRUB disables the predictable network interface naming scheme (based on firmware/BIOS topology) and reverts to the traditional kernel enumeration (e.g., eth0, eth1). This is the standard kernel parameter used to control systemd's udev naming policy, ensuring names like enp0s3 or ens33 are replaced with legacy names.

Exam trap

The trap here is that candidates confuse `net.ifnames=0` with enabling predictable naming, when in fact it disables it, and they may also mistake `biosdevname=0` as the correct parameter for enabling topology-based names, whereas biosdevname is a separate, older scheme from Dell.

How to eliminate wrong answers

Option B is wrong because `ifrename=enable` is not a valid GRUB kernel parameter; ifrename is a separate tool (part of the wireless-tools package) for renaming interfaces, not a kernel boot parameter. Option C is wrong because `net.ifnames=1` enables predictable naming (the default behavior), which is the opposite of what the question asks (the admin wants predictable names based on topology, not kernel enumeration). Option D is wrong because `biosdevname=0` disables the biosdevname naming scheme (which uses BIOS-provided names like em1 or p1p1), but the question specifically asks for predictable names based on firmware/BIOS topology, and biosdevname is a separate mechanism from systemd's predictable naming; setting it to 0 would disable that scheme, not enable the desired behavior.

86
MCQ · hard

A system administrator receives a report that a server with an ext4 filesystem becomes unresponsive when a particular process writes a large file. The root filesystem is not full. Which of the following is the most likely cause?

A. The journal size is too large and causes excessive disk writes.
B. The filesystem is mounted with the 'noatime' option, causing frequent access time updates.
C. The filesystem has experienced a corruption; running 'fsck' may resolve the issue.
D. The hard disk has developed bad sectors that affect only that file's location.
Answer: C

Corruption can cause I/O hangs.

Why this answer

Option C is correct because filesystem corruption can cause the system to hang when a process attempts to write to a damaged area, even if the filesystem is not full. The ext4 journal may replay inconsistent metadata, leading to an I/O stall. Running 'fsck' can detect and repair such corruption, restoring normal operation.

Exam trap

The trap here is that candidates assume a full filesystem is the only cause of write-related hangs, overlooking that filesystem corruption can cause the kernel to stall on journal replay or metadata operations even when space is available.

How to eliminate wrong answers

Option A is wrong because a journal that is too large does not cause excessive disk writes; ext4's journal size is fixed at creation (default 128 MB) and only records metadata changes, not data writes, so it would not cause unresponsiveness from a large file write. Option B is wrong because mounting with 'noatime' disables access time updates, which reduces disk writes, not increases them; this option would improve performance, not cause unresponsiveness. Option D is wrong because bad sectors are handled by the disk's internal remapping (via S.M.A.R.T.) and would typically cause I/O errors or read/write failures, not system-wide unresponsiveness; the filesystem would report errors for that specific file, not hang the entire server.

87
MCQ · easy

Which command will display all groups a specific user belongs to, including both primary and supplementary groups?

A. cat /etc/passwd | grep username
B. groups username
C. id -g username
D. grep username /etc/group
Answer: B

Correct: displays all groups.

Why this answer

`groups username` is correct: the `groups` command lists all groups for a user. `cat /etc/passwd | grep username` shows only the primary group. `grep username /etc/group` lists supplementary groups from /etc/group, but not the primary group if the user is not listed there. `id -g username` shows the primary GID only.

88
MCQ · medium

Refer to the exhibit. The administrator wants to extend the /data filesystem by an additional 10GB. The volume group vg_data has only 1GB of free physical extents. Which action should be taken first?

A. Delete the /backup logical volume to free space.
B. Add /dev/sdc as a physical volume and extend vg_data.
C. Reduce the size of /backup to free space in vg_data.
D. Create a new logical volume from the free space in vg_data.
Answer: B

Correct first step.

Why this answer

The /data filesystem needs an additional 10GB, but vg_data has only 1GB of free physical extents. To extend the logical volume, the volume group must have sufficient free physical extents. Adding /dev/sdc as a physical volume and extending vg_data increases the pool of physical extents, making the required space available.

This is the correct first step because you cannot extend a logical volume beyond the available free extents in its volume group.

Exam trap

Linux Foundation often tests the misconception that you can extend a logical volume without first ensuring the volume group has enough free physical extents, leading candidates to choose options that attempt to manipulate existing volumes (like shrinking or deleting) instead of adding new storage capacity.

How to eliminate wrong answers

Option A is wrong because deleting the /backup logical volume would free space in vg_data, but it is a destructive action that removes the filesystem and data; the question asks for the first action to extend /data, not to destroy another volume. Option C is wrong because reducing the size of /backup requires that the filesystem and logical volume support shrinking (e.g., ext4 with resize2fs, or XFS which cannot be shrunk), and even if possible, it would only free a limited amount of space, not necessarily 10GB, and is more complex than adding a new physical volume. Option D is wrong because creating a new logical volume from the free space in vg_data would consume the only 1GB available, leaving no space to extend /data; the goal is to extend /data, not create a separate volume.

89
MCQ · medium

Refer to the exhibit. The administrator receives alerts that the root filesystem is almost full. Which command could free up space by removing old log files?

A. find /var/log -name '*.log' -mtime +30 -delete
B. truncate -s 0 /var/log/syslog
C. rm -rf /var/log/*
D. du -sh /var/log
Answer: A

Removes old log files safely.

Why this answer

Option A is correct because the `find` command with `-name '*.log'` targets log files, `-mtime +30` selects files modified more than 30 days ago, and `-delete` removes them. This safely frees space by purging only old logs, preserving recent logs needed for troubleshooting.

Exam trap

Linux Foundation often tests the distinction between commands that merely display disk usage (like `du`) versus those that actually remove files, and the danger of using `rm -rf` with wildcards on system directories like /var/log.

How to eliminate wrong answers

Option B is wrong because `truncate -s 0 /var/log/syslog` empties a single log file but does not remove old log files; it only clears the current syslog, which may still be needed and does not address multiple old log files. Option C is wrong because `rm -rf /var/log/*` deletes all files in /var/log, including critical logs and possibly active log files, which could break logging services and cause data loss. Option D is wrong because `du -sh /var/log` only shows disk usage of the directory; it does not free any space or remove any files.

90
Drag & Drop · medium

Order the steps to troubleshoot a DNS resolution issue from a Linux client.

Why this order

First check DNS config, then test resolution, then connectivity, then firewall.

91
MCQ · hard

A system administrator is managing a production web server running CentOS 7. The server hosts a critical application that depends on the 'httpd' package. Recently, the administrator attempted to install an updated version of httpd using 'yum update httpd', but the update failed with a dependency error: 'Error: Package: httpd-2.4.6-97.el7.centos.x86_64 requires libapr-1.so.0()(64bit)'. The administrator verifies that the apr package is installed (apr-1.5.2-6.el7.x86_64) and that the required library file exists at /usr/lib64/libapr-1.so.0. Despite this, yum continues to fail with the same error. After checking the yum repository configuration, the administrator notices that the base repository lists 'mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os' and the 'baseurl' is commented out. The system's /etc/yum.conf has 'keepcache=1'. What is the most likely cause of the dependency error, and which command should the administrator run to resolve it?

A. The yum cache is corrupted; delete /var/cache/yum manually and run 'yum makecache'.
B. The dependency is satisfied but yum's dependency resolver has a bug; use 'rpm -Uvh httpd.rpm --nodeps' to bypass dependency check.
C. The repository metadata is stale; run 'yum clean all' then 'yum update'.
D. The installed apr package is from a different version than what httpd expects; install a newer apr from a different repository.
Answer: C

Cleaning metadata refreshes dependency resolution, likely resolving the false error.

Why this answer

Running `yum clean all` and then `yum update` is correct. The dependency error despite the library being present suggests stale repository metadata. `yum clean all` clears the cache and forces a fresh metadata download, which often resolves such false positives. Installing a newer apr from a different repository is incorrect because the installed apr version provides the required library. Deleting /var/cache/yum manually is similar to `yum clean all`, but manual deletion is unnecessary. Using `--nodeps` bypasses dependency checks and risks breaking the system.

92
MCQ · hard

A system with systemd experiences a service that fails to start due to a 'Failed to start' error with status 203/EXEC. What is the most likely cause?

A. The system has run out of memory
B. The service unit file has a missing or incorrect ExecStart command
C. The service is already running
D. The service requires a dependency that hasn't started
Answer: B

EXEC means the executable could not be found or executed.

Why this answer

Status 203/EXEC in systemd indicates that the service manager failed to execute the command specified in the service unit file. The most common cause is a missing or incorrect ExecStart directive, such as a typo in the binary path, a missing executable, or incorrect syntax. This error is specific to execution failures, not resource or dependency issues.

Exam trap

The trap here is that candidates confuse status 203/EXEC with a generic 'service failed to start' and incorrectly attribute it to dependencies or resource exhaustion, rather than recognizing it as a specific indicator of an exec() failure in the ExecStart directive.

How to eliminate wrong answers

Option A is wrong because out-of-memory conditions typically cause OOM kills (status 137/SIGKILL) or systemd service cgroup memory limit violations, not status 203/EXEC. Option C is wrong because if the service is already running, systemd would report a 'start-limit-hit' or 'already running' error, not an EXEC failure. Option D is wrong because dependency failures result in status 203/EXEC only if the dependency itself causes the ExecStart to fail; normally, unmet dependencies produce 'dependency failed' or 'timeout' errors, not an EXEC code.

93
Multi-Select · hard

Which THREE of the following are valid methods to temporarily switch to a different user account without logging out entirely? (Choose three.)

Select 3 answers
A. sudo -u username -s
B. su - username
C. newgrp groupname
D. login username
E. runuser -l username -c 'bash'
Answers: A, B, E

Launches a shell as the specified user with sudo.

Why this answer

The `su - username`, `sudo -u username -s`, and `runuser -l username -c 'bash'` options are correct. `su - username` starts a login shell as that user. `sudo -u username -s` launches a shell as that user. `runuser` is a command that runs a program as another user (used in scripts). `newgrp` changes the group, not the user. `login` requires a full login.

94
Multi-Select · medium

Which two commands produce output that includes the current runlevel or target? (Choose two.)

Select 2 answers
A. systemctl list-units --type=target
B. systemctl show-environment
C. runlevel
D. who -r
E. systemctl get-default
Answers: C, D

Displays previous and current runlevel.

Why this answer

The `runlevel` command displays the previous and current runlevel from the `/var/run/utmp` file, making it a direct way to see the current runlevel. The `who -r` command reads the same utmp file and prints the current runlevel along with the time of the last runlevel change, so both commands produce output that includes the current runlevel or target.

Exam trap

The trap here is that candidates often pick `systemctl get-default` (option E) thinking it shows the current target, but it only shows the default target for the next boot, not the currently active target, which is a common confusion between persistent default and runtime state.

95
MCQ · medium

An administrator needs to configure software RAID 5 on three disks /dev/sda, /dev/sdb, /dev/sdc with a spare disk /dev/sdd. Which command correctly creates the RAID array?

A. mdadm --create /dev/md0 --level=5 --raid-devices=3 --spare-devices=1 /dev/sda /dev/sdb /dev/sdc /dev/sdd
B. mdadm --create /dev/md0 --level=5 --raid-devices=4 /dev/sda /dev/sdb /dev/sdc /dev/sdd
C. mdadm --create /dev/md0 --level=5 --raid-devices=3 /dev/sda /dev/sdb /dev/sdc
D. mdadm --create /dev/md0 --level=5 --raid-devices=3 --spare-devices=1 /dev/sda /dev/sdb /dev/sdc --spare /dev/sdd
Answer: A

Correct command.

Why this answer

Option A is correct because it uses the `--spare-devices=1` flag to designate `/dev/sdd` as a hot spare, while `--raid-devices=3` specifies that only three disks form the active RAID 5 array. The spare disk is listed after the active disks, which is the correct syntax for `mdadm --create`.

Exam trap

The trap here is that candidates often confuse `--raid-devices` with the total number of disks provided, leading them to set `--raid-devices=4` (option B) when they intend to include a spare, or they forget to specify the spare at all (option C).

How to eliminate wrong answers

Option B is wrong because `--raid-devices=4` tells mdadm to use all four disks as active members of the RAID 5 array, leaving no spare disk; this creates a four-disk RAID 5 instead of a three-disk RAID 5 with a spare. Option C is wrong because it omits the spare disk entirely, so `/dev/sdd` is not included in the command and no spare is configured. Option D is wrong because it incorrectly uses both `--spare-devices=1` and a separate `--spare` flag, which is redundant and syntactically invalid; mdadm expects the spare devices to be listed after the active devices, not with a separate `--spare` option.

96
Matching · medium

Match each Linux permission type to its symbolic representation.

r

w

x

s (owner execute)

t (other execute)

Why these pairings

These are standard permission symbols in Linux.

97
MCQ · hard

An administrator is configuring network bonding on a RHEL 7 server with two physical NICs (eth0 and eth1) to provide redundancy. The bond interface bond0 is configured with mode 1 (active-backup). The administrator uses the following configuration in /etc/sysconfig/network-scripts/ifcfg-bond0: BONDING_OPTS="miimon=100 mode=1". The slave interfaces are configured with MASTER=bond0 and SLAVE=yes. After restarting the network service, the bond interface comes up with the active link on eth0. To test failover, the administrator disconnects the cable from eth0. The bond interface does not fail over to eth1. The administrator checks /proc/net/bonding/bond0 and sees that both slaves are listed but eth0 is still marked as active even though the cable is disconnected. What is the most likely reason for the failover failure?

A. Add arp_interval=1000 and arp_ip_target=192.168.1.1 to BONDING_OPTS.
B. Change bonding mode to mode 4 (802.3ad load balancing).
C. Remove one slave and re-add it to force a failover.
D. Check /var/log/messages for bonding driver errors.
Answer: A

ARP monitoring can detect link failures when MII monitoring fails.

Why this answer

Option A is correct because in mode 1 (active-backup), the bonding driver uses MII monitoring (miimon) to detect link state changes via the physical carrier signal. However, some switches or NICs do not properly report carrier loss when a cable is disconnected, causing miimon to miss the failure. Adding arp_interval and arp_ip_target forces the bonding driver to use ARP-based monitoring, which actively probes a target IP to verify link availability, thus detecting failures that miimon cannot see.

Exam trap

The trap here is that candidates assume miimon always detects physical disconnection, but the exam tests the understanding that carrier detection can fail, requiring ARP monitoring as a fallback for reliable failover.

How to eliminate wrong answers

Option B is wrong because mode 4 (802.3ad) requires switch support for LACP and is designed for load balancing, not redundancy; it does not solve the miimon detection issue. Option C is wrong because removing and re-adding a slave does not address the root cause—the driver still relies on miimon, which is failing to detect the link loss. Option D is wrong because checking logs for bonding driver errors is a diagnostic step, not a configuration fix; the issue is a missing monitoring mechanism, not a driver error.

98
MCQ · easy

A system administrator needs to ensure that a Linux server can communicate with other hosts on the same subnet. Which command should be used to verify the IP address and netmask configuration?

A. netstat -rn
B. route -n
C. ifconfig
D. ip addr show
Answer: D

ip addr show is the modern command to display IP addresses and netmasks.

Why this answer

The `ip addr show` command is the modern, recommended tool in Linux for viewing IP addresses and netmasks (prefix lengths) assigned to network interfaces. It directly displays the configuration needed to verify subnet communication, unlike legacy tools that may not show the netmask clearly or mix routing information.

Exam trap

The trap here is that candidates often choose `ifconfig` out of habit, not realizing it is deprecated and may be missing on minimal installations, while `ip addr show` is the current standard and always available in modern Linux distributions.

How to eliminate wrong answers

Option A is wrong because `netstat -rn` displays the kernel routing table, not IP address or netmask configuration. Option B is wrong because `route -n` also shows the routing table, not interface IP/netmask details. Option C is wrong because `ifconfig` is deprecated and may not be installed by default on modern distributions; it can show IP and netmask but is less reliable and lacks the structured output of `ip`.

99
MCQeasy

To permanently disable IPv6 on a network interface, which configuration should be added to /etc/sysctl.conf?

A.net.ipv6.conf.all.disable=1
B.ipv6.disable=1
C.net.ipv6.conf.eth0.disable_ipv6 = 1
D.net.ipv6.conf.all.disable_ipv6 = 1
AnswerD

This disables IPv6 on all interfaces system-wide.

Why this answer

Option D is correct because the sysctl parameter `net.ipv6.conf.all.disable_ipv6 = 1` is the proper kernel interface to globally disable IPv6 on all network interfaces. This setting is applied via the sysctl system, which reads `/etc/sysctl.conf` at boot to configure kernel parameters. The key must use the exact `disable_ipv6` suffix (not `disable`) and the `all` scope ensures the setting applies to every interface, including future ones.

Exam trap

The trap here is that candidates confuse the sysctl parameter name `disable_ipv6` with the simpler `disable` (Option A) or mix up sysctl settings with kernel boot parameters like `ipv6.disable=1` (Option B), while also overlooking that `all` is the correct scope for a permanent, interface-agnostic configuration in `/etc/sysctl.conf`.

How to eliminate wrong answers

Option A is wrong because `net.ipv6.conf.all.disable=1` uses an incorrect parameter name; the correct sysctl key ends with `disable_ipv6`, not `disable`. Option B is wrong because `ipv6.disable=1` is a kernel boot parameter (passed via GRUB command line), not a sysctl setting that belongs in `/etc/sysctl.conf`. Option C is wrong because, while `net.ipv6.conf.eth0.disable_ipv6 = 1` is a valid sysctl key, it disables IPv6 only on the specific interface `eth0`, not permanently across all interfaces as the question requires. The question asks for a configuration to disable IPv6 on 'a network interface', but the context of `/etc/sysctl.conf` and the 'permanently' keyword implies a global or interface-agnostic setting, and the correct answer uses `all` to cover all interfaces.

100
MCQeasy

A user wants to set the permissions of a file to 'rwxr-xr--'. Which octal permission value should they use with chmod?

A.754
B.755
C.754
D.744
AnswerA, C

Correct: rwxr-xr-- corresponds to 754.

Why this answer

The permissions 'rwxr-xr--' correspond to owner: rwx (7), group: r-x (5), others: r-- (4). The octal value 754 is derived by summing the binary bits for each triad: read (4), write (2), execute (1). Thus, chmod 754 sets the exact permissions requested.

Exam trap

The trap here is that candidates often confuse the order of the octal digits (owner, group, others) or miscompute the group/others values, leading them to pick 755 (granting extra execute) or 744 (missing group execute).

How to eliminate wrong answers

Option B (755) is wrong because it sets others to r-x (5) instead of r-- (4), granting execute permission to others unnecessarily. Option D (744) is wrong because it sets group to r-- (4) instead of r-x (5), denying group execute permission. Option A and C are identical and both correct; the duplication is an artifact of the answer choices.

101
MCQhard

Which iptables command allows incoming SSH traffic only from the 10.0.0.0/8 network?

A.iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
B.Edited: Option A: only ACCEPT, Option B: default DROP with ACCEPT (but missing state tracking for return traffic), Option C: ACCEPT from network then DROP others, Option D: completely wrong command.

Why this answer

Option D is correct because it adds a rule to accept SSH from the source network, then sets the default policy to DROP (or assumes a subsequent DROP rule). Option A is incorrect because it does not block other sources. Option B is incorrect because order matters; default policy DROP without an ACCEPT rule blocks everything.

Option C is incorrect because it accepts all SSH regardless of source.

102
MCQmedium

An administrator needs to create a user 'john' with a home directory in /data/home/john, a UID of 1500, and membership in the group 'developers' as a secondary group. The group 'developers' already exists. Which single command accomplishes this?

A.adduser --uid 1500 --home /data/home/john --group developers john
B.useradd john; usermod -u 1500 -d /data/home/john -G developers john
C.useradd -u 1500 -d /data/home/john -g developers john
D.useradd -u 1500 -d /data/home/john -G developers john
AnswerD

Correct: all options in one useradd.

Why this answer

Option B is correct: useradd -u -d -G all in one command. Option A uses usermod which requires the user to exist first. Option C uses adduser which is distribution-specific and may not support all flags.

Option D is missing the secondary group flag.

103
MCQhard

A technician configured a new network interface eth1 on a CentOS 7 server but the interface does not obtain an IPv4 address via DHCP. Which of the following is the most likely cause?

A.The interface MTU is set too high
B.SELinux is blocking dhclient
C.NetworkManager is not managing the interface (NM_CONTROLLED=no)
D.Firewalld is blocking DHCP ports (67/68)
AnswerC

When NM_CONTROLLED=no, NetworkManager ignores the interface, so DHCP is not attempted.

Why this answer

Option C is correct because when NM_CONTROLLED=no is set in the interface configuration file (/etc/sysconfig/network-scripts/ifcfg-eth1), NetworkManager will not manage that interface. Since dhclient is typically invoked by NetworkManager (or by legacy network scripts only if NM_CONTROLLED=yes), the interface will not automatically obtain an IPv4 address via DHCP. On CentOS 7, NetworkManager is the default network service, and disabling its control prevents DHCP client activation.

Exam trap

The trap here is that candidates often assume firewall or SELinux is the culprit for DHCP failures, but the most common cause on CentOS 7 is the NM_CONTROLLED=no setting, which disables NetworkManager's DHCP client management.

How to eliminate wrong answers

Option A is wrong because MTU (Maximum Transmission Unit) being set too high does not prevent DHCP from obtaining an address; DHCP uses Layer 2 broadcast frames and Layer 3 UDP packets, and MTU issues typically cause fragmentation or packet loss, not a complete failure to acquire an IP. Option B is wrong because SELinux does not block dhclient by default; dhclient runs in the dhcpc_t domain, and SELinux policies allow it to send and receive DHCP packets on ports 67/68. Option D is wrong because firewalld blocking DHCP ports (67/68) would prevent DHCP discovery and offer packets from reaching the client, but the question states the interface does not obtain an IPv4 address via DHCP—firewalld could cause this, but it is less likely than the direct configuration issue of NM_CONTROLLED=no, which is a common misconfiguration on CentOS 7.

104
Multi-Selecteasy

A system administrator needs to identify all available block devices on a Linux server. Which two commands can be used to accomplish this? (Choose two.)

Select 2 answers
A.blkid
B.mount
C.lsblk
D.df -h
E.fdisk -l
AnswersC, E

Lists all block devices.

Why this answer

The `lsblk` command lists all available block devices (e.g., disks, partitions, LVM volumes) by reading the sysfs filesystem, providing a tree-like view of device hierarchy. The `fdisk -l` command displays the partition table for all block devices, showing detailed information about disk geometry and partitions. Both commands are standard tools for identifying block devices on a Linux system.

Exam trap

The trap here is that candidates often confuse `blkid` with `lsblk` because of similar names, but `blkid` only shows devices with filesystem metadata, not all block devices, making it incomplete for this task.

105
MCQmedium

A system administrator notices that a new 500GB SSD (/dev/sdb) is not being recognized by the system after installation. The server uses UEFI and GPT partitioning. Which command should the administrator run first to verify that the disk is detected by the kernel?

A.fdisk -l /dev/sdb
B.lsblk
C.cat /proc/cpuinfo
D.lsusb
AnswerB

lsblk lists all block devices, including /dev/sdb, and does not require root.

Why this answer

The `lsblk` command lists all block devices recognized by the kernel, including those without a filesystem or partition table. Since the disk is new and not yet partitioned, `lsblk` will show it if the kernel has detected it, making it the correct first diagnostic step.

Exam trap

The trap here is that candidates often jump to `fdisk -l` as the first command, but it requires the device to already be recognized and may produce misleading errors if the disk is not detected, whereas `lsblk` directly shows kernel-level recognition without needing a partition table.

How to eliminate wrong answers

Option A is wrong because `fdisk -l /dev/sdb` will fail or show an error if the disk is not detected by the kernel, and it requires the device node to exist; it is not a reliable first check for kernel detection. Option C is wrong because `cat /proc/cpuinfo` displays CPU information, not storage device detection. Option D is wrong because `lsusb` lists USB devices only, and a 500GB SSD is likely connected via SATA or NVMe, not USB.

106
MCQmedium

A service requires read-write access to a specific directory that is mounted from an NFS share. The directory is mounted via fstab with the option 'noauto'. The service starts before the mount is available. Which configuration change should be made in the service unit file to ensure the service only starts after the mount is mounted?

A.Add After=mnt-nfs.mount and Requires=mnt-nfs.mount
B.Add Before=mnt-nfs.mount and Requires=mnt-nfs.mount
C.Add Wants=mnt-nfs.mount and After=mnt-nfs.mount
D.Add After=mnt-nfs.mount and BindsTo=mnt-nfs.mount
AnswerA

This ensures the service starts after the mount and fails if the mount fails.

Why this answer

Option A is correct because the service requires the NFS mount to be available before it starts. The `After=mnt-nfs.mount` directive ensures the service unit is ordered after the mount unit, and `Requires=mnt-nfs.mount` makes the mount a hard dependency: if the mount fails or is not active, the service will not start. This combination is necessary because the mount is defined with `noauto` in fstab, meaning it is not automatically mounted at boot; the mount unit must be explicitly started (e.g., by a dependency or another unit) before the service.

Exam trap

The trap here is that candidates often confuse `Wants` with `Requires` or forget that `After` alone does not activate the mount unit, leading them to choose option C or D, which either provide weak dependencies or incorrect ordering.

How to eliminate wrong answers

Option B is wrong because `Before=mnt-nfs.mount` would order the service to start before the mount, which is the opposite of what is needed. Option C is wrong because `Wants=mnt-nfs.mount` is a weaker dependency (soft dependency) that does not enforce the mount to be active; the service could start even if the mount fails, which does not guarantee read-write access. Option D is wrong because `BindsTo=mnt-nfs.mount` creates a stronger binding where the service stops if the mount stops, but it does not include `Requires` to ensure the mount is started; additionally, `BindsTo` alone does not imply ordering, so the service might start before the mount without `After`.

107
Matchingmedium

Match each Linux command to its function.

Matches

Search text using patterns

Stream editor for text manipulation

Pattern scanning and processing language

Search for files in a directory hierarchy

Build and execute command lines from input

Why these pairings

These are powerful text processing and file search commands.

108
MCQeasy

An administrator wants to change the primary group of user 'jane' from 'staff' to 'developers'. Which command accomplishes this?

A.usermod -g developers jane
B.usermod -G developers jane
C.groupmod -g developers jane
D.chgrp developers jane
AnswerA

Correct: -g sets the primary group.

Why this answer

Option A is correct because usermod -g changes the primary group. Option B adds a secondary group. Option C changes the group name, not user's group.

Option D is a non-existent command.

109
MCQmedium

Based on the exhibit, what is the correct interpretation?

A.The service is inactive
B.The configuration file is corrupt
C.The service is running but the unit file has been modified recently and needs reloading
D.The service is failing
AnswerC

Active (running) and warning indicate unit file change.

Why this answer

The 'daemon-reload' notice in the systemctl status output indicates that the unit file has been modified on disk but systemd has not yet reloaded its configuration. Running 'systemctl daemon-reload' will re-read the unit files and apply the changes, which is why option C is correct.

Exam trap

Linux Foundation often tests the distinction between a service that is running but has a pending configuration reload versus a service that has failed or is inactive, causing candidates to misinterpret the 'daemon-reload' notice as an error.

How to eliminate wrong answers

Option A is wrong because the output shows the service is 'active (running)', not inactive. Option B is wrong because a corrupt configuration file would typically cause a failure to start or a syntax error, not a 'daemon-reload' notice; the unit file is valid but has been changed. Option D is wrong because the service is running successfully with no indication of failure; the 'daemon-reload' notice is a warning about a pending reload, not a failure state.

110
Multi-Selecthard

Which two commands can add an existing user to a supplementary group?

Select 2 answers
A.useradd -G
B.gpasswd -a
C.addgroup
D.groupmod
E.usermod -aG
AnswersB, E

Adds user to a group.

Why this answer

usermod -aG appends a user to a group, gpasswd -a adds a user to a group.

111
Multi-Selectmedium

Which TWO directives are typically used in a systemd service unit file to configure dependencies?

Select 2 answers
A.After
B.Wants
C.Before
D.Alias
E.Requires
AnswersB, E

Creates a weak dependency.

Why this answer

B is correct because the `Wants` directive in a systemd service unit file specifies a weaker dependency: the listed units are started if possible, but the current unit will still activate even if they fail. E is correct because the `Requires` directive creates a stronger dependency: the listed units must be successfully started for the current unit to start; if they fail, the current unit is deactivated. Both are fundamental for defining service dependencies in systemd.

Exam trap

The trap here is that candidates often confuse ordering directives (`After`, `Before`) with dependency directives (`Wants`, `Requires`), mistakenly thinking that specifying an order also implies a dependency, but systemd treats them as separate concepts that must be explicitly combined.

112
MCQhard

A Linux server is unable to resolve the hostname 'app.internal.example.com' but can resolve other names. The /etc/nsswitch.conf file contains: hosts: files mdns4_minimal [NOTFOUND=return] dns. The /etc/hosts file does not list the hostname. Which configuration change would most likely resolve the issue?

A.Change the hosts line to: hosts: dns files mdns4_minimal
B.Configure /etc/resolv.conf to use a different DNS server
C.Remove the mdns4_minimal entry or change it to 'mdns4' without the NOTFOUND=return
D.Add the hostname to the local multicast DNS configuration
AnswerC

Removing the return policy allows fallback to DNS.

Why this answer

The issue is that mdns4_minimal with [NOTFOUND=return] causes the resolver to stop after a failed mDNS query, preventing it from falling back to DNS. Since the hostname is not in /etc/hosts and not reachable via mDNS, the resolver returns 'not found' immediately without querying DNS. Removing the mdns4_minimal entry or changing it to 'mdns4' (without the NOTFOUND=return) allows the resolver to proceed to DNS if mDNS fails.

Exam trap

The trap here is that candidates assume the issue is with DNS configuration or order, but the real problem is the [NOTFOUND=return] action on mdns4_minimal, which prematurely terminates the resolution chain for non-.local hostnames.

How to eliminate wrong answers

Option A is wrong because changing the order to 'dns files mdns4_minimal' would still leave the mdns4_minimal with [NOTFOUND=return] in place, so if mDNS fails, the resolver still returns immediately without consulting DNS. Option B is wrong because the server can resolve other names, indicating that the DNS server in /etc/resolv.conf is working correctly; the problem is specific to the resolution order and fallback behavior, not the DNS server itself. Option D is wrong because adding the hostname to multicast DNS configuration would only help if the hostname is served via mDNS on the local link, but the hostname 'app.internal.example.com' is likely a standard DNS name, not a .local mDNS name, so mDNS would not resolve it anyway.

113
MCQhard

An administrator notices that the system clock is drifting significantly. To synchronize time using NTP, which command should be used to immediately sync with a server?

A.ntpdate -u pool.ntp.org
B.chronyd -q
C.ntpd -g
D.timedatectl set-ntp true
AnswerB

Correct for immediate sync with chrony.

Why this answer

Option B is correct because `chronyd -q` sends a single NTP query to synchronize the system clock immediately and then exits, which is ideal for one-shot synchronization. This command is part of the `chrony` suite, the default NTP implementation on modern RHEL/CentOS 8+ and Ubuntu 18.04+ systems, and it respects the NTP protocol (RFC 5905) for accurate time adjustment.

Exam trap

The trap here is that candidates confuse `chronyd -q` (one-shot sync) with `chronyd` without options (which starts the daemon), or they mistakenly think `ntpdate` is still the standard command for immediate synchronization, ignoring its deprecation and the shift to `chrony` in modern distributions.

How to eliminate wrong answers

Option A is wrong because `ntpdate` is deprecated and often not installed by default on modern distributions; it uses the older NTPv3 protocol and lacks the security and accuracy features of `chrony`. Option C is wrong because `ntpd -g` starts the full NTP daemon in continuous synchronization mode, not a one-shot sync, and the `-g` flag only allows a large initial time jump, but the daemon continues running and does not exit after syncing. Option D is wrong because `timedatectl set-ntp true` enables the NTP service (usually `chronyd` or `ntpd`) to run continuously, but it does not trigger an immediate synchronization; it only activates the service for ongoing adjustments.

114
MCQhard

A process is consuming 99% CPU and is unresponsive to normal shutdown requests. After running 'top', you see the PID is 1234. What is the most appropriate command to stop the process gracefully first?

A.kill -15 1234
B.kill -19 1234
C.kill -2 1234
D.kill -9 1234
AnswerA

SIGTERM is the default and polite way to terminate a process.

Why this answer

The correct answer is A: kill -15 1234. The SIGTERM signal (15) is the standard way to request a process terminate gracefully, allowing it to clean up resources, close files, and perform shutdown routines. This is the most appropriate first step before escalating to stronger signals, as it gives the process a chance to exit normally.

Exam trap

The trap here is that candidates often jump to kill -9 (SIGKILL) as the first solution when a process is unresponsive, but the LFCS exam emphasizes the principle of escalating signals gracefully, starting with SIGTERM.

How to eliminate wrong answers

Option B is wrong because kill -19 sends SIGSTOP, which pauses the process but does not terminate it; the process remains in memory and can be resumed with SIGCONT, so it does not stop the process gracefully. Option C is wrong because kill -2 sends SIGINT, which is typically used to interrupt a foreground process from the terminal (like Ctrl+C) and may not be effective for a background or daemon process that is unresponsive to normal shutdown requests. Option D is wrong because kill -9 sends SIGKILL, which forcefully terminates the process without allowing any cleanup; this should be a last resort after graceful methods fail, not the first attempt.

115
Multi-Selectmedium

A Linux administrator is troubleshooting a service that is running as the 'nobody' user but keeps failing because it cannot write to its log file. The log file is located at /var/log/app.log. Which TWO of the following methods will allow the service to write to the log file while maintaining security best practices?

Select 2 answers
A.Delete /var/log/app.log and restart the service.
B.Add an ACL entry for user nobody with write permission using setfacl.
C.Change the group of /var/log/app.log to nogroup and set group write permission.
D.Change the permissions of /var/log/app.log to 777.
E.Change the owner of /var/log/app.log to nobody using chown.
AnswersB, E

ACLs allow fine-grained permission assignment to a specific user without changing ownership.

Why this answer

Option B is correct because using setfacl to add an ACL entry for the 'nobody' user grants write permission without altering the file's ownership or group, preserving the principle of least privilege. ACLs provide fine-grained access control beyond traditional Unix permissions, allowing the service to write while other users and processes retain their existing access restrictions.

Exam trap

Linux Foundation often tests the distinction between ACL-based solutions and traditional permission changes, trapping candidates who overlook that 'nobody' is not a member of 'nogroup' or that 777 is insecure. Both B and E are correct: E is also valid because changing ownership directly grants the user write access without affecting other permissions.

116
MCQhard

A system administrator needs to find all files in /home that are owned by user 'alice' and have been modified in the last 7 days. The administrator then wants to compress those files into a single archive named alice_recent.tar.gz. Which of the following commands accomplishes this?

A.find /home -user alice -mtime -7 -exec tar -rf alice_recent.tar.gz {} +
B.find /home -user alice -mtime -7 -print | cpio -o > alice_recent.tar.gz
C.tar -czf alice_recent.tar.gz -T <(find /home -user alice -mtime -7)
D.find /home -user alice -mtime -7 | tar -cvf alice_recent.tar.gz
AnswerA

Correctly appends found files to a tar archive (creates if not exists). Then compress: gzip alice_recent.tar.

Why this answer

Option A is correct because it uses `find` with `-user alice` and `-mtime -7` to locate files owned by alice modified within the last 7 days, then executes `tar -rf` with `{} +` to append those files to an archive. The `-r` flag appends files to an existing archive (or creates one if it doesn't exist), and `{} +` efficiently passes multiple filenames to a single `tar` invocation, avoiding command-line length limits.

Exam trap

The trap here is that candidates often assume `tar` can read filenames from stdin via pipe without the `-T` option, or they confuse `cpio` with `tar` formats, leading them to choose options that produce incorrect archive types or fail to include the files.

How to eliminate wrong answers

Option B is wrong because `cpio -o` creates a cpio archive, not a gzip-compressed tar archive; the output would be a cpio file named `.tar.gz`, which is misleading and not a valid tar.gz. Option C is wrong because process substitution `<(...)` is a bash feature that may not be available in all POSIX shells (e.g., `sh`), and the command would fail in a standard LFCS exam environment; also, `tar -czf` with `-T` expects a file, not a process substitution, and although it works in bash, it is not portable. Option D is wrong because piping `find` output to `tar -cvf` does not pass filenames as arguments; `tar` expects filenames from stdin only with the `-T` option, so this command would either ignore stdin or produce an empty archive.

117
MCQeasy

To display the first 10 lines of a file named 'log.txt', which command is correct?

A.less log.txt
B.tail log.txt
C.head log.txt
D.cat log.txt
AnswerC

Outputs the first 10 lines by default.

Why this answer

The `head` command is designed to display the first 10 lines of a file by default. Running `head log.txt` outputs the first 10 lines of the file without any additional options, making it the correct choice for this task.

Exam trap

The trap here is that candidates often confuse `head` with `tail` or assume `less` or `cat` are appropriate for displaying only the first few lines, when in fact `head` is the specific command for that purpose.

How to eliminate wrong answers

Option A is wrong because `less` is a pager that displays the file interactively, allowing scrolling both forward and backward, but it does not default to showing only the first 10 lines; it shows the beginning of the file and waits for user input. Option B is wrong because `tail` displays the last 10 lines of a file by default, not the first 10 lines. Option D is wrong because `cat` outputs the entire contents of the file to the terminal, not just the first 10 lines.

118
Multi-Selectmedium

A server with two network interfaces needs to forward IP packets between them. Which two steps are required to enable IP forwarding? (Choose two.)

Select 2 answers
A.Run systemctl restart network
B.Run sysctl -p
C.Set net.ipv4.ip_forward=1 in /etc/sysctl.conf
D.Add a route to the second interface
E.Set net.ipv4.conf.all.forwarding=1
AnswersB, C

This applies the sysctl settings from /etc/sysctl.conf.

Why this answer

Option B is correct because `sysctl -p` reloads kernel parameters from `/etc/sysctl.conf`, making the `net.ipv4.ip_forward=1` setting active without a reboot. Option C is correct because setting `net.ipv4.ip_forward=1` in `/etc/sysctl.conf` enables IP forwarding persistently across reboots. Together, these two steps ensure the kernel forwards IP packets between network interfaces.

Exam trap

The trap here is that candidates often confuse enabling IP forwarding with adding routes or restarting network services, but the core requirement is a kernel parameter change, not a routing table or service restart.

119
MCQeasy

A system administrator wants to view the last 10 lines of the system log file '/var/log/syslog' and continue to watch for new lines as they are appended. Which command should be used?

A.tail -n 10 /var/log/syslog
B.less /var/log/syslog
C.tail -n 10 -f /var/log/syslog
D.head -n 10 /var/log/syslog
AnswerC

Shows last 10 lines and follows new entries.

Why this answer

Option C is correct because the `tail -n 10 -f /var/log/syslog` command first displays the last 10 lines of the file and then uses the `-f` (follow) flag to continuously monitor the file for new appended lines, outputting them in real time. This matches the requirement to both view the last 10 lines and watch for new entries.

Exam trap

The trap here is that candidates often confuse `tail -n 10` (static view) with `tail -f` (follow mode), or mistakenly think `less` with its Shift+F feature is the default answer, but the question explicitly requires a single command that both shows the last 10 lines and continuously watches for new lines.

How to eliminate wrong answers

Option A is wrong because `tail -n 10 /var/log/syslog` only shows the last 10 lines and then exits, without continuing to watch for new lines. Option B is wrong because `less /var/log/syslog` opens the file for interactive paging but does not automatically show only the last 10 lines or follow new appends without manual intervention (e.g., pressing Shift+F). Option D is wrong because `head -n 10 /var/log/syslog` shows the first 10 lines of the file, not the last 10, and does not follow new lines.

120
MCQhard

A production web server is experiencing intermittent high load. The administrator suspects that a specific Apache module is causing memory leaks. Which approach is most effective for isolating the issue without restarting the server?

A.Check the Apache error log for memory-related errors.
B.Disable all modules in httpd.conf and reload the configuration.
C.Use top to monitor the memory usage of httpd processes over time.
D.Use strace -p <PID> on the Apache process and analyze system calls for memory allocation patterns.
AnswerD

Strace can trace memory allocation syscalls like malloc, mmap.

Why this answer

D is correct because strace attaches to a running Apache process and traces its system calls, including memory-related calls like mmap, brk, and malloc. By analyzing these calls over time, the administrator can identify abnormal memory allocation patterns indicative of a leak in a specific module, all without restarting the server.

Exam trap

The trap here is that candidates assume top or error logs can diagnose memory leaks, but they lack the per-process system call visibility needed to isolate a module-level issue without restarting.

How to eliminate wrong answers

Option A is wrong because Apache error logs typically record runtime errors (e.g., segfaults, configuration issues) but do not capture granular memory allocation patterns or module-level memory leaks. Option B is wrong because disabling all modules and reloading the configuration would restart the server's child processes, disrupting service and preventing observation of the leak under real load. Option C is wrong because top shows aggregate memory usage of httpd processes but cannot attribute memory growth to a specific module or distinguish between normal allocation and a leak.

121
MCQmedium

Given the routing table output in the exhibit, what will happen when the system tries to send a packet to 10.1.1.1?

A.The packet is sent via eth1.
B.The packet is sent to 192.168.1.1 via eth0.
C.The packet is sent via default route.
D.The packet is dropped because there is no subnet matching 10.1.1.1.
AnswerB

The 10.0.0.0/8 route matches and points to that gateway.

Why this answer

The routing table shows a specific route for the 10.0.0.0/8 network via gateway 192.168.1.1 on eth0. Since 10.1.1.1 falls within this subnet, the packet is forwarded to 192.168.1.1 via eth0, not through the default route or any other interface.

Exam trap

The trap here is that candidates often assume a destination like 10.1.1.1 has no matching route and default to the default gateway, overlooking the presence of a classful /8 route that explicitly covers it.

How to eliminate wrong answers

Option A is wrong because eth1 is associated with the 192.168.2.0/24 network, which does not include 10.1.1.1. Option C is wrong because the default route is only used when no more specific route matches the destination; here, the 10.0.0.0/8 route is a more specific match. Option D is wrong because the routing table explicitly contains a route for 10.0.0.0/8, which covers 10.1.1.1, so the packet is not dropped.

122
Drag & Dropmedium

Order the steps to set up passwordless SSH key-based authentication.


Why this order

Key generation, copying, and testing are essential; permissions and file verification ensure security.

123
MCQhard

A system administrator manages a database server service (database.service) that experiences periodic CPU spikes, causing excessive load on the server. The administrator wants to limit the service's CPU usage to 25% of a single CPU core. The service is running on a system with cgroup v2. Which directive should be added to the [Service] section of the unit file to achieve this?

A.CPUAccounting=true
B.CPUQuota=25%
C.CPUWeight=100
D.CPUShares=256
AnswerB

Sets a hard limit on CPU usage.

Why this answer

Option B is correct because in cgroup v2, the `CPUQuota=` directive in a systemd unit file directly limits the CPU time a service can use, expressed as a percentage of a single CPU core. Setting `CPUQuota=25%` restricts the service to using at most 25% of one core, which matches the administrator's requirement to cap CPU usage at 25% of a single core.

Exam trap

The trap here is that candidates often confuse `CPUQuota=` (a hard limit) with `CPUWeight=` or `CPUShares=` (relative priority settings), mistakenly thinking a weight or share value can enforce a specific percentage cap on CPU usage.

How to eliminate wrong answers

Option A is wrong because `CPUAccounting=true` enables CPU usage accounting and statistics for the service, but it does not impose any limit on CPU usage; it only tracks and reports usage. Option C is wrong because `CPUWeight=100` sets the relative scheduling priority (weight) for the service in cgroup v2, which influences how CPU time is distributed among competing services but does not enforce a hard cap on CPU usage. Option D is wrong because `CPUShares=` is a cgroup v1 directive that provides relative CPU weight, not a hard limit; in cgroup v2, it is replaced by `CPUWeight=`, and neither option can enforce a specific percentage cap like 25%.

124
Multi-Selecteasy

Which TWO commands can be used to display the current routing table on a Linux system?

Select 2 answers
A.ss -r
B.route -n
C.ip route show
D.netstat -r
E.ifconfig
AnswersB, C

route -n displays the routing table.

Why this answer

The `route -n` command displays the kernel IP routing table with numeric addresses, avoiding DNS resolution for faster output. The `ip route show` command is part of the modern `iproute2` suite and shows the same routing table with more detail and flexibility. Both are standard tools for viewing the current routing table on Linux.

Exam trap

The trap here is that `netstat -r` is a valid command for displaying the routing table, but it is deprecated and not considered a primary tool in the LFCS exam, which emphasizes the modern `ip` command over legacy tools.

125
MCQmedium

A process is stuck in an uninterruptible sleep (D state) and cannot be killed. What is the most likely cause?

A.The process has been stopped by a signal
B.The process is waiting for a network response
C.The process is waiting for I/O from a failing disk
D.The process is waiting for CPU
AnswerC

D state is uninterruptible sleep, usually due to I/O.

Why this answer

Option C is correct because a process in uninterruptible sleep (D state) is typically waiting for I/O from a block device, such as a disk. When a disk is failing or unresponsive, the kernel cannot complete the I/O request, and the process cannot be killed because doing so would risk data corruption or filesystem inconsistency. This state is a kernel-level wait that ignores signals, including SIGKILL.

Exam trap

Linux Foundation often tests the misconception that any 'stuck' process is due to network issues, but the D state specifically indicates block I/O, not network I/O, which uses interruptible sleep (S state).

How to eliminate wrong answers

Option A is wrong because a process stopped by a signal enters a T state (stopped), not D state; such processes can be resumed or killed. Option B is wrong because waiting for a network response typically results in interruptible sleep (S state), as network I/O can be interrupted by signals; D state is reserved for block I/O operations. Option D is wrong because waiting for CPU is represented by the R state (runnable) or S state (sleeping while waiting for CPU), not D state.

126
MCQmedium

A system administrator wants to display a list of all currently running processes with their parent process IDs. Which command is most appropriate?

A.pstree
B.jobs
C.top
D.ps -ef
AnswerD

Shows all processes with parent PID in the PPID column.

Why this answer

Option D (ps -ef) is correct because the 'ps' command with the '-e' flag displays all processes, and the '-f' flag provides a full-format listing that includes the PPID (parent process ID) in the output. This directly meets the requirement to list all currently running processes with their parent process IDs.

Exam trap

The trap here is that candidates may confuse 'pstree' (which shows parent-child relationships visually) with 'ps -ef' (which lists numeric PPIDs), or assume 'top' is suitable for a static list, when the question specifically asks for a list with parent process IDs, not a tree or dynamic view.

How to eliminate wrong answers

Option A is wrong because pstree displays processes in a tree hierarchy showing parent-child relationships, but it does not show the numeric parent process ID (PPID) in its default output; it focuses on the tree structure rather than a list with PPIDs. Option B is wrong because the 'jobs' command lists only background jobs associated with the current shell session, not all running processes on the system. Option C is wrong because 'top' provides a dynamic, real-time view of running processes and can display PPID if configured, but it is not a static list command and does not output a simple list of all processes with their PPIDs by default.

127
MCQhard

A server has multiple IP aliases on eth0. Remote hosts cannot reach the secondary IP addresses. What should the administrator check?

A.The server's routing table includes routes for the secondary IPs' subnets.
B.The ARP flux settings are configured correctly.
C.The interface is set to NOARP.
D.The secondary IPs are in the same subnet as the primary.
AnswerB

Incorrect arp_ignore/arp_announce can cause secondary IPs to be unreachable.

Why this answer

When multiple IP aliases are configured on a single Ethernet interface, the kernel may respond to ARP requests inconsistently, a behavior known as ARP flux. This causes remote hosts to receive conflicting MAC addresses for the secondary IPs, preventing connectivity. Correctly configuring ARP flux settings (e.g., using `arp_ignore=1` and `arp_announce=2` via sysctl) ensures the kernel responds only from the appropriate IP and advertises the correct MAC.

Exam trap

The trap here is that candidates assume secondary IPs must be in the same subnet as the primary (Option D) or that routing entries are needed (Option A), when the actual cause is the kernel's default ARP behavior, which is controlled by sysctl settings.

How to eliminate wrong answers

Option A is wrong because the routing table does not need routes for the secondary IPs' subnets; the secondary IPs are local to the interface, and the kernel handles them via local routing automatically. Option C is wrong because setting the interface to NOARP would disable ARP entirely, preventing any IP communication on that interface, not just secondary IPs. Option D is wrong because secondary IPs can be in a different subnet from the primary; the issue is ARP flux, not subnet matching.

128
MCQhard

A user reports that they cannot execute a file even though they are in the file's group. The file has permissions 644 and group ownership 'staff'. The user is a member of 'staff'. What is the likely issue?

A.The file lacks execute permission for the group
B.The file does not have the setgid bit
C.The user's primary group is not 'staff'
D.The user is not the owner of the file
AnswerA

644 gives read/write to owner, read to group, no execute. Group needs execute to run.

Why this answer

The file permissions 644 (rw-r--r--) do not include execute for group, so the user cannot execute it.

129
MCQhard

A server uses firewalld. Which command permanently allows HTTP traffic?

A.firewall-cmd --add-service=http
B.firewall-cmd --add-service=http --permanent
C.firewall-cmd --add-port=80/tcp
D.systemctl reload firewalld
AnswerB

Adds the http service permanently to the default zone.

Why this answer

Option B is correct because the `--permanent` flag is required to make the rule persist across reboots when using `firewall-cmd`. Without it, the rule is only added to the runtime configuration and will be lost after a firewall reload or system restart. The `--add-service=http` parameter uses the predefined service definition for HTTP (port 80/tcp), which is the proper way to allow HTTP traffic in firewalld.

Exam trap

The trap here is that candidates often assume `firewall-cmd --add-service=http` alone is sufficient, forgetting that without `--permanent`, the rule is ephemeral and will be lost on reload or reboot.

How to eliminate wrong answers

Option A is wrong because it omits the `--permanent` flag, so the rule is applied only to the runtime configuration and will not survive a firewall reload or reboot. Option C is wrong because `--add-port=80/tcp` adds a direct port rule rather than using the predefined HTTP service; while it may work functionally, it bypasses firewalld's service abstraction and is not the standard method for allowing HTTP traffic. Option D is wrong because `systemctl reload firewalld` reloads the firewall configuration but does not add any rule; it would only apply permanent rules that were already added, not create a new rule.

130
MCQhard

A system has a process stuck in uninterruptible sleep (D state). The administrator wants to identify which kernel function it is waiting on. Which tool should be used?

A.cat /proc/PID/stack
B.gdb -p PID
C.perf top -p PID
D.strace -p PID
AnswerA

Shows kernel stack trace of the blocked process.

Why this answer

Option A is correct because reading /proc/PID/stack directly shows the kernel stack trace of the process, revealing the exact kernel function or wait queue the process is blocked on while in uninterruptible sleep (D state). This is the only tool listed that can inspect the kernel-side call stack without attaching a debugger or altering process state.

Exam trap

The trap here is that candidates often confuse strace (user-space syscall tracing) with kernel stack inspection, assuming strace can show kernel internals, but strace only traces syscall entry/exit and cannot reveal the internal kernel function where the process is blocked.

How to eliminate wrong answers

Option B (gdb -p PID) is wrong because gdb attaches to a user-space process and inspects user-space memory and registers; it cannot access the kernel stack or show which kernel function caused the D state. Option C (perf top -p PID) is wrong because perf top samples performance counters and shows hot functions in user and kernel space, but it does not display the current blocked stack trace for a process in D state. Option D (strace -p PID) is wrong because strace traces system calls, but a process in uninterruptible sleep is already inside a kernel function and not making new system calls; strace will hang or show no output.

131
MCQhard

A server on a corporate network is intermittently losing connectivity. The administrator runs 'tcpdump -i eth0 icmp' and sees 'ICMP time exceeded in-transit' messages from a router. What is the most likely cause?

A.There is a mismatch in MTU size.
B.The destination host is down.
C.A firewall is blocking the packets.
D.There is a routing loop or the TTL is too low.
AnswerD

'Time exceeded' indicates TTL expired, common in loops.

Why this answer

The 'ICMP time exceeded in-transit' message indicates that a packet's TTL (Time to Live) has reached zero before reaching its destination. This is most commonly caused by a routing loop, where packets circulate endlessly between routers, or by an initial TTL value that is too low for the number of hops required. The router that decrements the TTL to zero sends this ICMP Type 11 Code 0 message back to the source, as defined in RFC 792.

Exam trap

Linux Foundation often tests the distinction between ICMP error types, and the trap here is that candidates confuse 'time exceeded' with 'destination unreachable' or assume any connectivity loss is due to a firewall or MTU issue, rather than recognizing the specific TTL exhaustion symptom.

How to eliminate wrong answers

Option A is wrong because an MTU mismatch typically triggers 'ICMP fragmentation needed' (Type 3 Code 4) messages, not 'time exceeded'. Option B is wrong because if the destination host is down, the last-hop router would send 'ICMP destination unreachable' (Type 3 Code 1) or the host itself would be silent, not a 'time exceeded' from an intermediate router. Option C is wrong because a firewall blocking packets would either drop them silently or send 'ICMP administratively prohibited' (Type 3 Code 13), not a 'time exceeded' message.

132
MCQhard

To ensure a service starts only after /var/lib/mysql is mounted, which directive should be used in the unit file?

A.Requires=/var/lib/mysql
B.BindsTo=var-lib.mount
C.Before=var-lib.mount
D.After=var-lib.mount
AnswerD

After ensures the service starts after the mount unit.

Why this answer

Option D is correct because the `After=` directive in a systemd unit file specifies that the current unit should start only after the listed units have been activated. By setting `After=var-lib.mount`, the service will wait until the mount unit for `/var/lib/mysql` is fully mounted before starting, ensuring the required filesystem is available.

Exam trap

The trap here is that candidates confuse `After=` with `Requires=` or `BindsTo=`, thinking that dependency directives alone enforce startup order, but systemd separates ordering from dependency requirements.

How to eliminate wrong answers

Option A is wrong because `Requires=` declares a hard dependency, meaning the required unit must be active for the current unit to start, but it does not enforce ordering; the service could start simultaneously or before the mount, leading to failure. Option B is wrong because `BindsTo=` creates a stronger dependency where the bound unit's failure stops the current unit, but it does not guarantee ordering unless combined with `After=`; the syntax `var-lib.mount` is correct for a mount unit, but the directive alone does not ensure the mount happens first. Option C is wrong because `Before=` specifies that the current unit should start before the listed unit, which would cause the service to start before the mount, defeating the purpose of waiting for the filesystem.

133
MCQmedium

A large company needs to create 100 user accounts from a list of names in a CSV file. Which tool is most efficient for batch user creation?

A.vipw
B.for loop with useradd
C.newusers
D.pwconv
AnswerC

Designed for batch user creation from a formatted file.

Why this answer

The newusers command reads a file with a specific format (username:password:UID:GID:...) and creates multiple users at once.

134
MCQeasy

A junior administrator issued the command 'usermod -L alice' to lock the account of user alice. However, alice is still able to log in via SSH using a public key. What is the most likely reason?

A.The usermod -L command only locks the password but does not prevent SSH key-based authentication.
B.The usermod -L command only changes the user's shell to /sbin/nologin.
C.The usermod -L command requires a restart of the SSH service to take effect.
D.The usermod -L command is not effective on accounts with a UID less than 1000.
AnswerA

Correct as described.

Why this answer

Option A is correct because usermod -L locks the password by adding a '!' to the password hash, but SSH key authentication bypasses password verification. Option B is wrong because usermod changes take effect immediately; SSH restart is not required for account locking. Option C is wrong because changing shell is not part of -L.

Option D is wrong because UID doesn't affect locking.

135
MCQhard

Given the routing table, if the server sends a packet to destination 10.0.1.200, which interface will be used and what is the next hop?

A.eth1 via 10.0.1.1
B.eth1 directly to 10.0.1.200
C.eth0 with next hop 10.0.0.1
D.eth0 with next hop 10.0.1.200
AnswerB

Directly connected route, no gateway needed.

Why this answer

The destination 10.0.1.200 falls within the directly connected network 10.0.1.0/24 on eth1. According to the routing table, this route has a /24 netmask and is marked as directly connected, meaning no next-hop router is needed. The server will ARP for 10.0.1.200 and send the packet directly to that host via eth1.

Exam trap

The trap here is that candidates often assume all traffic must go through a gateway (next hop), forgetting that directly connected routes allow direct delivery without a router, leading them to pick Option A or C.

How to eliminate wrong answers

Option A is wrong because it incorrectly specifies a next-hop gateway (10.0.1.1) for a directly connected network; when the destination is on the same subnet, the packet is sent directly, not via a router. Option C is wrong because eth0 is associated with the 10.0.0.0/24 network, and 10.0.1.200 is not within that subnet; the routing table would not use eth0 for this destination. Option D is wrong because eth0 is not the correct interface for the 10.0.1.0/24 network, and even if it were, a directly connected route does not use a next-hop IP; the packet would be sent directly to the destination MAC.

136
Multi-Selecteasy

Which TWO commands can be used to check the status of a service?

Select 2 answers
A.systemd-analyze
B.service status
C.start stop restart
D.systemctl status
E.initctl status
AnswersB, D

Legacy command, still works with systemd via compatibility.

Why this answer

The `service` command is a legacy SysV init wrapper that can query the status of a service by calling the appropriate init script with the `status` argument. It remains available on many Linux distributions for backward compatibility, making it a valid tool to check service status.

Exam trap

The trap here is that candidates may think `systemd-analyze` checks service status because of its name, but it is strictly a boot analysis tool, not a status checker.

137
MCQeasy

A system administrator notices that the disk space on the root filesystem is at 95% usage. After investigating, they find that a large log file named 'access.log' in /var/log is taking up significant space. The administrator deletes the file using 'rm /var/log/access.log' but the disk usage remains at 95%. Running 'df -h' still shows the same usage. What is the most likely cause and the correct next step?

A.The file is compressed and needs to be decompressed. Use 'gzip -d access.log' first.
B.The filesystem is marked as full in the superblock. Use 'fsck' to repair the filesystem.
C.The file is still open by a process. Use 'lsof | grep access.log' to identify the process and restart it.
D.The file has multiple hard links. Use 'find / -links +1' to locate all hard links and delete them.
AnswerC

Deleted open files still consume space; finding and restarting the process releases the space.

Why this answer

When a file is deleted with 'rm' while it is still open by a running process, the file's directory entry is removed, but the inode and data blocks remain allocated until the process closes the file descriptor. This causes 'df' to still report the space as used. The correct next step is to use 'lsof' to find the process holding the file open and restart it, which releases the file descriptor and frees the disk space.

Exam trap

The trap here is that candidates assume 'rm' immediately frees disk space, but they overlook that open file descriptors by running processes (e.g., syslog, Apache) keep the data blocks allocated until the process is restarted or the descriptor is closed.

How to eliminate wrong answers

Option A is wrong because the file was already deleted, not compressed; 'gzip -d' would fail on a removed file and does not address the open file handle issue. Option B is wrong because the filesystem is not marked as full in the superblock; 'fsck' repairs filesystem metadata corruption, not space accounting for open deleted files. Option D is wrong because hard links would cause the file to still exist under another name, since 'rm' removes only one link, and 'df' would show freed space only after all links are removed; the question states the file was deleted and space remains, which points to an open file descriptor, not multiple hard links.

138
MCQhard

A company runs a critical web application on a Linux server. The application is managed by a systemd service called 'myapp.service'. Recently, after a scheduled maintenance reboot, the service failed to start automatically. The administrator manually started it with 'systemctl start myapp' and it ran fine. The unit file is located at /etc/systemd/system/myapp.service and contains: [Unit] Description=MyApp After=network.target [Service] ExecStart=/usr/local/bin/myapp Restart=on-failure [Install] WantedBy=multi-user.target. The administrator wants to ensure the service starts automatically after future reboots. However, after running 'systemctl enable myapp', the service still didn't start after the next reboot. What is the most likely cause?

A.The 'systemctl enable' command only creates symlinks; a separate 'systemctl start' must be run after enable.
B.The service depends on a target that is not reached before the service starts, and 'Restart=on-failure' does not retry the start if the condition is not met.
C.The 'systemctl enable' command was not run as root.
D.The unit file has a syntax error that prevents systemd from parsing it.
AnswerB

With After=network.target, the service may start before network is fully ready; on-failure only restarts if the service exits with non-zero, but if the start fails due to a condition (e.g., network not ready), the service may not be restarted. Using 'Restart=always' or 'RestartSec' can help.

Why this answer

Option B is correct because the 'After=network.target' directive only specifies ordering, not a requirement. If the network target is not fully reached before the service starts, systemd will attempt to start the service once and, if it fails, 'Restart=on-failure' will restart it only if the start was successful but the process later exits with a failure. It does not retry the initial start if a dependency condition is not met.

The service must have 'Requires=network.target' or 'Wants=network.target' to ensure the target is active before the service starts.

Exam trap

The trap here is that candidates confuse 'After=' with a dependency directive, assuming ordering implies requirement, and overlook that 'Restart=on-failure' only applies to runtime failures, not initial start failures due to unmet conditions.

How to eliminate wrong answers

Option A is wrong because 'systemctl enable' creates symlinks to enable automatic start at boot, but the issue is that the service did not start after reboot despite being enabled; the administrator already ran 'systemctl enable', so the symlinks exist. Option C is wrong because 'systemctl enable' typically requires root privileges, but if it were not run as root, the command would have failed with a permission error, and the administrator would have noticed; the question states the command was run, implying it succeeded. Option D is wrong because if the unit file had a syntax error, 'systemctl enable' would have reported an error, and the service would not have been enabled; the administrator ran 'systemctl enable' without issue, and the service started manually, indicating the unit file is syntactically correct.

139
MCQhard

A company wants to ensure that a web server (IP 192.168.1.10) is accessible from the internet via port 443, but all other inbound traffic should be blocked. The server also needs to communicate with an internal database (IP 10.0.0.50) on port 3306. The default firewall zone is 'public'. Which iptables rules should be applied to the server?

A.iptables -A INPUT -p tcp --dport 443 -j ACCEPT; iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -P INPUT DROP
B.iptables -A INPUT -p tcp --dport 443 -j ACCEPT; iptables -P INPUT ACCEPT
C.iptables -A INPUT -p tcp --dport 443 -j ACCEPT; iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -P INPUT DROP; iptables -P OUTPUT ACCEPT
D.iptables -A INPUT -p tcp --dport 443 -j ACCEPT; iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -P INPUT DROP; iptables -P OUTPUT DROP
AnswerC

This allows incoming HTTPS, blocks other inbound, and allows all outbound.

Why this answer

Option C is correct because it explicitly allows inbound HTTPS traffic on port 443, permits return traffic for established/related connections (which is essential for the server to communicate with the internal database on port 3306), and sets a default DROP policy on the INPUT chain to block all other inbound traffic. The OUTPUT chain is left with a default ACCEPT policy, allowing the server to initiate outbound connections to the database without additional rules.

Exam trap

The trap here is that candidates often forget to set a default DROP policy on the INPUT chain or mistakenly set a default DROP on the OUTPUT chain, thinking it enhances security, but this breaks outbound connectivity required for the server to communicate with the internal database.

How to eliminate wrong answers

Option A is wrong because it does not set a default policy on the INPUT chain; the default policy remains ACCEPT (unless explicitly changed), which would allow all inbound traffic, contradicting the requirement to block all other inbound traffic. Option B is wrong because it sets the INPUT chain default policy to ACCEPT, which permits all inbound traffic, and it lacks the ESTABLISHED,RELATED rule, which would break return traffic for the database connection. Option D is wrong because it sets the OUTPUT chain default policy to DROP, which would block the server from initiating outbound connections to the internal database on port 3306, violating the requirement that the server needs to communicate with the database.

140
MCQeasy

Refer to the exhibit. What is the primary group ID of user 'charlie'?

A.1000
B.Charlie Brown
C.1005 (the same as UID)
D.1005
AnswerC

The fourth field is GID, which equals UID in this case.

Why this answer

Option B is correct. In /etc/passwd, the fourth field (after the second colon) is the primary group GID. Here it is 1005.

Option A is the UID (third field). Option C is the GECOS field (fifth field). Option D is not directly listed.

141
Multi-Selecthard

Which THREE are valid reasons to use a swap file instead of a swap partition? (Choose three.)

Select 3 answers
A.Can be placed on a filesystem that supports sparse files.
B.Required for hibernation (suspend-to-disk).
C.Easier to manage in virtualized environments.
D.Faster performance than swap partition.
E.Easier to resize without repartitioning.
AnswersA, C, E

Sparse files save space until used.

Why this answer

Option A is correct because swap files can be placed on filesystems that support sparse files (e.g., ext4, XFS). A sparse file allocates disk blocks only when data is written, allowing a large swap file to be created without consuming the full physical disk space immediately. This is useful for systems where disk space is at a premium or where swap size needs to be overcommitted.

Exam trap

The trap here is that candidates often assume swap files are always slower than swap partitions, but the question asks for valid reasons to use a swap file, and performance is not one of them; the key is recognizing that swap files offer flexibility (sparse files, resizing, virtualization) at the cost of a slight performance penalty.

142
MCQhard

A sysadmin set up a shared directory /data/project with group ownership project and permissions 2775 (rwxrwsr-x). Users in the project group can create files, but when they try to edit files created by other group members, they get permission denied. Which is the most likely cause?

A.The directory is owned by root, so files inherit owner root, not the user's primary group.
B.The umask of users is set to 027, which prevents group write on new files.
C.The sticky bit interferes with group editing.
D.The SGID bit is not set; the directory must be chmod g+s to enforce group ownership inheritance.
AnswerB

A umask of 027 results in files with 640 permissions, no group write.

Why this answer

Option A is correct because a umask of 027 would result in new files having permissions 640 (rw-r-----), lacking group write. Option B is wrong because 2775 includes the SGID bit. Option C is wrong because SGID still works with root ownership.

Option D is wrong because the sticky bit affects deletion, not editing.

143
MCQhard

A system administrator cannot restart a service because another unit 'stop' the request. The status message says 'Unit test.service is not running, but has pending stop job'. What is the most likely cause?

A.The service unit file has RefuseManualStop=yes
B.The service has a dependency that is stopping
C.A previous stop command is still being processed
D.The service is masked
AnswerC

A pending stop job means the stop is in progress; this can happen if the service is taking too long to stop.

Why this answer

The message 'Unit test.service is not running, but has pending stop job' indicates that systemd has queued a stop operation for the service, but the stop job has not yet completed. This typically happens when a previous 'systemctl stop' command was issued but the service's stop process (e.g., ExecStop script) is still running or hanging. Until that job finishes, any attempt to restart the service will be blocked because systemd serializes jobs for the same unit.

Exam trap

The trap here is that candidates confuse 'pending stop job' with a configuration error like masking or manual-stop refusal, when in fact it is a transient state caused by an incomplete stop operation.

How to eliminate wrong answers

Option A is wrong because RefuseManualStop=yes prevents manual stop commands entirely, but the status shows a stop job is pending, meaning a stop was initiated; RefuseManualStop would have rejected the stop request outright, not left it pending. Option B is wrong because a dependency stopping would affect the dependent unit's state, but the error message specifically refers to a pending stop job on test.service itself, not on a dependency. Option D is wrong because a masked service cannot be started or stopped at all; its unit file is symlinked to /dev/null, and attempting to stop it would fail immediately with a different error, not a pending stop job.

144
MCQhard

An administrator wants to ensure that a background process continues running after logout. Which command should be used to start the process?

A.nohup sleep 100 &
B.runproc sleep 100 &
C.sleep 100 &
D.sleep 100 & disown
AnswerA

nohup ignores SIGHUP, so process continues after logout.

Why this answer

The correct answer is A because `nohup` allows a process to ignore the SIGHUP signal that is sent to background processes when the parent shell exits, ensuring it continues running after logout. The `&` places the command in the background, and `nohup` redirects output to `nohup.out` by default, making it the standard way to run a process immune to hangups.

Exam trap

The trap here is that candidates often think `&` alone or `disown` alone is sufficient to keep a process running after logout, but without `nohup`, the process will still receive SIGHUP and terminate when the shell exits.

How to eliminate wrong answers

Option B is wrong because `runproc` is not a standard Linux command; it does not exist in the LFCS exam context and would not provide any hangup immunity. Option C is wrong because `sleep 100 &` runs the process in the background but does not protect it from SIGHUP; when the shell exits, the background job will receive SIGHUP and terminate. Option D is wrong because `disown` removes a job from the shell's job table but does not prevent SIGHUP from being sent to the process; the process will still receive SIGHUP and terminate upon shell logout unless it was started with `nohup` or has otherwise set itself to ignore SIGHUP.

145
Multi-Select · medium

A system administrator needs to monitor real-time network traffic on a specific interface (eth0). Which TWO tools can be used for packet-level analysis?

Select 2 answers
A. tshark -i eth0
B. tcpdump -i eth0
C. iftop
D. wireshark
E. netstat -i
Answers: A, B

CLI version of Wireshark for packet capture.

Why this answer

A is correct because tshark is the command-line version of Wireshark, capable of capturing and analyzing packets in real time on a specific interface using the -i flag. It provides detailed packet-level inspection, including protocol dissection, which is essential for network traffic analysis.

Exam trap

The trap here is that candidates may confuse tools that show network statistics (like iftop or netstat) with those that perform actual packet-level capture and analysis, or assume that Wireshark is suitable for command-line-only environments without considering its GUI dependency.

146
Drag & Drop · medium

Order the steps to set up an LVM logical volume from a new disk.

Why this order

LVM requires creating PV, then VG, then LV, then formatting and mounting.

147
MCQ · medium

You are troubleshooting a Linux server that acts as a router between two networks: 10.0.1.0/24 (eth0) and 10.0.2.0/24 (eth1). IP forwarding is enabled. Hosts on 10.0.1.0/24 can ping the server's eth0 IP (10.0.1.1), but cannot ping hosts on 10.0.2.0/24 (e.g., 10.0.2.10). The server can ping both 10.0.2.10 and 10.0.1.10. The iptables FORWARD chain policy is ACCEPT. What is the most likely cause?

A. The hosts on 10.0.1.0/24 do not have a route to 10.0.2.0/24
B. The server cannot reach 10.0.2.10
C. IP forwarding is not enabled
D. The iptables FORWARD chain has a DROP policy
Answer: A

If hosts don't know where 10.0.2.0/24 is, they send packets to their default gateway, which may not be this server.

Why this answer

The server can ping both networks, confirming IP forwarding is enabled and iptables FORWARD chain policy is ACCEPT. Hosts on 10.0.1.0/24 can ping the server's eth0 IP but not hosts on 10.0.2.0/24, which indicates the hosts lack a route to the 10.0.2.0/24 network. Without a route, packets from 10.0.1.0/24 destined for 10.0.2.0/24 are dropped at the source host because the kernel has no next-hop information for that destination.

Exam trap

The trap here is that candidates often assume the router's IP forwarding or firewall is the problem when the server itself can reach both networks, overlooking the requirement for client-side routing configuration.

How to eliminate wrong answers

Option B is wrong because the server can ping 10.0.2.10, proving reachability from the server to that host. Option C is wrong because IP forwarding is confirmed enabled by the server's ability to ping both networks, and the question states it is enabled. Option D is wrong because the iptables FORWARD chain policy is explicitly stated as ACCEPT, so packets are not being dropped by the firewall.

148
Multi-Select · medium

Which TWO utilities can be used to configure network bridges on Linux?

Select 2 answers
A. route
B. ip
C. nmcli
D. brctl
E. ifconfig
Answers: B, D

The ip command can manage bridges using 'ip link set master' and 'ip link add type bridge'.

Why this answer

The `ip` command (from the iproute2 suite) is the modern, recommended tool for configuring network bridges on Linux. It can create, delete, and manage bridge devices (e.g., `ip link add name br0 type bridge`) and enslave interfaces to them, replacing the older `brctl` utility. `brctl` is also correct as it was the traditional tool from the bridge-utils package, still widely used for bridge management.

Exam trap

The trap here is that candidates often confuse `route` (Layer 3 routing) with bridge configuration (Layer 2 switching), or assume `ifconfig` is still a valid tool for all interface management tasks, including bridges.

149
MCQ · easy

An administrator wants to extend a logical volume named 'lv_data' in volume group 'vg_data' by 5GB. The volume group has free physical extents. Which command should be used?

A. pvextend -L +5G /dev/vg_data/lv_data
B. lvextend -L +5G /dev/vg_data/lv_data
C. lvresize -L +5G /dev/vg_data/lv_data
D. lvextend -L 5G /dev/vg_data/lv_data
Answer: B

The + sign indicates adding space.

Why this answer

The correct command to extend a logical volume is `lvextend`. Option B uses the correct syntax with the `-L +5G` flag, which adds 5GB to the existing logical volume `/dev/vg_data/lv_data`. The volume group `vg_data` has free physical extents, so the extension can proceed without needing to add new physical volumes.

Exam trap

The trap here is that candidates may confuse `lvextend` with `lvresize` or forget the `+` sign in the size specification, leading them to choose Option C or D, or they might incorrectly use `pvextend` (Option A) which does not exist in LVM.

How to eliminate wrong answers

Option A is wrong because `pvextend` is not a valid LVM command; the correct command for extending a logical volume is `lvextend`, not `pvextend`. Option C is wrong because `lvresize` can resize a logical volume, but it is not the standard command for extending; `lvextend` is the dedicated command, and using `lvresize` without the `-r` flag may not resize the filesystem automatically, which is a common pitfall. Option D is wrong because `-L 5G` sets the logical volume to exactly 5GB, not adding 5GB; the `+` sign is required to specify an increase in size.

150
MCQ · medium

A security policy requires that all users in the 'webadmin' group should have read and write access to files in /var/www/html. New files created in that directory should automatically be assigned to the 'webadmin' group and have group read/write permissions. Which combination of permissions and group ownership should be set on /var/www/html?

A. chmod o+t /var/www/html; chmod 1775 /var/www/html; chown root:webadmin /var/www/html
B. chmod g+s /var/www/html; chmod 2755 /var/www/html; chown root:webadmin /var/www/html
C. chmod u+s /var/www/html; chown root:webadmin /var/www/html
D. chmod g+s /var/www/html; chmod 2775 /var/www/html; chown root:webadmin /var/www/html
Answer: D

Setgid bit ensures new files inherit group, and permissions allow group write.

Why this answer

Option D is correct because setting the setgid bit (g+s) on /var/www/html ensures that new files inherit the directory's group ('webadmin'), and the 2775 permissions grant group read/write/execute (rwx) while the setgid bit is represented by the leading 2. This combination satisfies the security policy: group ownership inheritance and group read/write access for all new files.

Exam trap

The trap here is that candidates often confuse the setgid bit (g+s) with the sticky bit (o+t) or setuid bit (u+s), and may overlook that the numeric mode must include the leading 2 (or 2xxx) to enable setgid, not just the symbolic chmod g+s.

How to eliminate wrong answers

Option A is wrong because 'chmod o+t' sets the sticky bit, which only prevents users from deleting files they don't own, and 1775 sets no setgid bit, so new files will not inherit the 'webadmin' group. Option B is wrong because 2755 grants group permissions of r-x (read/execute only), not rw- (read/write), failing the requirement for group write access. Option C is wrong because 'chmod u+s' sets the setuid bit (affects user ownership, not group), and without the setgid bit, new files will not automatically be assigned to the 'webadmin' group.
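The setgid behaviour from question 150 can be checked without root. The script below is an added example, not part of the question bank: a scratch directory stands in for /var/www/html, and the function and variable names are made up for the demo. It shows that mode 2775 makes new files and subdirectories inherit the directory's group, and that whether a new file is group-writable also depends on the creating user's umask.

```shell
#!/bin/sh
# Constructed demo: a scratch directory stands in for /var/www/html, so no
# root is needed. Uses GNU stat (-c), as found on Linux.

mode_of()  { stat -c '%a' "$1"; }   # octal mode, e.g. 2775
group_of() { stat -c '%g' "$1"; }   # numeric group id

setgid_demo() {
    demo=$(mktemp -d) || return 1

    # Stand-in for "chown root:webadmin": if the current user has a
    # supplementary group, hand the directory to it so inheritance is visible.
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ] && chgrp "$g" "$demo" 2>/dev/null; then
            break
        fi
    done

    chmod 2775 "$demo"   # leading 2 = setgid, 775 = rwxrwxr-x

    # umask is changed only inside subshells; the caller's umask is untouched.
    ( umask 022; : > "$demo/strict.html" )
    ( umask 002; : > "$demo/shared.html"; mkdir "$demo/sub" )

    DIR_MODE=$(mode_of "$demo")
    DIR_GID=$(group_of "$demo")
    STRICT_MODE=$(mode_of "$demo/strict.html")
    STRICT_GID=$(group_of "$demo/strict.html")
    SHARED_MODE=$(mode_of "$demo/shared.html")
    SUB_MODE=$(mode_of "$demo/sub")
    SUB_GID=$(group_of "$demo/sub")
    rm -rf "$demo"
}

setgid_demo
printf 'directory         mode=%s gid=%s\n' "$DIR_MODE" "$DIR_GID"
printf 'file, umask 022   mode=%s gid=%s\n' "$STRICT_MODE" "$STRICT_GID"
printf 'file, umask 002   mode=%s\n' "$SHARED_MODE"
printf 'subdir, umask 002 mode=%s gid=%s\n' "$SUB_MODE" "$SUB_GID"
```

The file created under umask 022 lands in the right group but without group write, so the accounts that write to a shared directory like this also need a umask of 002.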
