Linux Foundation Certified System Administrator LFCS (LFCS) — Questions 151225

513 questions total · 7pages · All types, answers revealed

Page 2

Page 3 of 7

Page 4
151
MCQeasy

A system administrator needs to configure a static IPv4 address of 192.168.1.100/24 on interface eth0 using NetworkManager. Which command accomplishes this?

A.nmcli dev set eth0 ipv4.address 192.168.1.100/24
B.nmcli con up eth0 ipv4.address 192.168.1.100/24
C.nmcli con mod eth0 ipv4.addresses 192.168.1.100/24 ipv4.method manual
D.nmcli con add con-name eth0 type ethernet ipv4.address 192.168.1.100/24
AnswerC

This correctly modifies the connection to use a static IP address and sets the method to manual.

Why this answer

Option C is correct because `nmcli con mod` modifies an existing connection profile, and setting `ipv4.addresses` along with `ipv4.method manual` is the proper way to assign a static IPv4 address in NetworkManager. The `/24` prefix length is correctly specified as part of the address value, and the manual method disables DHCP for IPv4.

Exam trap

The trap here is that candidates often confuse `nmcli dev set` (device-level) with `nmcli con mod` (connection-level), or they use the singular `ipv4.address` instead of the plural `ipv4.addresses`, which is the correct property name in NetworkManager.

How to eliminate wrong answers

Option A is wrong because `nmcli dev set` is used to set device-level properties (like link state or MTU), not IP address configuration; it does not accept `ipv4.address` as a parameter. Option B is wrong because `nmcli con up` brings a connection profile up (activates it) and does not accept `ipv4.address` as an argument; it cannot modify configuration. Option D is wrong because `nmcli con add` creates a new connection profile, but the correct parameter for the IP address is `ipv4.addresses` (plural), not `ipv4.address` (singular), and it also requires `ipv4.method manual` to set a static address; without that, the profile would default to DHCP.

152
MCQhard

A Linux administrator needs to create a RAID 5 array using three disks: /dev/sdb, /dev/sdc, and /dev/sdd, each 2TB. The administrator wants to ensure the array can be reassembled automatically after a reboot. Which command should be used to create the array?

A.mdadm --create /dev/md0 --level=5 --raid-devices=3 /dev/sdb /dev/sdc /dev/sdd --metadata=0.90
B.mdadm --create /dev/md0 --level=1 --raid-devices=3 /dev/sdb /dev/sdc /dev/sdd
C.mdadm --create /dev/md0 --level=0 --raid-devices=3 /dev/sdb /dev/sdc /dev/sdd
D.mdadm --create /dev/md0 --level=5 --raid-devices=3 /dev/sdb /dev/sdc /dev/sdd --metadata=1.2
AnswerD

Correct for RAID 5 with metadata 1.2, supporting large disks and auto-assembly.

Why this answer

Option D is correct because it uses `--metadata=1.2`, which stores the superblock at a standard 4 KiB offset from the start of each device, enabling the kernel to automatically discover and assemble the RAID array on reboot without manual intervention. RAID 5 with three disks provides striping with distributed parity, offering a balance of performance and redundancy.

Exam trap

The trap here is that candidates often choose `--metadata=0.90` (option A) because it is older and familiar, but they overlook that it does not support automatic reassembly on boot, which is explicitly required in the question.

How to eliminate wrong answers

Option A is wrong because `--metadata=0.90` stores the superblock at the end of the device, which is not automatically scanned by the kernel during boot, requiring manual assembly or configuration in `/etc/mdadm/mdadm.conf`. Option B is wrong because `--level=1` creates a RAID 1 mirror, which with three devices would result in a mirrored set (not RAID 5) and does not meet the requirement for a RAID 5 array. Option C is wrong because `--level=0` creates a RAID 0 stripe set with no parity or redundancy, which provides no fault tolerance and is not suitable for the stated goal of a RAID 5 array.

153
Multi-Selecthard

Which THREE methods can be used to rescue a Linux system that fails to boot past GRUB? (Choose three.)

Select 4 answers
A.Append 'systemd.unit=emergency.target' to kernel command line.
B.Boot into single-user mode by adding 'single' to kernel command line.
C.At GRUB prompt, press 'e' to edit and add 'init=/bin/bash' to boot.
D.From GRUB menu, run 'linux /vmlinuz-... root=/dev/sda1 init=/bin/bash'.
E.Use the system rescue image by selecting 'Rescue' from boot media.
AnswersA, B, C, E

Emergency target provides a minimal shell.

Why this answer

Option A is correct because appending 'systemd.unit=emergency.target' to the kernel command line instructs systemd to boot directly into the emergency target, which provides a minimal rescue shell with only the root filesystem mounted read-only. This is a standard systemd mechanism for recovering from boot failures.

Exam trap

The trap here is that candidates may think option D is a valid GRUB command, but GRUB does not accept a raw 'linux' command with an 'init=' parameter at the prompt; the correct way is to edit the boot entry with 'e' and modify the kernel line, not to type a full command.

154
MCQmedium

A system administrator configures a web server using systemd. After creating a custom service unit file, the administrator runs `systemctl daemon-reload` but the service still fails to start with a 'Unit not found' error. What is the most likely cause?

A.The administrator forgot to run `systemctl enable` before starting the service.
B.The unit file is placed in /usr/lib/systemd/system/ instead of /etc/systemd/system/.
C.The administrator is not in the 'systemd' group.
D.The service name was misspelled in the `systemctl start` command.
AnswerB

Unit files for custom services should be in /etc/systemd/system/; /usr/lib/systemd/system/ is for distribution-provided units.

Why this answer

The 'Unit not found' error after `systemctl daemon-reload` indicates that systemd cannot locate the unit file. Unit files in `/usr/lib/systemd/system/` are intended for distribution packages and are not automatically scanned by `daemon-reload` unless they are symlinked or the directory is explicitly included. The correct location for custom administrator-created unit files is `/etc/systemd/system/`, which is the primary location for locally managed units and is always included in the unit search path.

Exam trap

The trap here is that candidates assume any systemd directory works for custom units, but the LFCS exam specifically tests the distinction between vendor-provided units (`/usr/lib/`) and administrator-managed units (`/etc/`), and that `daemon-reload` does not automatically scan `/usr/lib/` for new files.

How to eliminate wrong answers

Option A is wrong because `systemctl enable` creates symlinks for automatic startup but is not required to start a service; `systemctl start` can start a service without enabling it. Option C is wrong because there is no 'systemd' group in standard Linux; systemd operations are controlled by user privileges (root or sudo) and polkit rules, not group membership. Option D is wrong because while a misspelled service name would cause a 'Unit not found' error, the question states the administrator created a custom unit file and ran `daemon-reload`, making the file location the more likely and fundamental issue.

155
Multi-Selecthard

Which THREE of the following are valid systemd unit types?

Select 3 answers
A.notification
B.startup
C.target
D.socket
E.service
AnswersC, D, E

Groups units for synchronization.

Why this answer

Option C is correct because 'target' is a standard systemd unit type used to group other units together, similar to runlevels in SysVinit. Targets are defined in .target files and are essential for defining synchronization points during system boot or service state transitions.

Exam trap

The trap here is that candidates may confuse systemd unit types with service configuration directives (like Type=notify) or with generic terms like 'startup', leading them to select invalid options that sound plausible but are not defined in systemd's unit type specification.

156
Multi-Selecthard

Which TWO commands can display a list of active TCP connections listening on the system? (Choose two.)

Select 2 answers
A.ss -tuln
B.nmcli connection show
C.ifconfig
D.netstat -tuln
E.ip route show
AnswersA, D

Modern replacement for netstat; shows listening sockets.

Why this answer

Option A is correct because `ss -tuln` displays TCP (`-t`) and UDP (`-u`) sockets in a listening (`-l`) state with numeric (`-n`) addresses and ports, directly showing active TCP listening connections. Option D is correct because `netstat -tuln` performs the same function, listing TCP and UDP listening sockets with numeric output, and is the traditional tool for this purpose.

Exam trap

The trap here is that candidates confuse commands that show network configuration (like `ifconfig` or `ip route`) with commands that show active socket states, leading them to pick options that display interface or routing information instead of listening TCP ports.

157
Multi-Selectmedium

A Linux administrator wants to restrict user 'alice' to only be able to use the system for non-interactive tasks (e.g., running cron jobs and receiving mail) but not allow her to log in via SSH or console. Which TWO actions would achieve this goal? (Choose two.)

Select 2 answers
A.Lock alice's password with 'passwd -l alice'.
B.Set alice's login shell to /sbin/nologin in /etc/passwd.
C.Add alice to the DenyUsers directive in /etc/ssh/sshd_config.
D.Change alice's UID to 0.
E.Add alice to /etc/cron.deny.
AnswersB, C

Prevents interactive login without affecting cron/mail.

Why this answer

Options A and B are correct. Setting the shell to /sbin/nologin prevents interactive logins but cron and mail still work because they use /bin/sh independently. Adding to DenyUsers in sshd_config blocks SSH only.

Option C does not block SSH key authentication. Option D gives root privileges instead of blocking. Option E blocks cron, which is not desired.

158
MCQmedium

A company runs an Apache HTTP server hosting multiple virtual hosts on a single server. The server is managed by systemd. After editing the configuration file for one of the virtual hosts, the administrator notices that the entire Apache service fails to start with a syntax error. Other virtual hosts are currently down because the service failed. The administrator must resolve the issue with minimal downtime and without affecting the configuration of the working virtual hosts. Which course of action is most appropriate?

A.Check the Apache error log to identify the syntax error, fix the configuration, and run 'systemctl restart httpd'.
B.Run 'systemctl restart httpd' immediately to apply the change; the error will be logged.
C.Run 'apachectl configtest' to validate all configurations, fix any reported errors, then run 'systemctl reload httpd'.
D.Disable the problematic virtual host file by renaming it, then restart Apache to bring up the other sites.
AnswerC

Correct: configtest checks syntax without starting; reload applies changes without full restart, minimizing downtime.

Why this answer

Using apachectl configtest to validate the configuration before restarting is the safest approach. It identifies syntax errors without affecting running services. Then the fix can be applied and a reload (or restart) performed.

Option A ignores validation and restarts, causing potential additional downtime if the error persists. Option B also restarts without validation. Option D disables the problematic site, but that may not be desired if the site is needed.

159
MCQmedium

A Linux server cannot reach the internet, but internal LAN connectivity works. The output of 'ip route' shows a default gateway of 192.168.1.1, but pinging 8.8.8.8 fails. What is the most likely cause?

A.The default gateway is not reachable or has no internet connectivity.
B.The ARP table is corrupted.
C.The default gateway is missing.
D.DNS resolution is failing.
AnswerA

The gateway may be down or misconfigured.

Why this answer

The default gateway 192.168.1.1 is present in the routing table, but pinging 8.8.8.8 fails while internal LAN connectivity works. This indicates that the gateway itself either cannot be reached (e.g., due to a layer 2 issue or misconfiguration) or, more likely, it has no upstream internet connectivity. Since the default route is configured, the failure is not due to a missing gateway but rather the gateway's inability to forward traffic to external networks.

Exam trap

The trap here is that candidates often assume a missing default gateway is the problem when they see internet failure, but the question explicitly states the default gateway is present, shifting the focus to the gateway's own connectivity rather than the local routing table.

How to eliminate wrong answers

Option B is wrong because a corrupted ARP table would prevent communication with any host on the local subnet, including the default gateway, causing internal LAN connectivity to fail as well; since internal connectivity works, ARP is functioning correctly. Option C is wrong because the 'ip route' output explicitly shows a default gateway of 192.168.1.1, so the default gateway is not missing. Option D is wrong because DNS resolution is irrelevant when pinging a raw IP address like 8.8.8.8; the failure occurs at the network layer, not at the application layer.

160
MCQhard

Refer to the exhibit. The /etc/sysconfig/network-scripts/ifcfg-eth0 file contains the above content. After reboot, eth0 still does not obtain an IP via DHCP. What is the most likely missing configuration?

A.The MTU is not specified
B.DNS1 is not set
C.TYPE=Ethernet is missing
D.The gateway is not defined
AnswerC

Without TYPE=Ethernet, the network service may not process the file correctly.

Why this answer

Option C is correct because the `ifcfg-eth0` file is missing the `TYPE=Ethernet` directive. In RHEL/CentOS 7 and later, NetworkManager requires the `TYPE` parameter to correctly identify and manage the interface type. Without it, NetworkManager may ignore the file or fail to apply DHCP settings, even if `BOOTPROTO=dhcp` is present.

Exam trap

The trap here is that candidates often focus on DHCP-specific parameters like DNS or gateway, overlooking that NetworkManager requires the `TYPE` directive to recognize the interface as an Ethernet device, without which the DHCP configuration is never applied.

How to eliminate wrong answers

Option A is wrong because MTU is optional and not required for DHCP to function; the default MTU of 1500 is used if not specified. Option B is wrong because DNS1 is not required for obtaining an IP via DHCP; DNS servers are typically provided by the DHCP server itself. Option D is wrong because the gateway is not required for DHCP to obtain an IP address; the DHCP server supplies the default gateway via the DHCP offer.

161
Multi-Selecteasy

An administrator needs to grant a user named 'john' the ability to switch to any other user without a password. Which TWO of the following steps are required to achieve this?

Select 2 answers
A.Add 'john' to the 'wheel' group and configure /etc/pam.d/su to use pam_wheel.so with the 'trust' option.
B.Add a sudo rule: 'john ALL=(ALL) NOPASSWD: ALL' to /etc/sudoers.
C.Set the suid bit on /bin/su.
D.Run 'usermod -L john'.
E.Add 'john' to the 'root' group.
AnswersA, B

Correct: This allows members of the wheel group to su without a password if pam_wheel.so is configured.

Why this answer

Option A is correct because adding 'john' to the 'wheel' group and configuring /etc/pam.d/su with pam_wheel.so and the 'trust' option allows members of the 'wheel' group to switch to any user via su without being prompted for a password. The 'trust' modifier in PAM bypasses the password authentication for users in the specified group, effectively granting passwordless su access.

Exam trap

The trap here is that candidates may confuse the 'wheel' group's traditional role in restricting su access (via pam_wheel.so without 'trust') with granting passwordless su, or they may incorrectly assume that adding a user to the 'root' group or locking the account would enable privilege escalation.

162
MCQhard

A team of developers must share files under /opt/project. All developers are members of the 'devteam' group. New files must be automatically assigned to group 'devteam' and be writable by the group. Which umask and setgid configuration should be applied?

A.Set setgid bit on /opt/project and set umask to 007
B.Set the sticky bit on /opt/project and umask to 022
C.Set umask for developers to 002 only
D.Set setgid bit on /opt/project and set umask for developers to 002
AnswerD

Setgid ensures group ownership inheritance; umask 002 ensures group write.

Why this answer

Option A is correct: chmod g+s sets the setgid bit so new files inherit the group; umask 002 gives group write permission (files 664, dirs 775). Option B: umask 002 but no setgid means new files will inherit the creator's primary group, not necessarily 'devteam'. Option C: umask 007 removes group permissions entirely.

Option D: umask 022 gives group read-only.

163
MCQmedium

A system administrator needs to stop a misbehaving process gracefully, allowing it to clean up resources. The process is unresponsive to the standard SIGTERM signal. What should the administrator do next?

A.Use 'kill -15' again, wait a few seconds, then use 'kill -9' if still unresponsive.
B.Wait for the process to finish on its own.
C.Use 'kill -9' immediately.
D.Send SIGTERM again with a higher priority.
AnswerA

This is the recommended procedure: try graceful termination first, then force kill if needed.

Why this answer

Option A is correct because the standard escalation path for terminating an unresponsive process is to first send SIGTERM (signal 15) to request a graceful shutdown, then after a brief wait, send SIGKILL (signal 9) if the process has not terminated. This allows the process a chance to clean up resources before being forcibly killed, which is the recommended practice in Linux process management.

Exam trap

The trap here is that candidates may think SIGKILL is the immediate solution for any unresponsive process, but the LFCS exam emphasizes the proper escalation sequence (SIGTERM first, then SIGKILL) to ensure graceful resource cleanup.

How to eliminate wrong answers

Option B is wrong because waiting indefinitely for a misbehaving process to finish on its own is not a valid administrative action; the process is already unresponsive and may never terminate, leading to resource starvation. Option C is wrong because using 'kill -9' immediately bypasses the process's cleanup handlers and can leave resources (e.g., temporary files, network sockets) in an inconsistent state, which is considered a last resort. Option D is wrong because SIGTERM does not have a 'priority' concept; signals are delivered as-is, and sending the same signal again with no change in behavior will not overcome the process's unresponsiveness.

164
MCQmedium

A system administrator is managing a RHEL 8 server that requires a static IP address on interface ens192. The administrator modifies /etc/sysconfig/network-scripts/ifcfg-ens192 to set BOOTPROTO=static, IPADDR=192.168.1.100, PREFIX=24, GATEWAY=192.168.1.1, and DNS1=8.8.8.8. After saving, the administrator runs 'systemctl restart NetworkManager'. The interface obtains the correct static IP and network connectivity works. However, after a reboot of the server, the interface fails to come up with the static IP and instead obtains an IP via DHCP from the local network. The administrator verifies that the DHCP server is active and that the physical connection is good. What is the most likely cause of the issue?

A.The kernel parameter nomodeset is set in /etc/default/grub.
B.The firewall is blocking the static IP assignment.
C.The ONBOOT parameter is set to no or missing in the configuration file.
D.The network service is not enabled to start at boot.
AnswerC

ONBOOT=yes is required for the interface to start at boot.

Why this answer

The ONBOOT parameter controls whether the interface is activated at system boot. If set to 'no' or missing entirely, NetworkManager will not bring up the interface automatically after a reboot, causing it to fall back to DHCP if a DHCP client is active. Setting BOOTPROTO=static and IPADDR correctly only takes effect when ONBOOT=yes is present.

Exam trap

The trap here is that candidates assume setting BOOTPROTO=static and IPADDR is sufficient, overlooking the mandatory ONBOOT=yes parameter required for automatic activation at boot.

How to eliminate wrong answers

Option A is wrong because the kernel parameter 'nomodeset' affects video driver initialization, not network interface configuration or static IP assignment. Option B is wrong because the firewall operates at Layer 3/4 and does not block the assignment of a static IP address to an interface; it filters traffic after the IP is assigned. Option D is wrong because the 'network' service is deprecated in RHEL 8 and replaced by NetworkManager, which is enabled by default; the issue is not about the service being disabled but about the per-interface ONBOOT setting.

165
MCQmedium

Which bonding mode provides high availability without requiring switch configuration?

A.mode 1 (active-backup)
B.mode 4 (802.3ad)
C.mode 6 (balance-alb)
D.mode 0 (balance-rr)
AnswerA

Active-backup uses only one NIC at a time; no switch configuration needed.

Why this answer

Mode 1 (active-backup) provides high availability by designating one NIC as active and the others as standby, with automatic failover if the active link fails. It requires no special switch configuration because it does not use any link aggregation protocol or load-balancing algorithm that depends on switch-side settings.

Exam trap

The trap here is that candidates often confuse 'high availability' with 'load balancing' and choose mode 0 or mode 4, not realizing that those modes require switch configuration or do not inherently provide failover without additional setup.

How to eliminate wrong answers

Option B is wrong because mode 4 (802.3ad) requires the switch to be configured with a matching LACP (Link Aggregation Control Protocol) port channel. Option C is wrong because mode 6 (balance-alb) requires the switch to accept packets from multiple MAC addresses on the same port, which may need switch-side ARP filtering or port security adjustments. Option D is wrong because mode 0 (balance-rr) requires the switch to support Ethernet bonding (e.g., static link aggregation) and typically needs switch configuration to treat the multiple links as a single logical link.

166
MCQhard

A system administrator needs to securely transfer files between two Linux servers using port 22. The administrator uses the following command: 'scp file.txt user@remote:/tmp/'. The transfer fails with the error 'Permission denied (publickey)'. What is the most likely cause?

A.The client's public key is not in the remote user's authorized_keys file.
B.The remote server does not have SSH installed.
C.The SSH service is not running on the remote server.
D.The remote server's firewall is blocking port 22.
AnswerA

'Permission denied (publickey)' indicates key authentication failed.

Why this answer

The error 'Permission denied (publickey)' indicates that the SSH key-based authentication failed. SCP uses SSH for transport, and by default, SSH on the remote server checks the client's public key against the remote user's ~/.ssh/authorized_keys file. If the client's public key is not listed there, the SSH server rejects the connection, causing the SCP transfer to fail.

Exam trap

The trap here is that candidates often confuse network-level issues (firewall, service status) with authentication-level errors, but the specific 'Permission denied (publickey)' message directly points to SSH key authentication failure, not connectivity or service availability.

How to eliminate wrong answers

Option B is wrong because if the remote server did not have SSH installed, the error would typically be 'Connection refused' or 'No route to host', not 'Permission denied (publickey)'. Option C is wrong because if the SSH service were not running, the client would receive a 'Connection refused' error, not a publickey authentication failure. Option D is wrong because if the remote server's firewall were blocking port 22, the client would see a timeout or 'Connection refused' error, not a publickey permission error.

167
MCQhard

A company's database server uses LVM for storage. The system administrator notices that the logical volume /dev/vg_db/lv_data is at 95% capacity. The server is in production and cannot be taken offline. The volume group vg_db has free physical extents. Which command sequence should the administrator use to safely increase the size of the logical volume and filesystem without unmounting?

A.lvextend /dev/vg_db/lv_data /dev/sdb; resize2fs /dev/vg_db/lv_data
B.lvresize -L +10G /dev/vg_db/lv_data; mkfs.ext4 /dev/vg_db/lv_data
C.lvextend -L +10G /dev/vg_db/lv_data; mount -o remount /dev/vg_db/lv_data
D.lvextend -L +10G /dev/vg_db/lv_data; resize2fs /dev/vg_db/lv_data
AnswerD

Correct: lvextend increases LV capacity, resize2fs expands the filesystem online.

Why this answer

Option D is correct because it first extends the logical volume using `lvextend -L +10G` to allocate additional physical extents from the volume group, then resizes the ext4 filesystem online with `resize2fs` to utilize the new space. Both operations can be performed without unmounting the filesystem, as ext4 supports online resizing and LVM allows live extension of logical volumes.

Exam trap

The trap here is that candidates may think `mount -o remount` resizes the filesystem or that `mkfs.ext4` can be used to expand an existing filesystem, when in fact a filesystem-specific resize command is required after extending the logical volume.

How to eliminate wrong answers

Option A is wrong because it specifies a physical volume (`/dev/sdb`) instead of a size increment, which would attempt to use the entire device rather than adding a specific amount of space, and the syntax is incorrect for extending by a size. Option B is wrong because `mkfs.ext4` would create a new filesystem, destroying existing data, and does not resize the current filesystem. Option C is wrong because `mount -o remount` only re-mounts the filesystem and does not resize it; the filesystem must be explicitly resized with `resize2fs` after extending the logical volume.

168
MCQhard

A server has two network interfaces: eth0 (192.168.1.10/24) and eth1 (10.0.0.10/24). The default gateway is 192.168.1.1. The administrator wants traffic to 10.0.1.0/24 to go through eth1's gateway 10.0.0.1. Which command adds this route?

A.Both A and B are correct
B.ip route add 10.0.1.0/24 via 10.0.0.1 dev eth1
C.ip route add 10.0.1.0/24 dev eth1 via 10.0.0.1
D.route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.0.0.1 eth1
AnswerA

Both commands correctly add the route; ip route is the modern method, but route is still supported on many systems.

Why this answer

Option A is correct because both B and C are valid `ip route add` syntax variations that achieve the same result: adding a route to 10.0.1.0/24 via gateway 10.0.0.1 on interface eth1. The `ip route` command accepts the `via` and `dev` keywords in either order, making both B and C syntactically correct. Option D uses the legacy `route` command with improper syntax (missing `dev` keyword before the interface name), which would fail or produce unexpected behavior.

Exam trap

The trap here is that candidates assume the legacy `route` command's syntax is interchangeable with `ip route`, or that the order of `via` and `dev` in `ip route` is fixed, leading them to incorrectly dismiss valid options B or C.

How to eliminate wrong answers

Option B is wrong because it is actually correct — it uses proper `ip route add` syntax with `via` followed by `dev`. Option C is wrong because it is also correct — the `ip route add` command allows `dev` before `via` without issue. Option D is wrong because the legacy `route add` command requires the `dev` keyword before the interface name (e.g., `dev eth1`), not just appending `eth1` at the end; the correct syntax would be `route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.0.0.1 dev eth1`.

169
MCQeasy

A system administrator wants to combine two network interfaces for increased throughput and fault tolerance. The requirement is that both links are active simultaneously and the system can tolerate a failure of one link without interruption. Which bonding mode should be used?

A.Mode 4 (802.3ad)
B.Mode 2 (balance-xor)
C.Mode 1 (active-backup)
D.Mode 0 (balance-rr)
AnswerA

Combines links for throughput and fails over if a link goes down.

Why this answer

Mode 4 (802.3ad) is correct because it implements IEEE 802.3ad Link Aggregation Control Protocol (LACP), which allows both links to be active simultaneously for increased throughput while providing fault tolerance. If one link fails, traffic is automatically redistributed across the remaining active links without interruption, meeting the requirement for both active links and failure tolerance.

Exam trap

The trap here is that candidates often confuse Mode 4 (802.3ad) with Mode 0 (balance-rr) because both allow active links, but Mode 0 lacks the standardized LACP negotiation and seamless failover that Mode 4 provides, leading to incorrect selection when fault tolerance is explicitly required.

How to eliminate wrong answers

Option B (Mode 2, balance-xor) is wrong because while it allows both links to be active, it does not provide fault tolerance without interruption—a link failure may cause traffic disruption until the bonding driver rebalances. Option C (Mode 1, active-backup) is wrong because it uses only one active link at a time, failing the requirement for both links to be active simultaneously. Option D (Mode 0, balance-rr) is wrong because although both links are active, it does not support 802.3ad negotiation and may cause out-of-order packet delivery, and it does not guarantee seamless failover without interruption.

170
MCQhard

An administrator configures a systemd service with Restart=on-failure and RestartSec=10. What happens if the service exits with a non-zero exit code?

A.It restarts immediately
B.It retries infinitely regardless of exit code
C.It does not restart
D.It waits 10 seconds before restarting
AnswerD

RestartSec defines the delay between restart attempts.

Why this answer

Option D is correct because when Restart=on-failure is set, systemd only restarts the service if it exits with a non-zero exit code or is terminated by a signal (excluding SIGHUP, SIGINT, SIGTERM, and SIGPIPE). The RestartSec=10 directive then introduces a 10-second delay before the restart attempt, preventing rapid restart loops and giving the system time to stabilize.

Exam trap

The trap here is that candidates often confuse Restart=on-failure with Restart=always, assuming any exit triggers a restart, or they forget that RestartSec applies even when Restart=on-failure is set, leading them to choose 'immediately' (Option A).

How to eliminate wrong answers

Option A is wrong because RestartSec=10 explicitly adds a 10-second delay; the service does not restart immediately. Option B is wrong because Restart=on-failure does not cause infinite retries for any exit code — it only triggers restarts on non-zero exit codes or certain signals, and the number of restart attempts is limited by StartLimitBurst and StartLimitInterval (default 5 attempts within 10 seconds). Option C is wrong because the service does restart on a non-zero exit code when Restart=on-failure is configured; it only does not restart if the exit code is zero.

171
MCQmedium

A system administrator needs to find all files under /var/log that have been modified within the last 7 days. Which command accomplishes this task?

A.find /var/log -atime -7
B.find /var/log -mmin -10080
C.find /var/log -mtime -7
D.find /var/log -ctime -7
AnswerC

-mtime -7 finds files modified less than 7 days ago.

Why this answer

Option C is correct because the `find` command with `-mtime -7` searches for files whose content was modified (i.e., changed) within the last 7 days. The `-mtime` flag uses a 24-hour period, so `-7` means files modified less than 7 days ago, which matches the requirement to find files modified within the last 7 days under /var/log.

Exam trap

The trap here is that candidates often confuse `-mtime` (modification time) with `-ctime` (change time) or `-atime` (access time), leading them to pick an option that checks the wrong timestamp for the task of finding recently modified files.

How to eliminate wrong answers

Option A is wrong because `-atime -7` searches for files accessed (read) within the last 7 days, not modified, which is a different timestamp. Option B is wrong because `-mmin -10080` uses minutes (10080 minutes = 7 days) and would work for the same purpose, but it is not listed as correct; the question expects the `-mtime` flag, and `-mmin` is a valid alternative but not the intended answer here. Option D is wrong because `-ctime -7` searches for files whose metadata (inode) changed within the last 7 days, such as permissions or ownership, not the file content modification.

172
MCQmedium

A system administrator notices that a web server is not reachable from the internet but is reachable from the internal network. The server's IP is 10.0.1.10/24, and the gateway is 10.0.1.1. Which command should be used to verify the default gateway configuration?

A.arp -a
B.ip route show
C.ip addr show
D.ss -tln
AnswerB

This command displays the routing table, including the default gateway.

Why this answer

The `ip route show` command displays the kernel routing table, including the default gateway entry. Since the server is reachable internally but not from the internet, a missing or incorrect default gateway is the likely cause. This command directly verifies whether a default route (e.g., via 10.0.1.1) is present.

Exam trap

The trap here is that candidates often confuse `ip addr show` (which shows IP configuration) with `ip route show` (which shows routing), leading them to check the IP address instead of the default gateway when troubleshooting external connectivity.

How to eliminate wrong answers

Option A is wrong because `arp -a` shows the ARP cache (IP-to-MAC address mappings) for the local network, not the routing table or default gateway. Option C is wrong because `ip addr show` displays IP addresses and interface configuration, not routing information. Option D is wrong because `ss -tln` lists listening TCP sockets and their ports, which is used to verify service availability, not network-layer routing.

173
MCQmedium

A server runs out of inodes. The administrator needs to find which filesystem is exhausted and which directory has the most files. Which command sequence best accomplishes this?

A.df -i; find / -type f | wc -l
B.df -i; find / -xdev -type f -printf '%h\0' | sort -z | uniq -c -z | sort -rn | head
C.df -i; du --inodes /
D.df -h; du -sh /
AnswerB

Shows filesystem inode usage and then identifies top directories by file count.

Why this answer

Option B is correct because `df -i` first checks inode usage across all mounted filesystems to identify which one is exhausted. Then the `find / -xdev -type f -printf '%h\0' | sort -z | uniq -c -z | sort -rn | head` command counts files per directory on the root filesystem only (due to `-xdev`), using null-delimited output to handle special characters in filenames, and sorts to show the directory with the most files. This directly addresses both parts of the problem: identifying the exhausted filesystem and the directory with the most files.

Exam trap

The trap here is that candidates often confuse inode exhaustion with disk space exhaustion and choose `df -h` and `du -sh` (Option D), or they use a recursive file count without restricting to a single filesystem (Option A), failing to isolate the problematic filesystem and directory.

How to eliminate wrong answers

Option A is wrong because `find / -type f | wc -l` counts all files across all mounted filesystems (including network and virtual filesystems), which can be misleading and does not restrict to the exhausted filesystem; it also does not group files by directory, so it cannot identify which directory has the most files. Option C is wrong because `du --inodes /` is not a valid option in standard `du`; the `--inodes` flag is not supported by GNU `du` (it is a `df` option), and even if it were, it would not provide per-directory file counts. Option D is wrong because `df -h` shows disk space usage, not inode usage, and `du -sh /` shows total disk space used by the root filesystem, which is irrelevant to an inode exhaustion problem.

174
MCQeasy

Which command displays the listening UDP ports on a Linux system?

A.ss -a
B.ss -tln
C.ss -uln
D.netstat -tln
AnswerC

-u for UDP, -l for listening, -n for numeric.

Why this answer

Option C is correct because `ss -uln` specifically displays listening UDP sockets. The `-u` flag filters for UDP, `-l` shows only listening sockets, and `-n` displays numeric addresses and ports (avoiding DNS resolution). This is the most precise command for listing listening UDP ports.

Exam trap

The trap here is that candidates often confuse the `-t` (TCP) and `-u` (UDP) flags, or assume that `netstat -tln` or `ss -tln` will show all listening ports, forgetting that UDP requires explicit `-u` filtering.

How to eliminate wrong answers

Option A is wrong because `ss -a` shows all sockets (both listening and non-listening, TCP and UDP), which is too broad and does not filter for UDP or listening state specifically. Option B is wrong because `ss -tln` filters for TCP sockets only (`-t`), so it will not display any UDP ports. Option D is wrong because `netstat -tln` also filters for TCP sockets only (`-t`), and while netstat can show UDP with `-u`, this option omits the `-u` flag, so it shows only listening TCP ports.

175
Multi-Selecthard

Which THREE statements about Linux network bonding modes are correct? (Choose three.)

Select 3 answers
A.Mode 2 (balance-xor) distributes traffic based on packet type.
B.Mode 0 (balance-rr) can cause out-of-order packet delivery.
C.Modes 5 and 6 (balance-tlb and balance-alb) require IEEE 802.3ad switch support.
D.Mode 4 (802.3ad) requires the switch to support LACP.
E.Mode 1 (active-backup) provides fault tolerance but only one link is active at a time.
AnswersB, D, E

Correct.

Why this answer

Mode 0 (balance-rr) transmits packets in sequential order from the first available slave through the last, then starts over. This round-robin distribution can cause packets belonging to the same TCP session to take different physical paths, leading to out-of-order delivery at the receiver, which may trigger TCP retransmissions and degrade performance.

Exam trap

The trap here is that candidates often confuse 'balance-rr' with 'balance-xor' and assume round-robin distributes traffic based on a hash or packet type, when in fact it simply cycles through slaves without any flow-level awareness.

176
Multi-Selecthard

Which THREE fields are part of a standard /etc/group entry?

Select 3 answers
A.Group password (often 'x')
B.Primary GID of user
C.Group name
D.Home directory of group
E.Group members list
AnswersA, C, E

Second field, usually placeholder.

Why this answer

Options A, C, and E are correct. /etc/group has four fields: group_name, password (usually 'x' or empty), GID, and comma-separated list of members. Option B: user's primary GID is in /etc/passwd, not /etc/group. Option D: home directory is in /etc/passwd.

177
MCQhard

After running 'chage -l bob', the output shows: 'Last password change: Apr 01, 2023', 'Password expires: May 31, 2023', 'Account expires: Jul 15, 2023'. What will happen on May 31, 2023?

A.Bob can still log in but will be forced to change his password.
B.Bob's account will be locked.
C.Bob's password will be disabled.
D.Bob will receive a warning message only.
AnswerA

Password expiry forces a password change on next login, but login is still allowed until account expiry.

Why this answer

Option A is correct. On the password expiration date, the user is forced to change password at next login; the account remains active until the account expiry date.

178
MCQhard

A systems administrator is responsible for a production Linux server running CentOS 7 that provides SSH access to users. The administrator decides to tighten security by restricting SSH access to a specific management subnet 10.0.0.0/24. While connected to the server via SSH from a workstation on 10.0.0.50, the administrator adds the following iptables rule: iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT followed by iptables -P INPUT DROP. Immediately after the rule change, the administrator loses all connectivity to the server, including SSH. The administrator suspects that the new default policy dropped the existing SSH session. What is the most reliable method for the administrator to regain access to the server without rebooting?

A.Use netcat to send a TCP reset packet to the SSH server.
B.Use iptables-save and iptables-restore from another host on the same subnet.
C.Use IPMI or iDRAC to access the server's console and remove or modify the iptables rules.
D.Boot the server into single-user mode and flush iptables rules.
AnswerC

Out-of-band management provides console access independent of network.

Why this answer

Option C is correct because IPMI (Intelligent Platform Management Interface) or iDRAC (Integrated Dell Remote Access Controller) provides out-of-band management access to the server's console, independent of the operating system's network stack. This allows the administrator to log in locally, remove or modify the iptables rules that dropped the SSH session, and restore connectivity without rebooting. Since the default INPUT policy was set to DROP, all new and existing SSH packets are blocked, but out-of-band management bypasses iptables entirely.

Exam trap

The trap here is that candidates assume iptables rules only affect new connections, forgetting that changing the default policy to DROP without a stateful rule for ESTABLISHED connections will immediately terminate existing sessions, and they overlook out-of-band management as the only non-reboot recovery option.

How to eliminate wrong answers

Option A is wrong because netcat cannot send a TCP reset packet to an existing SSH session that is already blocked by the iptables DROP policy; the kernel's netfilter will drop any packets to port 22, including resets, and netcat operates at the application layer, not at the raw socket level required to inject a reset. Option B is wrong because iptables-save and iptables-restore require an active SSH session or network connectivity to execute commands on the target server; since the administrator has lost all connectivity, there is no way to run these commands from another host. Option D is wrong because booting into single-user mode requires a reboot, which the question explicitly states should be avoided; moreover, single-user mode is a boot-time option that cannot be entered without restarting the system.

179
MCQhard

A Linux administrator needs to configure VLAN tagging on a network bridge to isolate traffic from different virtual machines. The physical interface is eth0, and VLAN ID 100 should be accessible via the bridge br0. Which set of commands correctly creates this configuration using the ip command?

A.ip link add link eth0 name eth0.100 type vlan id 100; ip link add br0 type bridge; ip link set eth0.100 master br0; ip link set br0 up
B.ip link add br0 type bridge; ip link set eth0 master br0; ip link set br0 up
C.ip link add eth0.100 link eth0 type vlan id 100; ip link set eth0.100 master br0; ip link add br0 type bridge
D.ip link add name br0 type bridge; ip link add link br0 name vlan100 type vlan id 100; ip link set eth0 master br0
AnswerA

Correct sequence: create VLAN subinterface, create bridge, attach VLAN to bridge.

Why this answer

Option A is correct because it first creates a VLAN interface (eth0.100) on top of physical interface eth0 with VLAN ID 100 using `ip link add link eth0 name eth0.100 type vlan id 100`. It then creates a bridge (br0) with `ip link add br0 type bridge`, attaches the VLAN interface to the bridge as a port with `ip link set eth0.100 master br0`, and finally brings the bridge up. This sequence ensures that traffic tagged with VLAN 100 on eth0 is properly forwarded through the bridge to virtual machines, while untagged or other VLAN traffic is isolated.

Exam trap

The trap here is that candidates often forget the order of operations — the bridge must exist before enslaving a port, and the VLAN interface must be created on the physical NIC, not on the bridge itself.

How to eliminate wrong answers

Option B is wrong because it directly attaches the physical interface eth0 to the bridge without creating a VLAN interface, so no VLAN tagging or isolation is configured — all traffic on eth0 passes through the bridge untagged. Option C is wrong because it attempts to set eth0.100 as a slave of br0 before the bridge br0 has been created, which will fail since the bridge must exist first for the `master` command to succeed. Option D is wrong because it creates a VLAN interface on top of the bridge (br0) rather than on the physical interface eth0, which would tag traffic originating from the bridge itself rather than isolating incoming VLAN 100 traffic from eth0.

180
MCQhard

The administrator wants to create a new logical volume of 5GB for /var/log. Which of the following is the most appropriate first step?

A.Use lvresize to shrink lv_root by 5G and then create lv_var_log
B.Add a new disk (e.g., /dev/sdc) to the system, create a PV, and extend vg_root.
C.Mount a new filesystem directly on a new partition /dev/sdc1
D.Use lvcreate -L 5G vg_root -n lv_var_log
AnswerB

This provides free space to create the new LV.

Why this answer

Option B is correct because the volume group vg_root currently has no free space to create a new logical volume. Adding a new disk, creating a physical volume (PV) on it, and extending vg_root with vgextend provides the necessary free extents. Only then can lvcreate be used to create the 5GB lv_var_log logical volume for /var/log.

Exam trap

The trap here is that candidates assume lvcreate can always create a new logical volume in an existing volume group, forgetting that the VG must have sufficient free space; they overlook the prerequisite of adding a new PV when the VG is full.

How to eliminate wrong answers

Option A is wrong because lvresize to shrink lv_root is risky and unnecessary; it also does not add free space to the volume group if the filesystem is not shrunk first, and it may cause data loss or filesystem corruption. Option C is wrong because mounting a new filesystem directly on a partition bypasses LVM entirely, which contradicts the requirement to create a logical volume. Option D is wrong because lvcreate will fail if vg_root does not have at least 5GB of free extents; the command itself is correct syntax but cannot succeed without available space in the volume group.

181
MCQhard

A security policy requires that a user account 'temp_audit' be locked immediately without changing the password. Which command locks the account and prevents login?

A.userdel temp_audit
B.usermod -L temp_audit
C.chage -E 0 temp_audit
D.passwd -u temp_audit
AnswerB

Locks the account by prepending '!' to the encrypted password.

Why this answer

usermod -L locks the account by placing an '!' in the password field of /etc/shadow, preventing password authentication.

182
MCQeasy

Which command adds an existing user to a supplementary group without removing the user from other groups?

A.groupmod -a username groupname
B.usermod -A groupname username
C.usermod -aG groupname username
D.usermod -g groupname username
AnswerC

-a (append) with -G adds to supplementary group without affecting other groups.

Why this answer

Option A is correct because usermod -aG appends the user to the specified group while retaining existing supplementary group memberships.

183
MCQmedium

A system administrator wants to limit the CPU usage of a service. Which systemd resource control directive should be used?

A.CPUShares
B.CPUQuota
C.CPUAccounting=yes and CPUQuota
D.CPULimit
AnswerC

CPUAccounting enables accounting, then CPUQuota can be applied.

Why this answer

Option C is correct because to limit CPU usage in systemd, you must first enable CPU accounting with `CPUAccounting=yes` to track CPU consumption, and then set `CPUQuota` to specify a maximum percentage of CPU time the service can use. Without `CPUAccounting=yes`, the `CPUQuota` directive is ignored by systemd, making the combination essential for enforcing a hard CPU limit.

Exam trap

The trap here is that candidates assume `CPUQuota` works independently, but the LFCS exam tests the requirement to enable `CPUAccounting=yes` first, as systemd defaults to accounting being off for performance reasons.

How to eliminate wrong answers

Option A is wrong because `CPUShares` controls relative CPU priority among services under contention, not a hard limit on CPU usage; it distributes available CPU time proportionally. Option B is wrong because `CPUQuota` alone is insufficient; systemd requires `CPUAccounting=yes` to be explicitly set for the quota to take effect, otherwise the directive is silently ignored. Option D is wrong because `CPULimit` is not a valid systemd resource control directive; the correct directive for limiting CPU usage is `CPUQuota`.

184
MCQeasy

A user wants to view the contents of a compressed log file /var/log/syslog.2.gz without decompressing it first. Which command should they use?

A.gunzip /var/log/syslog.2.gz
B.cat /var/log/syslog.2.gz
C.zcat /var/log/syslog.2.gz
D.less /var/log/syslog.2.gz
AnswerC

zcat reads gzip files directly.

Why this answer

Option C is correct because `zcat` is a utility that reads compressed files (typically gzip-compressed) and outputs their decompressed content to standard output without permanently decompressing the file. This allows the user to view the contents of `/var/log/syslog.2.gz` directly in the terminal.

Exam trap

The trap here is that candidates may confuse `zcat` with `gunzip` or assume `less` can handle compressed files natively, but the LFCS exam expects knowledge of the specific command designed for viewing compressed files without decompression.

How to eliminate wrong answers

Option A is wrong because `gunzip` permanently decompresses the file, replacing the `.gz` file with an uncompressed version, which is not what the user wants. Option B is wrong because `cat` cannot interpret gzip compression; it will output raw binary data, which is unreadable. Option D is wrong because `less` does not natively handle gzip-compressed files; it would display binary garbage unless used with a wrapper like `zless` or a pipe from `zcat`.

185
MCQhard

An administrator created an LVM snapshot of a logical volume to perform a backup. During the backup, the snapshot runs out of space. What will happen to the original logical volume?

A.The original volume becomes read-only.
B.The backup completes successfully but data may be inconsistent.
C.The snapshot becomes invalid and must be recreated.
D.The original volume is automatically extended.
AnswerC

Snapshots use copy-on-write; when full, they are dropped and become inaccessible. Original volume unaffected.

Why this answer

When an LVM snapshot runs out of space, it becomes invalid and cannot track changes made to the original logical volume during the backup. The snapshot is automatically dropped by the device-mapper, and any attempt to mount or read it will fail. The original logical volume remains fully functional and unaffected, but the snapshot must be recreated to perform a new backup.

Exam trap

The trap here is that candidates often assume the original volume will be affected (e.g., become read-only or extended) when the snapshot runs out of space, but LVM isolates the original volume from snapshot failures, so only the snapshot is invalidated.

How to eliminate wrong answers

Option A is wrong because the original volume does not become read-only; LVM snapshots are copy-on-write, and running out of space in the snapshot only invalidates the snapshot, not the original volume. Option B is wrong because the backup cannot complete successfully; once the snapshot runs out of space, it is dropped and becomes inaccessible, so the backup process will fail or produce an error. Option D is wrong because LVM does not automatically extend snapshots or original volumes; snapshot size must be manually monitored and extended using 'lvextend' before it fills up.

186
MCQmedium

A system administrator runs 'ss -tuln' and sees that port 80 is listening. What does the 'u' option represent?

A.User
B.Unix sockets
C.UDP
D.Unicast
AnswerC

The -u option filters for UDP sockets.

Why this answer

In the `ss` command, the `-u` option filters output to show only UDP sockets. Since the question shows `ss -tuln`, which combines `-t` (TCP), `-u` (UDP), `-l` (listening), and `-n` (numeric), the `u` specifically represents UDP. This is confirmed by the `ss` man page and standard Linux networking tools.

Exam trap

The trap here is that candidates confuse `-u` with 'Unix sockets' (which is `-x`) or 'User' (which is `-p`), because the letter 'u' is commonly associated with 'Unix' or 'user' in other commands, but in `ss` it specifically means UDP.

How to eliminate wrong answers

Option A is wrong because `-u` does not stand for 'User'; user information is displayed with the `-p` option or by default in some output formats, not with `-u`. Option B is wrong because Unix sockets are displayed with the `-x` option, not `-u`; `-u` is exclusively for UDP sockets. Option D is wrong because 'Unicast' is a type of network transmission, not a socket type or protocol filter in `ss`; `ss` uses `-u` to filter by UDP protocol, not by unicast addressing.

187
Multi-Selecthard

Which THREE steps are necessary to permanently disable a systemd service from starting at boot?

Select 3 answers
A.systemctl stop myapp.service
B.systemctl mask myapp.service
C.systemctl reset-failed myapp.service
D.systemctl disable myapp.service
E.systemctl daemon-reload
AnswersA, B, D

Stops the currently running service.

Why this answer

Option A is correct because `systemctl stop` immediately terminates the service process, which is necessary to ensure the service is not currently running before disabling it from future boots. While stopping alone does not prevent the service from starting at boot, it is a required step in the process of permanently disabling a service, as you must stop the current instance before disabling it to avoid an inconsistent state.

Exam trap

The trap here is that candidates often think `systemctl disable` alone is sufficient to prevent a service from starting at boot, but they forget that the service may still be running currently, and without stopping it first, the disable command only affects future boots, not the current session.

188
MCQeasy

Refer to the exhibit. Which filesystem is mounted using the XFS filesystem type?

A./home
B./boot
C./proc
D./
AnswerA

XFS filesystem.

Why this answer

The correct answer is A (/home) because the exhibit shows that /home is mounted with the XFS filesystem type, as indicated in the output of the 'df -hT' or similar command. XFS is a high-performance 64-bit journaling filesystem commonly used in Linux for large files and scalability, and it is the default filesystem in RHEL/CentOS 7 and later.

Exam trap

Linux Foundation often tests the misconception that the root filesystem (/) is always XFS in modern distributions, but many exam scenarios use ext4 for / and reserve XFS for separate partitions like /home or /var.

How to eliminate wrong answers

Option B (/boot) is wrong because /boot is typically mounted using ext4 or ext3, not XFS, as it requires a simpler filesystem for bootloader compatibility. Option C (/proc) is wrong because /proc is a pseudo-filesystem (procfs) that exists only in memory and is not a physical disk filesystem like XFS. Option D (/) is wrong because the root filesystem in the exhibit is shown as ext4, not XFS, which is a common default for many distributions.

189
Multi-Selecteasy

Which THREE commands can show the current system time and date?

Select 3 answers
A.time
B.timedatectl
C.date
D.ntpdate
E.hwclock
AnswersB, C, E

Shows system time, date, and timezone.

Why this answer

B is correct because `timedatectl` is the primary command in systemd-based Linux distributions (e.g., RHEL 7+, Ubuntu 16.04+) for querying and configuring system time, date, time zone, and NTP synchronization. It displays the current local time, UTC time, RTC time, and time zone status in a structured output.

Exam trap

The trap here is that candidates confuse `time` (a performance measurement tool) with `date` (a time display tool), or mistakenly think `ntpdate` is a display command when it actually modifies the system clock.

190
MCQeasy

Which file stores the encrypted password (or password hash) for user accounts?

A./etc/group
B./etc/shadow
C./etc/passwd
D./etc/gshadow
AnswerB

Correct. Contains password hashes and aging info.

Why this answer

Option B is correct. The /etc/shadow file contains the encrypted password and password aging information. The /etc/passwd file historically contained passwords but now uses 'x' placeholder.

191
MCQeasy

Refer to the exhibit. The administrator wants to create a RAID 1 array using /dev/sdb1 and /dev/sdc1. Which command should be used?

A.mdadm --create /dev/md0 --level=5 --raid-devices=2 /dev/sdb1 /dev/sdc1
B.mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdc1
C.mdadm --create /dev/md0 --level=10 --raid-devices=2 /dev/sdb1 /dev/sdc1
D.mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/sdb1 /dev/sdc1
AnswerB

Correct: RAID 1 requires level=1.

Why this answer

Option B is correct because RAID 1 (mirroring) requires exactly two devices to provide redundancy by duplicating data across both disks. The `--level=1` parameter specifies RAID 1, and `--raid-devices=2` matches the two partitions /dev/sdb1 and /dev/sdc1.

Exam trap

The trap here is that candidates confuse RAID levels and their minimum device requirements, often selecting RAID 5 or RAID 10 without verifying the device count, or mistakenly thinking RAID 0 provides redundancy.

How to eliminate wrong answers

Option A is wrong because `--level=5` (RAID 5) requires a minimum of three devices for striping with distributed parity, not two. Option C is wrong because `--level=10` (RAID 10) is a nested RAID combining mirroring and striping, requiring at least four devices (two mirrored pairs). Option D is wrong because `--level=0` (RAID 0) provides striping without redundancy, which does not meet the administrator's goal of creating a RAID 1 array.

192
MCQmedium

After editing /etc/resolv.conf to set a custom DNS server, the changes are reverted after reboot. What is the most likely cause?

A.The DHCP client overwrites resolv.conf on lease renewal
B.SELinux reinitializes the file from defaults
C.NetworkManager manages DNS and overwrites manual changes
D.systemd-resolved regenerates the file from configuration
AnswerC

NetworkManager updates resolv.conf based on its configuration; to persist manual changes, set dns=none in NetworkManager.conf.

Why this answer

NetworkManager actively manages network interfaces and DNS settings by default on many Linux distributions. When a user manually edits /etc/resolv.conf, NetworkManager detects the change and overwrites it with its own configuration, especially after a reboot or network restart, because it treats the file as a managed resource. This is the most common reason for DNS changes being reverted.

Exam trap

The trap here is that candidates often assume DHCP client behavior (Option A) is the primary cause, but the LFCS exam focuses on NetworkManager as the default network service manager on modern enterprise Linux distributions like RHEL and CentOS.

How to eliminate wrong answers

Option A is wrong because while a DHCP client can overwrite resolv.conf on lease renewal, this typically occurs only if the DHCP client is configured to manage DNS directly, which is less common than NetworkManager's default behavior on modern systems. Option B is wrong because SELinux does not reinitialize files from defaults; it enforces security policies on file access but does not regenerate or overwrite configuration files. Option D is wrong because systemd-resolved can regenerate resolv.conf from its own configuration, but this only happens if systemd-resolved is actively managing DNS and resolv.conf is symlinked to /run/systemd/resolve/stub-resolv.conf, which is not the default in all distributions and is less likely than NetworkManager's direct management.

193
MCQhard

You are a systems administrator for a company that runs a critical web application on a Linux server. The server has two network interfaces: eth0 (public IP 203.0.113.10/24, gateway 203.0.113.1) and eth1 (private IP 10.0.0.10/24). The web server listens on port 443 (HTTPS) and must be accessible from the internet. The server also needs to connect to an internal database server at 10.0.0.50/24 on port 3306. Recently, users reported that the website is intermittently unreachable. You SSH into the server and run 'ss -tln' and see that the web server is listening on 0.0.0.0:443. You check the routing table with 'ip route show' and see: default via 203.0.113.1 dev eth0; 10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.10. You also run 'iptables -L -n -v' and see: Chain INPUT (policy ACCEPT), with no rules. However, you notice that the server's default gateway is unreachable from the server itself when you run 'ping 203.0.113.1' (100% packet loss). What is the most likely cause of the intermittent unreachability?

A.The web server is not listening on the public IP address.
B.A firewall rule is blocking incoming HTTPS traffic.
C.The default gateway is unreachable, preventing return traffic from the internet.
D.The private interface eth1 has a misconfigured IP address.
AnswerC

The gateway is down, so the server cannot send packets to the internet, making the web server unreachable.

Why this answer

The correct answer is C. The server's default gateway (203.0.113.1) is unreachable, as confirmed by the 100% packet loss on ping. This means that although the web server is listening on 0.0.0.0:443 and the firewall allows traffic, any response packets from the server to internet clients must be routed through the default gateway.

Without a working gateway, return traffic cannot reach the clients, causing intermittent unreachability from the internet.

Exam trap

The trap here is that candidates often focus on firewall rules or service binding, overlooking the fact that even with correct listening and permissive firewall, network-layer routing (specifically a working default gateway) is essential for bidirectional communication with the internet.

How to eliminate wrong answers

Option A is wrong because the web server is listening on 0.0.0.0:443, which binds to all available IP addresses, including the public IP 203.0.113.10, so it is accessible on the public interface. Option B is wrong because the iptables output shows an empty INPUT chain with a default policy of ACCEPT, meaning no firewall rules are blocking incoming HTTPS traffic. Option D is wrong because the routing table shows a correct route for 10.0.0.0/24 via eth1 with the source IP 10.0.0.10, and the private interface is functioning for internal database connectivity; the issue is with the default gateway, not the private IP configuration.

194
MCQeasy

A Linux server experiences a kernel panic during boot. The administrator needs to capture the kernel panic message for debugging. Which of the following methods would allow capturing the panic message?

A.Add 'quiet' to the kernel boot parameters.
B.Add 'panic=0' to the kernel boot parameters.
C.Configure netconsole to send kernel messages to a remote syslog server.
D.Set the kernel parameter 'console=ttyS0' to redirect output to a serial console.
AnswerB

Setting panic=0 tells the kernel to wait indefinitely on a panic, allowing the administrator to read the message on the console.

Why this answer

Option B is correct because setting 'panic=0' in the kernel boot parameters instructs the kernel to wait indefinitely (never reboot) after a kernel panic, allowing the administrator to capture the panic message from the console output. This is essential for debugging as it prevents automatic reboot and preserves the panic screen.

Exam trap

The trap here is that candidates may confuse 'panic=0' with disabling panic behavior, when in fact it disables automatic reboot, or they may think 'console=ttyS0' alone captures the message, whereas it only redirects output without preserving it during a crash.

How to eliminate wrong answers

Option A is wrong because adding 'quiet' suppresses most kernel messages, including panic details, making it harder to capture the panic message. Option C is wrong because netconsole sends kernel messages over the network to a remote syslog server, but it requires network configuration and may not function reliably during a kernel panic, especially if the network stack is compromised. Option D is wrong because 'console=ttyS0' redirects kernel output to a serial console, which is useful for remote access but does not inherently capture or preserve the panic message; it only changes the output destination.

195
Matchingmedium

Match each Linux package management command to its distribution.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Debian/Ubuntu

RHEL/CentOS 7

Fedora/RHEL 8+

openSUSE

Arch Linux

Why these pairings

Common package managers for various distributions.

196
MCQeasy

A user reports that they cannot delete a file named 'important.txt' located in their home directory. The file is owned by the user and the user has write permission on the directory. Running 'rm important.txt' produces the error: 'rm: cannot remove 'important.txt': Operation not permitted'. The user has also tried using 'sudo rm' but gets the same error. Which of the following is the most likely cause and correct solution?

A.The file has an ACL that denies deletion. Use 'setfacl -b important.txt' to remove ACLs.
B.The file has the immutable attribute set. Use 'lsattr important.txt' and if the 'i' attribute is present, remove it with 'chattr -i important.txt'.
C.The file is currently in use by another process. Use 'lsof' to find the process and kill it.
D.The directory has the sticky bit set, preventing deletion. Use 'chmod o-t .' to remove the sticky bit.
AnswerB

The immutable attribute prevents deletion; removing it allows deletion.

Why this answer

The error 'Operation not permitted' despite the user owning the file and having write permission on the directory indicates a filesystem-level restriction rather than a permission or ACL issue. The immutable attribute (i) on the file prevents any modification, including deletion, even by the root user. Running 'lsattr' reveals the attribute, and 'chattr -i' removes it, allowing deletion.

Exam trap

The trap here is that candidates confuse 'Operation not permitted' with standard permission errors, overlooking the immutable attribute as a filesystem-level override that affects even root and is not visible with 'ls -l'.

How to eliminate wrong answers

Option A is wrong because ACLs (Access Control Lists) do not produce an 'Operation not permitted' error for a file owner; they would show 'Permission denied' if applicable, and 'setfacl -b' removes all ACLs, which is unnecessary here. Option C is wrong because a file in use by another process would typically give a 'Text file busy' or 'Device or resource busy' error, not 'Operation not permitted', and killing the process would not resolve an immutable attribute. Option D is wrong because the sticky bit on a directory affects deletion of files owned by other users, not the file owner; the user owns the file, so the sticky bit does not block deletion, and 'chmod o-t' removes the sticky bit from the current directory, which is not the issue.

197
MCQhard

A security policy requires that all users in the 'admin' group must have a umask of 027 set automatically upon login. An administrator adds 'umask 027' to /etc/profile. However, users report that the umask is still 022. What is a likely cause?

A.The umask in /etc/profile is overridden by user-specific .bash_profile or .bashrc files.
B.The umask command in /etc/profile has a syntax error that is silently ignored.
C.The admin placed the umask command after the call to /etc/bash.bashrc which resets it.
D.The admin forgot to run 'source /etc/profile' on each user's session.
AnswerA

User files commonly override global settings.

Why this answer

Option A is correct because user-specific startup files (like .bash_profile) can override /etc/profile. Option B is wrong because /etc/profile is sourced automatically for login shells. Option C is possible but less likely since syntax is correct.

Option D is wrong because /etc/profile executes before user files; any reset would be in user files.

198
Drag & Dropmedium

Order the steps to create a systemd service unit that runs a script at boot.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Creating the unit file, enabling for boot, starting, and checking status are standard steps.

199
MCQmedium

An administrator receives a report that a specific directory /var/log is consuming too much disk space. Which command should be used to determine the total disk space used by that directory?

A.df -h /var/log
B.ls -la /var/log
C.fdisk /var/log
D.du -sh /var/log
AnswerD

du -sh calculates the total size of the directory.

Why this answer

Option D is correct because the `du -sh /var/log` command calculates the total disk space used by the specified directory. The `-s` flag summarizes the total size, `-h` provides human-readable output (e.g., in KB, MB, GB), and the path `/var/log` targets the directory in question. This is the standard Linux command for determining directory disk usage.

Exam trap

The trap here is that candidates confuse `df` (filesystem-level usage) with `du` (directory-level usage), often selecting `df -h` because it shows disk space, without realizing it reports on the entire partition rather than the specific directory.

How to eliminate wrong answers

Option A is wrong because `df -h /var/log` reports the disk space usage of the filesystem (partition) that contains `/var/log`, not the directory itself; it shows total, used, and available space for the entire mount point. Option B is wrong because `ls -la /var/log` lists the contents of the directory with file sizes but does not sum them recursively, so it cannot provide the total disk space consumed by the directory tree. Option C is wrong because `fdisk /var/log` is a partition table manipulation tool that operates on block devices (e.g., /dev/sda), not on directories; it would fail with an error when given a directory path.

200
MCQeasy

A user reports that a shell script 'backup.sh' in /home/user/scripts fails to execute. What is the most likely cause?

A.The script is not in the user's PATH.
B.The script does not have execute permission for the user.
C.The script must be owned by root.
D.The script does not have a shebang line (#!/bin/bash) at the top.
AnswerB

Missing execute permission is the most common cause of 'Permission denied' errors when running a script.

Why this answer

The most likely cause is that the script lacks execute permission for the user. In Linux, a file must have the execute bit set (e.g., `chmod +x backup.sh`) to be run as a script. Without it, the shell will refuse to execute the file, even if the user has read access and the script is syntactically correct.

Exam trap

The trap here is that candidates often assume a missing shebang (Option D) is the primary cause, but the LFCS exam tests that execute permission is the fundamental requirement for running any script directly.

How to eliminate wrong answers

Option A is wrong because the script is being executed directly (e.g., `./backup.sh` or via a full path), so PATH is irrelevant; PATH only matters when invoking a command by name without a path. Option C is wrong because script ownership does not affect execution; any user with execute permission can run it, regardless of owner. Option D is wrong because while a shebang is good practice, the shell will still attempt to execute the script using the default shell (usually /bin/sh) if no shebang is present; the script would run, not fail to execute entirely.

201
MCQeasy

A system administrator receives an alert that disk /dev/sda is predicted to fail soon. The server uses LVM, and /dev/sda is part of a volume group named vg_system. Which of the following is the best course of action to replace the failing disk without downtime?

A.Use dd to clone /dev/sda to a new disk and then replace.
B.Use ddrescue to copy data, then replace the disk.
C.Remove /dev/sda from the volume group and add a new disk.
D.Use pvmove to move physical extents to another disk, then remove the old disk.
AnswerD

pvmove safely relocates data online.

Why this answer

Option D is correct because pvmove relocates physical extents from /dev/sda to another physical volume in the same volume group while the filesystem remains online and accessible. This allows the failing disk to be removed from vg_system without any downtime, preserving LVM metadata and data integrity.

Exam trap

The trap here is that candidates confuse block-level cloning (dd) with LVM-aware migration (pvmove), assuming any copy tool can replace a disk in an LVM setup without understanding that LVM metadata and extent mapping must be handled correctly to avoid downtime or data corruption.

How to eliminate wrong answers

Option A is wrong because dd clones the entire block device including LVM metadata, which can cause UUID conflicts and requires the disk to be offline or unmounted, leading to downtime. Option B is wrong because ddrescue is designed for data recovery from failing media, not for live migration within LVM, and still requires the disk to be taken offline. Option C is wrong because removing /dev/sda from the volume group without first moving its extents would cause data loss; vgreduce can only remove a physical volume that has no allocated extents.

202
Multi-Selectmedium

A system administrator needs to configure a network bond on a Linux server using NetworkManager. Which TWO steps are required to create a functional bond interface?

Select 2 answers
A.Set the bond mode to 'balance-rr' in the connection profile.
B.Load the bonding kernel module using 'modprobe bonding'.
C.Use 'nmcli connection add type bond ifname bond0' to create the bond interface.
D.Use 'nmcli connection add type ethernet ifname eth0 master bond0' to attach a slave.
E.Ensure that the slave interfaces are down before adding them to the bond.
AnswersC, D

Creating the bond connection is the first required step.

Why this answer

The two required steps are creating the bond connection and attaching slave interfaces. The bonding kernel module is usually loaded automatically. Setting the bond mode and IP address can be done later, and the slave interfaces do not need to be down.

203
MCQeasy

An administrator needs to delete user 'obsolete' and remove its home directory and mail spool. Which command should be used?

A.userdel -f obsolete
B.userdel -r obsolete
C.userdel obsolete
D.groupdel obsolete
AnswerB

-r removes home and mail spool along with user account.

Why this answer

Option C is correct because userdel -r removes home directory and mail spool. Option A (-f) forces but does not remove files. Option B deletes group, not user.

Option D without -r leaves files behind.

204
MCQhard

A host with this routing table can ping 10.0.2.1 but cannot ping 8.8.8.8. What is the most likely cause?

A.The default route is missing
B.The default gateway 10.0.1.1 does not have internet connectivity
C.The host has no route to 10.0.2.0/24
D.The host has no route to 10.0.1.1
AnswerB

Even though the host can reach the gateway, the gateway itself may not have a path to the internet.

Why this answer

The host can ping 10.0.2.1, which is on the directly connected 10.0.2.0/24 network, confirming that the local interface and link-layer are functional. However, it cannot ping 8.8.8.8, a public internet address. The routing table shows a default route via 10.0.1.1, so the host will forward the packet to that gateway.

Since the host has a default route, the most likely cause is that the gateway 10.0.1.1 itself lacks internet connectivity (e.g., no upstream route, NAT misconfiguration, or ISP outage), preventing the packet from reaching 8.8.8.8.

Exam trap

The trap here is that candidates assume a missing default route is the only cause for internet unreachability, but the question explicitly states the routing table includes a default route, shifting the focus to the gateway's own connectivity or upstream routing failure.

How to eliminate wrong answers

Option A is wrong because the routing table includes a default route (0.0.0.0/0 via 10.0.1.1), so the default route is not missing. Option C is wrong because the host can ping 10.0.2.1, which is on the 10.0.2.0/24 network, proving that a route to that subnet exists (likely a directly connected route). Option D is wrong because the host does not need a specific route to 10.0.1.1; the default route via 10.0.1.1 implies the host can reach that gateway through its local subnet (e.g., via ARP on the directly connected network), and the problem is upstream, not local reachability.

205
MCQhard

Refer to the exhibit. A user attempts to create a file in /backup/snapshots/ but receives an error. What is the most likely cause?

A.The /backup filesystem is mounted read-only.
B.The /backup directory does not exist.
C.The user does not have write permission on /backup.
D.The /backup filesystem is full.
AnswerA

The '(ro)' flag indicates a read-only mount.

Why this answer

The error occurs because the /backup filesystem is mounted read-only, which prevents any write operations, including file creation, regardless of directory permissions or available space. This is a common scenario when a filesystem is intentionally mounted with the 'ro' option in /etc/fstab or via the mount command to protect data integrity.

Exam trap

The trap here is that candidates often focus on file permissions or disk space, overlooking the filesystem-level mount option that overrides all other write mechanisms.

How to eliminate wrong answers

Option B is wrong because if the /backup directory did not exist, the error would typically be 'No such file or directory' rather than a permission or write failure, and the user is attempting to create a file in /backup/snapshots/, implying the parent exists. Option C is wrong because write permission on /backup is irrelevant if the underlying filesystem is mounted read-only; even root cannot write to a read-only filesystem without remounting. Option D is wrong because a full filesystem would produce a 'No space left on device' error, not a generic write failure, and the question does not indicate disk space exhaustion.

206
Multi-Selectmedium

Which TWO statements are true about systemd service unit files? (Choose two.)

Select 2 answers
A.Environment variables can be loaded using EnvFile= directive.
B.The default service type is 'forking'.
C.The [Service] section is mandatory for a service unit file.
D.The [Install] section is used by systemctl enable to create symlinks.
E.The [Service] section must appear before the [Unit] section.
AnswersC, D

A service unit must have a [Service] section to define the process.

Why this answer

Option C is correct because the [Service] section is mandatory in a systemd service unit file; without it, systemd cannot determine how to manage the service process. This section defines the service type, execution command, and other runtime parameters essential for the unit to function.

Exam trap

The trap here is that candidates often confuse the 'EnvironmentFile=' directive with a non-existent 'EnvFile=', and assume 'forking' is the default service type because many legacy daemons use it, but systemd's default is 'simple'.

207
Multi-Selecteasy

Which TWO commands can be used to display the current working directory?

Select 2 answers
A.which pwd
B.pwd
C.date
D.echo $PWD
E.whoami
AnswersB, D

Prints working directory.

Why this answer

The `pwd` command (B) is the standard POSIX command that prints the full pathname of the current working directory. The shell variable `$PWD` (D) is automatically set by the shell to the current working directory, so `echo $PWD` outputs the same path. Both are valid ways to display the current working directory.

Exam trap

Linux Foundation often tests the distinction between commands that display the working directory and commands that merely locate or describe other things, tricking candidates into selecting `which pwd` because it contains the letters 'pwd'.

208
MCQeasy

An administrator wants to permanently configure a static IP address on a CentOS 7 system. Which file should be edited?

A./etc/sysconfig/network-scripts/ifcfg-eth0
B./etc/sysconfig/network
C./etc/hostname
D./etc/network/interfaces
AnswerA

This is the standard network interface configuration file for CentOS/RHEL 7.

Why this answer

On CentOS 7, network interface configuration is stored in individual files under /etc/sysconfig/network-scripts/, named ifcfg-<interface>. The ifcfg-eth0 file contains parameters like BOOTPROTO, IPADDR, NETMASK, and GATEWAY, and setting BOOTPROTO=static along with the IP address values permanently configures a static IP. This is the standard method for RHEL/CentOS 7 systems using the legacy network scripts (not NetworkManager's keyfile format).

Exam trap

The trap here is that candidates familiar with Debian-based systems may choose /etc/network/interfaces (Option D), while those who confuse global network settings with per-interface settings may pick /etc/sysconfig/network (Option B), both of which are incorrect for CentOS 7's static IP configuration.

How to eliminate wrong answers

Option B is wrong because /etc/sysconfig/network is a system-wide file that sets global networking parameters (e.g., HOSTNAME, GATEWAY) but does not define per-interface IP addresses; editing it alone cannot configure a static IP for a specific interface. Option C is wrong because /etc/hostname only sets the system's hostname, not IP address configuration; it is unrelated to static IP assignment. Option D is wrong because /etc/network/interfaces is the configuration file used by Debian/Ubuntu systems (ifupdown), not by CentOS 7 which uses the ifcfg files under /etc/sysconfig/network-scripts/.

209
MCQeasy

Based on the exhibit, which port is listening only on the loopback interface?

A.53
B.22
C.443
D.80
AnswerA

Listening on 127.0.0.1, which is the loopback interface only.

Why this answer

Option A is correct because port 53 (DNS) is configured to listen only on the loopback interface (127.0.0.1) as shown in the exhibit's output of `ss -tlnp`. The listening address `127.0.0.1:53` indicates the service is bound exclusively to the loopback interface, meaning it is not accessible from external network interfaces.

Exam trap

The trap here is that candidates often confuse 'listening on all interfaces' (0.0.0.0) with 'listening only on loopback' (127.0.0.1), and may incorrectly assume that common services like SSH or HTTP are loopback-only when they are typically bound to all interfaces.

How to eliminate wrong answers

Option B (22) is wrong because SSH (port 22) is listening on `0.0.0.0:22`, which means it is bound to all interfaces, including external ones, not just the loopback. Option C (443) is wrong because HTTPS (port 443) is listening on `0.0.0.0:443`, indicating it is available on all interfaces, not restricted to loopback. Option D (80) is wrong because HTTP (port 80) is listening on `0.0.0.0:80`, meaning it is bound to all interfaces and not limited to the loopback interface.

210
Multi-Selectmedium

Which THREE commands can be used to view the contents of a compressed archive file without extracting it? (Select three.)

Select 3 answers
A.tar -tvf archive.tar.gz
B.zcat archive.gz
C.gunzip archive.gz
D.less archive.gz
E.bunzip2 archive.bz2
AnswersA, B, D

Lists contents of tar archive.

Why this answer

Options A, B, and E are correct: tar -tvf lists contents of a tarball; zcat shows gzip file content; less can read compressed files if configured. Option C (gunzip) decompresses; Option D (bunzip2) decompresses bzip2.

211
MCQhard

Refer to the exhibit. A system administrator notices that SSH connections to the server are being dropped immediately. Assuming the server's external interface is eth0, which rule is responsible for this behavior?

A.Rule 3
B.Both Rule 2 and Rule 3
C.Rule 1
D.Rule 2
AnswerA

Rule 3 drops all incoming traffic on eth0, which includes new SSH connections.

Why this answer

Rule 3 drops all incoming traffic on eth0. SSH traffic is a new connection, so it does not match Rule 2 (which only accepts established/related connections). It also does not match Rule 1 (loopback).

Therefore, Rule 3 drops the SSH connection.

212
MCQmedium

A system administrator notices that logrotate did not rotate the /var/log/messages file on a CentOS 7 server despite having a configuration at /etc/logrotate.d/syslog. The admin runs 'logrotate -d /etc/logrotate.conf' and sees that the syslog file is excluded due to 'olddir' option, but the olddir does not exist. Additionally, the logrotate status file (/var/lib/logrotate/logrotate.status) shows that /var/log/messages was last rotated 30 days ago. The logrotate cron job is scheduled daily. What is the most likely reason the rotation fails?

A.The log file size has not exceeded the configured maxsize threshold.
B.The olddir specified in the config does not exist, causing logrotate to error out before rotation.
C.The logrotate script does not have read permission on /var/log/messages.
D.The 'compress' option is missing, so logrotate skips the file.
AnswerB

Missing olddir directory causes failure.

Why this answer

The `logrotate -d` (debug) output explicitly states the file is excluded due to the 'olddir' option, and the admin confirmed the olddir does not exist. When logrotate is configured with an 'olddir' directive, it attempts to move the rotated log file to that directory before performing the rotation. If the directory does not exist, logrotate fails with an error and aborts the rotation for that log file, leaving it unrotated.

This is a common misconfiguration that prevents rotation even when all other conditions (e.g., age, size) are met.

Exam trap

The trap here is that candidates may assume the failure is due to a missing 'size' or 'compress' option, but the debug output's explicit 'excluded due to olddir' message directly points to the missing directory as the root cause.

How to eliminate wrong answers

Option A is wrong because the logrotate status shows the file was last rotated 30 days ago, and the cron job runs daily; the 'daily' frequency or 'maxage' directive would trigger rotation based on time, not just size, so the failure is not due to a size threshold. Option C is wrong because if logrotate lacked read permission on /var/log/messages, the debug output would show a permission denied error, not an exclusion due to 'olddir'. Option D is wrong because the 'compress' option is optional and does not cause logrotate to skip a file; missing compression simply means the rotated file is not compressed, but rotation still occurs.

213
MCQmedium

A system administrator has a cron job that runs a backup script. The script requires the variable BACKUP_DIR to be set, but the administrator cannot modify the script. Which is the most appropriate place to define the variable for cron?

A.In the crontab file with the line 'BACKUP_DIR=/var/backups' before the command
B.In /etc/profile.d/backup.sh
C.In /etc/environment
D.In ~/.bash_profile
AnswerA

crontab allows variable definitions.

Why this answer

Cron jobs run in a minimal environment and do not source shell profiles or login scripts. Defining BACKUP_DIR directly in the crontab file before the command ensures the variable is set in the cron execution context, which is the only reliable way to pass environment variables to cron without modifying the script.

Exam trap

The trap here is that candidates assume cron inherits the user's login environment or sources profile files, but cron explicitly does not, making inline crontab variable definitions the only correct approach.

How to eliminate wrong answers

Option B is wrong because /etc/profile.d/ scripts are sourced only by interactive login shells, not by cron, which uses a non-interactive, non-login shell. Option C is wrong because /etc/environment is read by PAM (pam_env.so) during login sessions, but cron does not use PAM for environment setup. Option D is wrong because ~/.bash_profile is sourced only for interactive login shells, and cron does not invoke a login shell.

214
MCQhard

A system administrator monitors a server that periodically becomes unresponsive for a few seconds. Investigation reveals that the kernel OOM killer is being invoked, but standard memory usage monitoring tools like 'free' and 'top' show less than 50% memory usage. The server runs a web server and a database. Which of the following is the most likely cause and diagnostic step?

A.The server is experiencing a fork bomb. Use 'ps -ef | wc -l' to count processes.
B.The database is using swap space excessively. Use 'swapon -s' to check swap usage.
C.The web server is leaking file descriptors. Use 'lsof -n' to check open files.
D.The kernel is using a large amount of memory for slab caches. Use 'slabtop' to examine kernel memory allocations.
AnswerD

Slab caches can consume significant memory not shown in standard memory tools; 'slabtop' helps identify this.

Why this answer

Option D is correct because the kernel OOM killer can be triggered by high slab cache usage, which is memory allocated for kernel data structures like inode and dentry caches. Standard tools like 'free' and 'top' may show low overall memory usage because they report only user-space memory, while slab caches are accounted separately. Using 'slabtop' allows the administrator to identify which kernel slab caches are consuming excessive memory, often due to a large number of small files or heavy filesystem metadata operations.

Exam trap

The trap here is that candidates assume OOM kills are always due to user-space memory exhaustion, overlooking that kernel slab caches can consume significant memory and trigger the OOM killer even when 'free' and 'top' show low usage.

How to eliminate wrong answers

Option A is wrong because a fork bomb would cause a rapid increase in process count and high CPU usage, not periodic unresponsiveness with low memory usage as reported by 'free' and 'top'; 'ps -ef | wc -l' would show an abnormally high number of processes, but the scenario describes memory pressure without high process count. Option B is wrong because excessive swap usage would be reflected in 'free' or 'top' as high swap usage, and the OOM killer is invoked when physical memory is exhausted, not when swap is used; 'swapon -s' shows swap devices and their usage, but the problem is kernel memory, not swap. Option C is wrong because a file descriptor leak would cause the process to hit the file descriptor limit (ulimit -n), leading to 'too many open files' errors, not OOM kills; 'lsof -n' lists open files but does not directly relate to kernel memory exhaustion.

215
MCQeasy

A network engineer needs to temporarily disable a network interface eth1 without bringing it down permanently. Which command?

A.systemctl stop network
B.ip link set eth1 down
C.nmcli device disconnect eth1
D.ifdown eth1
AnswerB

This temporarily brings the interface down until manually brought up or reboot.

Why this answer

The `ip link set eth1 down` command temporarily disables the eth1 interface by changing its state to DOWN at the kernel level, without making any persistent changes to configuration files. This is the correct approach for a temporary disable because the interface can be re-enabled with `ip link set eth1 up` and will revert to its configured state upon reboot.

Exam trap

The trap here is that candidates often confuse `ifdown eth1` as a temporary disable, but it can trigger persistent configuration changes or rely on deprecated tools, whereas `ip link set eth1 down` is the modern, stateless method for a temporary interface shutdown.

How to eliminate wrong answers

Option A is wrong because `systemctl stop network` disables all network interfaces managed by the network service and stops the entire networking stack, which is not a targeted temporary disable of a single interface. Option C is wrong because `nmcli device disconnect eth1` only disconnects the interface from NetworkManager's active connection, but the interface remains administratively UP and can be reconnected automatically; it does not bring the interface down at the kernel level. Option D is wrong because `ifdown eth1` is a legacy command that reads configuration files (e.g., /etc/network/interfaces) and may trigger persistent changes or rely on deprecated ifupdown scripts, making it unsuitable for a strictly temporary disable without side effects.

216
Multi-Selectmedium

Which TWO commands can be used to view the current routing table on a Linux system?

Select 2 answers
A.netstat -rn
B.ifconfig -a
C.ss -tuln
D.route -n
E.ip addr
AnswersA, D

Displays routing table.

Why this answer

Both `netstat -rn` and `route -n` display the kernel IP routing table. The `-r` flag in netstat shows the routing table, and `-n` disables DNS resolution, showing numeric addresses. The `route -n` command directly prints the routing table without resolving hostnames, making both commands suitable for viewing the current routing table.

Exam trap

The trap here is that candidates confuse `ip addr` (which shows addresses) with `ip route` (which shows routes), or assume `ifconfig` shows routing information because it displays interface details, but it never shows the routing table.

217
MCQmedium

To permanently mount an ext4 filesystem at /data with noatime option, which entry should be added to /etc/fstab?

A./dev/sdb1 /data ext4 defaults,noatime 0 0
B./dev/sdb1 /data ext4 noatime 0 0
C./dev/sdb1 /data ext4 defaults,noatime 1 0
D./dev/sdb1 /data ext4 defaults,noatime 0 1
AnswerA

Correct entry with proper options and flags.

Why this answer

Option A is correct because the /etc/fstab entry for a permanent mount requires the filesystem device, mount point, type, options, dump frequency, and fsck pass order. The 'defaults,noatime' option string includes 'defaults' (which implies rw, suid, dev, exec, auto, nouser, async) and then overrides the access time update behavior with 'noatime'. The dump field (5th column) is 0 to disable backups, and the fsck pass order (6th column) is 0 to skip filesystem checks at boot, which is appropriate for a non-root data partition.

Exam trap

The trap here is that candidates often confuse the dump and fsck fields, incorrectly assuming that a non-root data partition should have a non-zero fsck pass order, or they omit 'defaults' thinking 'noatime' alone is sufficient, but the LFCS exam expects the standard 'defaults,noatime' format with dump=0 and fsck=0 for a data mount.

How to eliminate wrong answers

Option B is wrong because it omits 'defaults' from the options field; while 'noatime' alone is a valid mount option, the fstab format expects a comma-separated list and omitting 'defaults' can cause unexpected behavior if other default options (like rw, exec) are not explicitly set, though technically it might work in some kernels, it is not the standard or recommended practice for a permanent mount. Option C is wrong because the dump field (5th column) is set to 1, which would enable the dump utility to back up this filesystem; for a non-root data partition, this should be 0 unless specifically required. Option D is wrong because the fsck pass order (6th column) is set to 1, which would cause the system to check this filesystem at boot with the same priority as the root filesystem; for a non-root data partition, this should be 0 to skip automatic fsck checks unless it is a critical filesystem.

218
MCQmedium

A system administrator is debugging why a service named 'myapp.service' fails to start. He runs 'systemctl status myapp.service' and sees the status 'failed' with details 'Exit code: 1' and 'Failed with result exit-code'. Which command should be used next to view the full log of the service?

A.journalctl -u myapp.service
B.systemctl show myapp.service
C.journalctl -x -u myapp.service
D.systemctl list-dependencies myapp.service
AnswerA

This shows the full log for the service unit.

Why this answer

The correct command is `journalctl -u myapp.service` because it retrieves the full systemd journal logs for the specified unit, showing detailed error messages, stdout/stderr output, and timestamps that explain why the service exited with code 1. The `-u` flag filters the journal to entries related to that specific service unit, which is essential for debugging exit-code failures.

Exam trap

The trap here is that candidates may confuse `systemctl show` (which shows unit properties) with `journalctl` (which shows logs), or think that the `-x` flag in `journalctl` is required to see the full log when it only adds explanatory catalog messages, not the actual service output.

How to eliminate wrong answers

Option B is wrong because `systemctl show myapp.service` displays the current properties and configuration parameters of the unit (e.g., environment variables, resource limits), not the runtime log output or error messages. Option C is wrong because while `journalctl -x -u myapp.service` adds explanatory context (catalog messages) to the log, the `-x` flag is optional and not required to view the full log; the core command is still `journalctl -u myapp.service`, and the question asks for the command to view the full log, not necessarily with extra decoration. Option D is wrong because `systemctl list-dependencies myapp.service` shows the dependency tree of the unit (e.g., required mounts, sockets, other services), which is irrelevant to debugging the exit-code failure.

219
MCQmedium

Based on the iptables-save output, what is the default policy for the FORWARD chain and what happens to a new SSH connection from an external host on eth0?

A.Default policy FORWARD is ACCEPT; SSH connections are dropped.
B.Default policy FORWARD is DROP; SSH connections are dropped.
C.Default policy FORWARD is DROP; SSH connections are accepted.
D.Default policy FORWARD is ACCEPT; SSH connections are accepted.
AnswerC

FORWARD default is DROP; SSH rule allows traffic on port 22.

Why this answer

The default policy for the FORWARD chain is DROP, as shown in the iptables-save output (e.g., `:FORWARD DROP [0:0]`). A new SSH connection from an external host on eth0 is accepted because there is a rule in the FORWARD chain that matches incoming SSH traffic (typically TCP port 22) and has a target of ACCEPT, overriding the default DROP policy for that specific traffic.

Exam trap

The trap here is that candidates often confuse the default policy with the actual behavior for specific traffic, assuming that a DROP default policy means all traffic is dropped, ignoring the effect of explicit ACCEPT rules.

How to eliminate wrong answers

Option A is wrong because the default policy for FORWARD is DROP, not ACCEPT, and SSH connections are accepted, not dropped. Option B is wrong because although the default policy is DROP, SSH connections are accepted due to a specific rule, not dropped. Option D is wrong because the default policy is DROP, not ACCEPT, and SSH connections are accepted, not dropped.

220
Multi-Selecthard

Which THREE of the following are potential causes for a system failing to boot with 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block'?

Select 3 answers
A.The SATA cable for the root disk is loose, causing the disk to be detected intermittently.
B.The partition table on the root disk uses GPT but the BIOS is set to legacy boot.
C.The initramfs image is missing the necessary tools to mount the root filesystem, e.g., missing filesystem driver.
D.The root filesystem is corrupted and cannot be read by the kernel.
E.The root filesystem is located on a device that requires a kernel module not included in the initramfs.
AnswersC, D, E

If initramfs lacks the driver, mount fails.

Why this answer

Options A, C, and D are correct. A missing root filesystem, unsupported filesystem, or bad initrd are common causes. Option B is wrong because SATA cable issue would prevent detection entirely, but the error mentions unknown-block (device exists but cannot mount).

Option E is wrong because GPT vs MBR affects partition table, not filesystem mount.

221
MCQhard

Refer to the exhibit. What is the most likely security issue?

A.SSH service is not running.
B.The root account is disabled.
C.Someone is attempting to brute-force the root password.
D.The firewall is blocking SSH.
AnswerC

Repeated failed attempts from same IP indicate a brute-force attack.

Why this answer

The exhibit shows multiple failed SSH login attempts for the root user from the same IP address in quick succession, as seen in the auth.log or secure log entries. This pattern indicates a brute-force attack, where an attacker systematically tries different passwords to gain unauthorized root access. Option C is correct because the repeated 'Failed password for root' messages are the hallmark of a brute-force attempt.

Exam trap

The trap here is that candidates may see 'SSH' and 'root' and incorrectly assume the service is down or the account is disabled, rather than recognizing the pattern of repeated failed login attempts as a brute-force attack.

How to eliminate wrong answers

Option A is wrong because the SSH service is clearly running and accepting connections, as evidenced by the log entries showing SSH authentication attempts. Option B is wrong because the root account is not disabled; if it were disabled, the log would show 'User root not allowed because account is locked' or similar, not 'Failed password' attempts. Option D is wrong because the firewall is not blocking SSH; if it were, the connection attempts would not reach the SSH daemon to generate authentication failure logs.

222
MCQhard

You are a system administrator for a company that runs a web server on a Linux system. The web server logs are stored in /var/log/nginx/access.log. The log file grows rapidly and rotates weekly via logrotate. The system has been running for several months. Recently, the development team reported that the web server is responding slowly. You suspect that the disk I/O might be high due to log file activity. You check the disk usage and find that /var/log/nginx/access.log is 4 GB, and the rotated logs (access.log.1.gz, access.log.2.gz, etc.) total another 10 GB. The /var partition has 20 GB total, so it's 70% full. You decide to reduce the disk usage by compressing the current log file and truncating it without stopping the nginx service. Which command sequence should you use to safely achieve this?

A.:> /var/log/nginx/access.log && cp /var/log/nginx/access.log /var/log/nginx/access.log.bak && gzip /var/log/nginx/access.log.bak
B.cp /var/log/nginx/access.log /var/log/nginx/access.log.bak && :> /var/log/nginx/access.log && gzip /var/log/nginx/access.log.bak
C.rm /var/log/nginx/access.log && touch /var/log/nginx/access.log && chmod 644 /var/log/nginx/access.log
D.mv /var/log/nginx/access.log /var/log/nginx/access.log.bak && touch /var/log/nginx/access.log && gzip /var/log/nginx/access.log.bak
AnswerB

Correct: copies the file, truncates the original (keeping inode), compresses the copy.

Why this answer

Option B is correct because it first copies the current log file to a backup, then truncates the original file in place using the shell null command (`:>`) without stopping nginx, and finally compresses the backup. This ensures nginx continues writing to the same inode (file descriptor remains valid) and the disk space is reclaimed after compression.

Exam trap

The trap here is that candidates often choose `mv` and `touch` (Option D) thinking it's the standard logrotate method, but without signaling nginx, the old file descriptor remains attached to the moved file, causing the new empty file to be ignored and log data to be written to the renamed file instead.

How to eliminate wrong answers

Option A is wrong because it truncates the log file before copying it, resulting in an empty backup and loss of log data. Option C is wrong because `rm` removes the file entirely, breaking nginx's open file descriptor and causing it to log to a deleted inode until restarted; `touch` creates a new file with a different inode, and the permission reset is unnecessary. Option D is wrong because `mv` moves the file to a new name, which changes the inode; nginx continues writing to the old inode (now renamed), and the new `touch`ed file is not used until nginx is restarted or signaled, causing log loss or misdirection.

223
MCQmedium

A server has two network interfaces: eth0 (public IP 203.0.113.10/24) and eth1 (private IP 10.0.0.1/8). The default gateway is 203.0.113.1. The admin wants to ensure that traffic to the private subnet 10.0.0.0/8 goes via eth1. Which command correctly adds a static route?

A.ip route add 10.0.0.1/8 dev eth1
B.ip route add 10.0.0.0/8 via 10.0.0.1 dev eth0
C.ip route add 10.0.0.0/8 dev eth1
D.route add -net 10.0.0.0/8 eth1
AnswerC

Correct: adds network route via device eth1.

Why this answer

Option C is correct because it adds a static route for the 10.0.0.0/8 network directly via the eth1 interface, which is the private interface with IP 10.0.0.1/8. The `ip route add` command with `dev eth1` specifies that traffic destined for the 10.0.0.0/8 subnet should be sent out through eth1, without needing a next-hop gateway since eth1 is directly connected to that subnet.

Exam trap

The trap here is that candidates often confuse the network address with a host address (as in Option A) or incorrectly assume a gateway is always required (as in Option B), forgetting that directly connected networks only need a device specification.

How to eliminate wrong answers

Option A is wrong because it specifies the destination as 10.0.0.1/8, which is a host address (10.0.0.1) with a /8 prefix, instead of the network address 10.0.0.0/8; this would create a route for a single host, not the entire subnet. Option B is wrong because it uses `via 10.0.0.1 dev eth0`, which attempts to route 10.0.0.0/8 traffic through eth0 (the public interface) to the gateway 10.0.0.1, but 10.0.0.1 is not reachable via eth0 and the gateway should be on the same subnet as the interface; this would cause traffic to be sent to the wrong interface. Option D is wrong because the `route add` command syntax is incorrect: it uses `-net 10.0.0.0/8 eth1` but the correct syntax requires a `dev` keyword before the interface name (e.g., `route add -net 10.0.0.0/8 dev eth1`), and the command as written would fail or be misinterpreted.

224
MCQhard

A user reports that they cannot log in via SSH. The system administrator checks that the account is not locked, the password is correct, and the shell is valid. However, the user's home directory is owned by root instead of the user. What is the most likely cause of the login failure?

A.The home directory ownership is incorrect, causing SSH PAM session module to reject login
B.The user's login shell is not listed in /etc/shells
C.The /etc/nologin file exists
D.The user's entry in /etc/shadow is corrupted
AnswerA

pam_umask or pam_limits may check ownership; many systems require home owned by user.

Why this answer

Option D is correct because SSH uses PAM, and the pam_unix module checks that the home directory is owned by the user and not writable by others. If owned by root, SSH may deny login for security reasons. Option A (shadow file) would be different if permission wrong.

Option B (nologin) would affect all users. Option C (shell not in /etc/shells) would give a different error.

225
MCQmedium

A backup script must create a compressed archive of the /etc directory, preserving file permissions and timestamps. Which command should be used?

A.gzip -r /etc > backup.tar.gz
B.cpio -ov < /etc > backup.cpio
C.rsync -av /etc /backup/etc
D.tar -czvf backup.tar.gz /etc
AnswerD

tar with -czvf creates a gzipped archive preserving permissions and timestamps.

Why this answer

Option D is correct because the `tar -czvf` command creates a compressed archive (via gzip) that preserves file permissions and timestamps by default when run as root. The `-c` flag creates the archive, `-z` compresses it with gzip, `-v` provides verbose output, and `-f` specifies the archive filename. Tar is the standard Unix tool for bundling files into a single archive while retaining metadata like ownership, permissions, and timestamps.

Exam trap

The trap here is that candidates confuse `gzip` (which compresses individual files) with `tar` (which archives directories), or they think `rsync` creates an archive file when it actually creates a directory copy, not a compressed archive.

How to eliminate wrong answers

Option A is wrong because `gzip -r` recursively compresses individual files in place, not creating a single archive; it would replace each file with a .gz version, losing the directory structure and not preserving permissions in a bundled format. Option B is wrong because `cpio -ov < /etc` reads from stdin, but `/etc` is a directory, not a file list; cpio requires a list of files piped via `find` or similar, and without `--preserve-modification-time` it does not preserve timestamps by default. Option C is wrong because `rsync -av` synchronizes files to a destination directory, not creating a single compressed archive file; it preserves permissions and timestamps but produces a directory copy, not a portable archive like tar.gz.

Page 2

Page 3 of 7

Page 4

All pages