Linux Foundation Certified System Administrator LFCS (LFCS) — Questions 301375

513 questions total · 7pages · All types, answers revealed

Page 4

Page 5 of 7

Page 6
301
MCQhard

After a kernel update, a service fails to start with 'cannot allocate memory'. The system has 16GB RAM and 8GB swap. Which command should the administrator run first to diagnose potential memory limits?

A.free -m
B.ulimit -a
C.cat /proc/meminfo
D.sysctl vm.overcommit_memory
AnswerB

Shows process resource limits, which may be too low.

Why this answer

Option B is correct because `ulimit -a` displays all current user-level resource limits, including `max memory size`, `max processes`, and `max locked memory`. After a kernel update, the service may be hitting a newly enforced or reduced `ulimit` (e.g., `RLIMIT_AS` or `RLIMIT_DATA`), which can cause 'cannot allocate memory' even when system memory is abundant. This command is the fastest way to check if a per-process limit is the culprit.

Exam trap

The trap here is that candidates see 'cannot allocate memory' and immediately think of system memory exhaustion, leading them to choose `free -m` or `/proc/meminfo`, but the LFCS exam tests the distinction between system-wide memory and per-process resource limits enforced by `ulimit`.

How to eliminate wrong answers

Option A is wrong because `free -m` shows overall system memory and swap usage, but the error 'cannot allocate memory' can occur even with plenty of free RAM if a per-process limit is imposed; `free` does not reveal user limits. Option C is wrong because `cat /proc/meminfo` provides detailed kernel memory statistics (e.g., MemTotal, MemFree, Committed_AS) but does not show per-process resource limits enforced by the shell or PAM; it cannot diagnose a `ulimit` restriction. Option D is wrong because `sysctl vm.overcommit_memory` controls the kernel's memory overcommit policy (0=heuristic, 1=always, 2=never overcommit), but the error 'cannot allocate memory' from a service is typically a per-process limit issue, not a system-wide overcommit setting; changing this sysctl is a more advanced step after confirming limits.

302
Multi-Selectmedium

Which THREE are common tools used for network troubleshooting on Linux?

Select 3 answers
A.traceroute
B.fdisk
C.ping
D.tcpdump
E.useradd
AnswersA, C, D

Traces the route packets take to a destination.

Why this answer

A. traceroute is correct because it uses ICMP (or UDP on some systems) to trace the path packets take to a destination, revealing each hop's IP address and round-trip time. This helps identify routing issues, packet loss, or latency bottlenecks in the network path.

Exam trap

The trap here is that candidates might confuse system administration tools (like fdisk and useradd) with network utilities, or incorrectly assume that any command that interacts with the system can be used for network troubleshooting, when only dedicated network diagnostic tools like traceroute, ping, and tcpdump are appropriate.

303
MCQmedium

A system administrator needs to increase the size of an existing filesystem mounted at /var/www. The filesystem resides on a logical volume /dev/vg_web/lv_web. The volume group has free space. The administrator runs: lvextend -L +5G /dev/vg_web/lv_web, and then resize2fs /dev/vg_web/lv_web. The commands complete without error, but df shows the filesystem size did not change. What is the most likely reason?

A.The resize2fs command was run without the device path; it requires the mount point.
B.The volume group does not have enough free extents; the lvextend failed silently.
C.The filesystem is not ext4; it is XFS, which requires xfs_growfs.
D.The logical volume was not properly extended; need to use pvresize.
AnswerC

Correct: XFS uses xfs_growfs, not resize2fs.

Why this answer

Option B is correct because if the filesystem is XFS (common for /var/www), resize2fs will not work; xfs_growfs must be used. Option A is false; resize2fs can take the device path. Option C is unnecessary; lvextend does not require pvresize.

Option D would have produced an error if lvextend failed.

304
MCQmedium

Refer to the exhibit. User 'alice' is a member of groups 'users' and 'projectx'? She needs to be a member of 'staff' as well. Which of the following statements is true?

A.Alice is a member of 'projectx' but the groups command is outdated
B.Alice's primary group is 'users' and she cannot have supplementary groups
C.The entry in /etc/group for 'projectx' is incorrect because alice is not a member
D.To become a member of 'staff', alice must either log out and log in, or use newgrp command
AnswerD

New group memberships are only effective after re-login or newgrp.

Why this answer

Option C is correct. The groups command shows only 'users', meaning her secondary groups are not updated; she is not actually a member of 'projectx' yet because new group memberships require re-login. Option A: /etc/group lists her in projectx but groups command hasn't updated because she hasn't re-logged in.

Option B: She is in users as primary? Actually users is likely her primary group? Not necessarily, but the groups command shows users as the only group. Option D: The primary group is determined by /etc/passwd, not shown here.

305
MCQhard

A system administrator is troubleshooting network connectivity from a server that can reach internal resources but cannot access the internet. The server's /etc/sysconfig/network-scripts/ifcfg-eth0 file contains: BOOTPROTO=static, IPADDR=10.0.0.10, NETMASK=255.255.255.0, GATEWAY=10.0.0.1. The administrator runs 'ip route show' and sees: default via 10.0.0.1 dev eth0. However, 'ping 8.8.8.8' fails. Which is the most likely cause?

A.The default gateway is missing from the routing table.
B.The gateway 10.0.0.1 is not configured to forward traffic to the internet (no NAT or upstream route).
C.DNS resolution is not configured.
D.A firewall is blocking outbound ICMP traffic.
AnswerB

The private IP gateway cannot route to the internet without NAT or a public IP.

Why this answer

The routing table shows a default gateway (10.0.0.1) is present, so the issue is not a missing route. Since the server can reach internal resources but not the internet, the most likely cause is that the gateway itself (10.0.0.1) is not configured to perform NAT or does not have an upstream route to forward traffic beyond the local subnet. Without this, packets destined for 8.8.8.8 are sent to the gateway but are then dropped because the gateway has no path to the internet.

Exam trap

The trap here is that candidates often assume a missing default gateway is the problem when ping fails, but the question explicitly shows the default route exists, so the real issue is the gateway's inability to forward traffic beyond the local network.

How to eliminate wrong answers

Option A is wrong because the 'ip route show' output explicitly shows 'default via 10.0.0.1 dev eth0', meaning the default gateway is present in the routing table. Option C is wrong because DNS resolution is not required for a ping to an IP address like 8.8.8.8; the failure occurs at the network layer, not at the application or name resolution layer. Option D is wrong because while a firewall could block ICMP, the question states the server can reach internal resources, and the most likely cause given the routing configuration is a gateway issue; a firewall blocking outbound ICMP would not explain why the gateway itself is unreachable for internet traffic, and the symptom is consistent with a lack of NAT or upstream route on the gateway.

306
MCQmedium

A developer reports that a compiled binary 'app' fails to execute with 'Permission denied' error when run from a mounted directory '/mnt/software'. The binary has execute permissions for all users. What is the most likely cause?

A.SELinux is blocking execution.
B.The binary is linked against missing libraries.
C.The filesystem is mounted with the 'noexec' option.
D.The binary is setuid but owned by a user other than root.
AnswerC

The 'noexec' mount option prevents execution of binaries.

Why this answer

Option C is correct because if the filesystem is mounted with the 'noexec' option, no binaries can be executed from it, even if they have execute permissions. Option A (setuid) would not cause 'Permission denied' but rather may require root ownership. Option B (SELinux) could cause denial but is more specific; noexec is a common misconfiguration.

Option D (missing libraries) results in 'cannot execute binary file' or 'error while loading shared libraries'.

307
MCQhard

A user named 'charlie' has just been added to the 'devops' group. However, when 'charlie' runs 'sudo -l', no sudo entries are shown. What is the most likely cause?

A.'charlie' is not listed by name in the sudoers file.
B.'charlie' must log out and log back in for the group change to take effect.
C.'charlie' is also a member of another group that restricts sudo.
D.The systemctl command is not executable by 'charlie'.
E.The sudoers file has a syntax error.
AnswerB

Correct: Group changes require a new login session to be recognized by PAM and sudo.

Why this answer

Option B is correct because when a user is added to a new group, the group membership is only applied to new login sessions. The `sudo -l` command checks the user's current group memberships, which are cached at login time. Since 'charlie' was added to the 'devops' group while already logged in, the new group membership is not reflected until 'charlie' logs out and logs back in, or uses `newgrp` or `sg` to start a new session with the updated groups.

Exam trap

The trap here is that candidates assume group changes are immediate for all processes, but Linux caches group membership at login time, so `sudo -l` reflects only the groups present when the session started.

How to eliminate wrong answers

Option A is wrong because the sudoers file can grant sudo access via group membership (e.g., `%devops ALL=(ALL) ALL`), so 'charlie' does not need to be listed by name; the group membership should suffice. Option C is wrong because being a member of another group does not restrict sudo unless that group is explicitly denied in sudoers; group membership is additive, not restrictive. Option D is wrong because the `systemctl` command's executability is irrelevant to `sudo -l` showing entries; `sudo -l` displays the commands the user is allowed to run, not whether a specific command is executable.

Option E is wrong because a syntax error in the sudoers file would typically cause `sudo` to fail with an error message (e.g., 'syntax error near line X'), not silently show no entries.

308
MCQeasy

A user wants to find the location of the 'grep' binary. Which command should they use?

A.man grep
B.which grep
C.uname -a
D.grep -r 'grep' /usr/bin
AnswerB

Displays the full path of the grep command.

Why this answer

The 'which' command is specifically designed to locate the binary (executable) of a command by searching the directories listed in the user's PATH environment variable. Option B, 'which grep', will output the full path to the grep binary, such as '/usr/bin/grep', directly answering the user's request.

Exam trap

The trap here is that candidates may confuse documentation commands (man) or system information commands (uname) with binary location commands, or mistakenly think a recursive grep search is an efficient way to find a binary, when 'which' is the standard, straightforward tool for this task.

How to eliminate wrong answers

Option A is wrong because 'man grep' displays the manual page for grep, which provides documentation and usage information, not the filesystem location of the binary. Option C is wrong because 'uname -a' prints system information (kernel name, hostname, kernel release, etc.), which is unrelated to locating a command's binary. Option D is wrong because 'grep -r' performs a recursive text search for the string 'grep' within files under /usr/bin, which is inefficient, may return many irrelevant matches, and does not reliably identify the grep binary itself.

309
Multi-Selecthard

Which TWO commands can be used to create a new empty file?

Select 2 answers
A.touch file
B.mkdir file
C.cat file
D.> file
E.echo 'text' > file
AnswersA, D

Creates an empty file if it does not exist.

Why this answer

Option A is correct because the `touch` command is specifically designed to create an empty file if it does not already exist, or update its timestamps if it does. Option D is correct because using the shell redirection operator `>` with no command before it (or with a null command) creates an empty file by truncating any existing content or creating a new zero-byte file.

Exam trap

The trap here is that candidates may think `echo 'text' > file` creates an empty file because they focus on the redirection operator, but the echo command always writes at least a newline, so the file is not empty.

310
Multi-Selecthard

Which TWO are valid methods to configure a network interface on a Linux system?

Select 2 answers
A.Using sysctl to set net.ipv4.conf.eth0.forwarding
B.Using systemctl enable network.service
C.Editing /etc/network/interfaces
D.Using nmcli connection add
E.Editing /etc/sysconfig/network
AnswersC, D

This file is used by ifupdown on Debian/Ubuntu systems.

Why this answer

Option C is correct because /etc/network/interfaces is the traditional configuration file used by the ifup/ifdown system on Debian-based distributions to define network interfaces, including IP addresses, netmasks, and gateways. This file is parsed by the ifup command to bring interfaces up with the specified settings, making it a valid method for persistent network configuration.

Exam trap

The trap here is that candidates confuse global network configuration files (like /etc/sysconfig/network) with per-interface configuration files, or mistake sysctl for a tool that can set interface IP addresses, when it only modifies kernel parameters unrelated to interface addressing.

311
MCQeasy

Which systemd unit type is used to group services and other units together for boot execution?

A.socket
B.timer
C.service
D.target
AnswerD

target units group services and other units.

Why this answer

In systemd, the 'target' unit type is designed to group services, sockets, timers, and other units into a logical synchronization point for boot execution. Targets do not execute code themselves but instead define dependencies (via Wants, Requires, and After directives) that ensure all associated units are started in the correct order to reach a desired system state, such as multi-user.target or graphical.target.

Exam trap

The trap here is that candidates often confuse 'service' units with the concept of grouping, because services are the most common unit type, but they fail to recognize that only 'target' units can aggregate multiple units into a single boot synchronization point.

How to eliminate wrong answers

Option A is wrong because a 'socket' unit type is used for socket-based activation (e.g., listening on a TCP port or Unix socket), not for grouping units for boot execution. Option B is wrong because a 'timer' unit type schedules and triggers services based on time or calendar events, not for grouping units during boot. Option C is wrong because a 'service' unit type manages a single daemon or process, not a collection of units; grouping multiple services requires a target.

312
MCQeasy

A user needs to view the contents of a compressed log file /var/log/syslog.gz without first decompressing it. Which command should they use?

A.zcat /var/log/syslog.gz
B.gzip -d /var/log/syslog.gz
C.gunzip /var/log/syslog.gz
D.cat /var/log/syslog.gz
AnswerA

Correct: prints compressed file to stdout.

Why this answer

Option A is correct because `zcat` is specifically designed to read the contents of gzip-compressed files without permanently decompressing them. It decompresses the data on the fly and sends the output to stdout, allowing the user to view the log file's contents directly from the terminal.

Exam trap

The trap here is that candidates may confuse commands that permanently decompress files (like `gzip -d` or `gunzip`) with commands that only display the contents, leading them to choose an option that alters the file system state instead of just viewing the data.

How to eliminate wrong answers

Option B is wrong because `gzip -d` permanently decompresses the file, replacing `syslog.gz` with an uncompressed `syslog` file, which alters the original compressed archive. Option C is wrong because `gunzip` is equivalent to `gzip -d` and also permanently decompresses the file, removing the `.gz` version. Option D is wrong because `cat` reads raw binary data and will output garbled, unreadable content when applied to a gzip-compressed file, as it does not perform any decompression.

313
MCQeasy

A Linux server at a hosting provider uses a software RAID 5 array with three 2 TB disks (sda, sdb, sdc) configured as /dev/md0, hosting a large ext4 filesystem. The server experiences a performance degradation and I/O errors. The administrator checks /proc/mdstat and sees that /dev/sda is marked as failed. The remaining two disks are still active. The administrator has a spare disk /dev/sdd of the same size. The filesystem is sparse and can tolerate downtime. What is the most appropriate course of action to restore the array to a fully functional state with redundancy?

A.Recreate the RAID 5 array from scratch using all three healthy disks (sdb, sdc, sdd) and restore data from backup.
B.Run 'mdadm --manage /dev/md0 --fail /dev/sda --remove /dev/sda', then 'mdadm --manage /dev/md0 --add /dev/sdd'.
C.Run 'mdadm --manage /dev/md0 --add /dev/sdd' to directly add the new disk and let the array rebuild automatically.
D.Use LVM to mirror the two healthy disks and ignore the failed one, ensuring data redundancy.
AnswerB

The standard procedure: fail and remove the failed disk, then add the spare, triggering a rebuild.

Why this answer

Option B is correct because the proper procedure is to first mark the failed disk as failed in the MD array, remove it, then add the new disk, which triggers a rebuild. Option A is wrong because simply adding the new disk without removing the failed one will not work; the array still has a failed disk. Option C is wrong because recreating the array destroys existing data.

Option D is wrong because LVM does not have native RAID capabilities and this would not utilize the existing RAID metadata.

314
Multi-Selecthard

Which THREE conditions can cause an 'RTNETLINK answers: File exists' error when adding a static route?

Select 3 answers
A.The route exists with a different metric but same destination and netmask.
B.The gateway is unreachable.
C.The interface is down.
D.The route exists with a different gateway but same destination and netmask.
E.The route already exists with the same destination and netmask (exact duplicate).
AnswersA, D, E

Metric is not part of the uniqueness; still duplicates.

Why this answer

Option A is correct because the Linux kernel's routing table uses the destination and netmask as a unique key for route entries. When adding a route with 'ip route add', if a route already exists with the same destination and netmask but a different metric, the kernel returns 'RTNETLINK answers: File exists' because the metric is not part of the uniqueness check — only the destination prefix and netmask are considered. The metric is a per-route property that does not disambiguate routes in the FIB (Forwarding Information Base).

Exam trap

The trap here is that candidates often assume the metric or gateway differentiates routes, but the Linux kernel treats the destination/netmask pair as the sole unique identifier for a route entry, so any duplicate prefix — even with different metrics or gateways — triggers the 'File exists' error.

315
MCQhard

Your company runs a critical database server that uses a 2TB XFS filesystem mounted at /data. The filesystem resides on an LVM logical volume (lv_data) within a volume group (vg_data) that spans four physical volumes (each 600GB SSD). You have been receiving low-space alerts: /data is at 95% capacity. After reviewing usage, you determine that the database will need an additional 500GB within the next month. The server has no additional physical disks available, but there is an unused 1TB SSD in inventory that you can install. However, the server is in production and cannot be rebooted. The system uses a 5.10 Linux kernel. Which of the following is the best approach to increase the available space for /data?

A.Create a RAID 0 array with the existing SSDs and the new SSD using mdadm, then format with XFS and mount at a different mount point, then move data.
B.Shrink other logical volumes in vg_data that are not important to free up space, then extend lv_data.
C.Install the new SSD, create a partition with fdisk, run pvcreate, vgextend vg_data, lvextend -L +500G /dev/vg_data/lv_data, and then run xfs_growfs /data.
D.Backup /data to an external drive, delete the logical volume, volume group, and physical volumes, then recreate everything including the new SSD to have a single large filesystem, then restore data.
AnswerC

Online expansion of XFS is supported; all steps are non-disruptive.

Why this answer

Option C is correct because it follows the proper procedure to add a new physical disk to an existing LVM volume group, extend the logical volume, and then grow the XFS filesystem online without unmounting or rebooting. The `xfs_growfs` command is specifically designed to expand an XFS filesystem while it is mounted, which is essential for a production database server that cannot be rebooted.

Exam trap

The trap here is that candidates may think a reboot or unmounting is required to extend an XFS filesystem on LVM, but `xfs_growfs` works online, and the correct sequence of LVM commands (pvcreate, vgextend, lvextend) followed by `xfs_growfs` is the only way to add space without downtime.

How to eliminate wrong answers

Option A is wrong because creating a RAID 0 array with mdadm would require reformatting and moving data, causing downtime, and does not integrate with the existing LVM structure. Option B is wrong because shrinking other logical volumes is risky, may not free up enough contiguous space, and is not the recommended approach when a new physical disk is available. Option D is wrong because backing up and recreating the entire LVM stack is unnecessarily disruptive, requires downtime, and is not needed when LVM supports online extension with `xfs_growfs`.

316
MCQmedium

Refer to the exhibit. A system administrator needs to mount the boot filesystem. Which partition should be used?

A./dev/sda2
B.None of the above
C./dev/sda1
D./dev/sda3
AnswerC

EFI System Partition used as /boot/efi or /boot on UEFI systems.

Why this answer

Option C is correct because /dev/sda1 is typically the first partition on a disk and is commonly used as the boot partition in MBR or GPT layouts, containing the bootloader and kernel images. The boot filesystem (often mounted at /boot) must be accessible early in the boot process, and partition 1 is the standard location for this purpose.

Exam trap

The trap here is that candidates may assume the boot partition is always /dev/sda2 (the root partition) or that 'None of the above' is a safe default, but the LFCS exam expects knowledge of standard partition numbering where /dev/sda1 is the boot partition.

How to eliminate wrong answers

Option A is wrong because /dev/sda2 is usually reserved for the root filesystem or swap, not the boot partition, and using it would conflict with standard partitioning conventions. Option B is wrong because /dev/sda1 is a valid partition that can serve as the boot filesystem, so 'None of the above' is incorrect. Option D is wrong because /dev/sda3 is typically an extended partition or a logical volume container, not the primary boot partition, and it may not be directly bootable.

317
MCQeasy

Which tool is the recommended method for persistently configuring network interfaces in RHEL 8?

A.Using the 'ip' command with persistent flags
B.Using nmcli commands
C.Editing /etc/sysconfig/network-scripts/ifcfg-* files directly
D.Using systemd-networkd configuration files
AnswerB

NetworkManager with nmcli is the standard tool for persistent network configuration.

Why this answer

In RHEL 8, NetworkManager is the default networking daemon, and 'nmcli' is the recommended command-line tool for persistently configuring network interfaces. Unlike temporary 'ip' commands, nmcli writes configuration to NetworkManager connection profiles, ensuring changes survive reboots. Red Hat officially deprecates direct editing of ifcfg files in RHEL 8 and uses NetworkManager as the primary interface.

Exam trap

The trap here is that candidates familiar with older RHEL versions (6/7) may default to editing ifcfg files directly, not realizing that RHEL 8 deprecates this method and officially recommends nmcli for persistent configuration.

How to eliminate wrong answers

Option A is wrong because the 'ip' command only makes runtime changes that are lost on reboot; it has no persistent flags to save configuration. Option C is wrong because while ifcfg files are still read by NetworkManager for backward compatibility, Red Hat deprecates direct editing in RHEL 8 and recommends nmcli or nmtui instead. Option D is wrong because systemd-networkd is not the default or recommended network stack in RHEL 8; RHEL 8 uses NetworkManager, not systemd-networkd.

318
MCQmedium

You are a system administrator for a financial firm. One of your users, 'alice', has forgotten her password and is locked out of the system. The security policy requires that all passwords must be changed every 30 days. Alice's account was disabled due to inactivity; the account has been inactive for 45 days. You need to unlock the account and ensure that Alice must change her password at the next login. You have root access. Which set of commands should you run?

A.usermod -U alice; chage -d 0 alice
B.passwd -u alice; chage -M 30 alice
C.usermod -e '' alice; passwd alice
D.chage -E -1 alice; usermod -L alice
AnswerA

Unlocks and forces immediate password change.

Why this answer

Option A is correct. usermod -U unlocks the account, and chage -d 0 forces password change. Option B: passwd -u is not standard on all distros; chage -M 30 sets max days but does not force immediate change. Option C: usermod -e '' sets no account expiry but may not unlock; passwd alice sets a new password but does not force change.

Option D: chage -E -1 sets no account expiry but also uses usermod -L which locks the account.

319
MCQeasy

A server is running out of disk space. Which command will show the disk usage of the root filesystem in a human-readable format?

A.ls -lh /
B.df -h /
C.fdisk -l /
D.du -sh /
AnswerB

Shows filesystem usage in human-readable format.

Why this answer

The `df -h /` command displays disk usage for the root filesystem (`/`) in a human-readable format (e.g., GB, MB) by using the `-h` flag. This is the standard tool for checking filesystem-level disk space, not directory-level usage.

Exam trap

The trap here is that candidates confuse `du` (directory usage) with `df` (filesystem usage), often picking `du -sh /` because it shows a large number, but they fail to realize it does not report filesystem capacity or available space, which is what the question explicitly asks for.

How to eliminate wrong answers

Option A is wrong because `ls -lh /` lists the contents of the root directory with sizes in human-readable format, but it does not show disk usage of the filesystem itself—it only shows file and directory sizes, which is not the same as filesystem capacity or usage. Option C is wrong because `fdisk -l /` is used to manipulate or display the partition table of a disk device (e.g., `/dev/sda`), not to show filesystem disk usage; passing `/` as an argument is invalid and will produce an error. Option D is wrong because `du -sh /` calculates the total disk usage of all files and directories under `/` (i.e., the entire filesystem tree), but it does not show the filesystem's total capacity or available space; it also takes significantly longer to run and is not the intended command for checking filesystem-level disk usage.

320
Drag & Dropmedium

Order the steps to configure a cron job that runs a script every day at 2 AM.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Cron format: minute hour day month weekday. 0 2 * * * means 2:00 AM daily.

321
Multi-Selectmedium

Which TWO commands can be used to display the routing table on a Linux system? (Choose two.)

Select 2 answers
A.route -n
B.ip route
C.ss -r
D.traceroute
E.ping -R
AnswersA, B

Route command with -n shows numeric routes.

Why this answer

The `route -n` command displays the kernel IP routing table with numeric addresses, showing destination, gateway, netmask, and interface. The `ip route` command from the iproute2 suite shows the same routing table with more detail and is the modern replacement for `route`. Both are standard tools for viewing routing information on Linux.

Exam trap

The trap here is that candidates confuse `ss` with `route` or `ip` because `ss` is a socket statistics tool, and the `-r` option might be misread as 'route', but `ss -r` only resolves hostnames in its output and does not display routing information.

322
MCQmedium

Refer to the exhibit. A user attempts to read /etc/passwd and receives "Permission denied". What is the most likely reason?

A.The user is not in the root group.
B.The file has the immutable attribute set.
C.The user does not have read permission on the file.
D.The user does not have execute permission on the /etc directory.
AnswerD

Even with file read permission, the user must have execute permission on the directory to access the file.

Why this answer

To read a file, a user needs both read permission on the file itself and execute permission on every directory in the path leading to it. The /etc directory typically has permissions 755 (drwxr-xr-x), which grants execute permission to the owner and group but not to others. If the user is not the owner and not in the group, they lack execute (x) on /etc, which prevents them from traversing into the directory to access /etc/passwd, even if the file's permissions would otherwise allow reading.

Exam trap

The trap here is that candidates assume 'Permission denied' always means missing read permission on the file itself, but the LFCS exam tests the subtle requirement of directory execute permission for path traversal, especially on directories like /etc that are not world-executable.

How to eliminate wrong answers

Option A is wrong because being in the root group does not grant any special file access; group membership only matters if the file's group permissions allow access, and /etc/passwd is typically world-readable (644), so group membership is irrelevant. Option B is wrong because the immutable attribute (chattr +i) prevents modification or deletion of a file, not reading; a user can still read an immutable file if they have read permission. Option C is wrong because /etc/passwd typically has permissions 644 (rw-r--r--), meaning all users have read permission; the 'Permission denied' error in this context is not due to missing read permission on the file itself.

323
MCQeasy

To compress a file while preserving the original file, which command should be used?

A.gzip file.txt
B.gzip -d file.txt.gz
C.gzip -1 file.txt
D.gzip -k file.txt
AnswerD

The -k option keeps the original file after compression.

Why this answer

Option D is correct because the `-k` (or `--keep`) flag in `gzip` instructs the utility to compress the file while retaining the original uncompressed file. By default, `gzip` replaces the original file with a compressed version (appending `.gz`), so `-k` is the explicit option to preserve the source file.

Exam trap

Linux Foundation often tests the default behavior of `gzip` (which deletes the original) versus the `-k` flag, trapping candidates who assume compression always preserves the source file without an explicit option.

How to eliminate wrong answers

Option A is wrong because `gzip file.txt` compresses the file and, by default, deletes the original `file.txt`, leaving only `file.txt.gz`. Option B is wrong because `gzip -d file.txt.gz` decompresses the archive, which does not compress a file and also removes the `.gz` file unless `-k` is used. Option C is wrong because `gzip -1 file.txt` sets the compression level to fastest (level 1), but still removes the original file; the `-1` flag does not affect file preservation.

324
MCQhard

An administrator needs to encrypt a block device (/dev/sdc) using LUKS. Which command creates an encrypted LUKS container on the device?

A.cryptsetup luksOpen /dev/sdc encrypted_device
B.cryptsetup luksFormat /dev/sdc
C.openssl enc -aes-256-cbc -in /dev/sdc -out /dev/sdc.enc
D.dm-crypt create encrypted /dev/sdc
AnswerB

Initializes the LUKS container.

Why this answer

Option B is correct because `cryptsetup luksFormat /dev/sdc` initializes the block device with a LUKS header, setting up an encrypted container that can later be opened with a passphrase or key file. This is the standard command for creating a new LUKS partition, as it writes the LUKS metadata and prepares the device for encryption.

Exam trap

The trap here is that candidates confuse `luksFormat` (which creates the container) with `luksOpen` (which opens/maps it), or they think a generic encryption tool like `openssl enc` can replace LUKS for block device encryption.

How to eliminate wrong answers

Option A is wrong because `cryptsetup luksOpen` is used to map an existing LUKS container to a device mapper name (e.g., /dev/mapper/encrypted_device), not to create a new encrypted container. Option C is wrong because `openssl enc` performs file-level encryption using a cipher like AES-256-CBC, but it does not create a LUKS container or handle block device encryption with proper metadata; it would produce an encrypted file, not a usable encrypted block device. Option D is wrong because `dm-crypt create` is not a valid command; the correct tool for device-mapper encryption is `cryptsetup`, and the syntax `dm-crypt create` does not exist in standard Linux utilities.

325
Matchingmedium

Match each Linux process signal to its numeric value.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

1

2

9

15

19

Why these pairings

Standard signal numbers used in Linux.

326
MCQmedium

Refer to the exhibit. The 'developers' group has members alice, bob, and charlie. User 'charlie' is not in the 'developers' group. Which statement is true?

A.alice can write to file.txt because she is in the developers group and the file has group write.
B.bob can delete /shared/project because he is the owner? No, directory permissions apply.
C.charlie can read /shared because the directory has world read? No, it's --- for others.
D.charlie can list the contents of /shared if he knows the path.
AnswerA

File has rw-rw----, group can write; alice is in developers, so she can write.

Why this answer

The setgid bit (s in group execute) on /shared means new files inherit the group (developers). However, /shared has permissions 770 for owner and group, so charlie (not in group) cannot access it.

327
MCQeasy

Which command shows the default target for systemd?

A.systemctl show default
B.systemctl list-default
C.systemctl get-default
D.systemctl default
AnswerC

Correct command to show default target.

Why this answer

The correct command to display the default target (the systemd unit that the system boots into by default) is `systemctl get-default`. This command reads the symlink at `/etc/systemd/system/default.target` and outputs its target, such as `multi-user.target` or `graphical.target`. Option C is correct because it directly queries systemd for the current default boot target.

Exam trap

The trap here is that candidates confuse `systemctl get-default` with `systemctl default` (which activates the default target) or with non-existent commands like `systemctl list-default`, leading them to pick a plausible-sounding but incorrect option.

How to eliminate wrong answers

Option A is wrong because `systemctl show default` is not a valid systemctl subcommand; `systemctl show` is used to display properties of a unit (e.g., `systemctl show sshd.service`), not to retrieve the default target. Option B is wrong because `systemctl list-default` does not exist; the correct subcommand for listing targets is `systemctl list-units --type=target`, which shows all loaded target units, not the default one. Option D is wrong because `systemctl default` is a valid command but it changes the current target to the default target (i.e., it activates the default boot target), not displays it.

328
MCQhard

A system administrator is configuring a custom systemd service that runs a Python script. The script logs output to stdout. The administrator wants to ensure that the service restarts automatically if it crashes, but only after a 10-second delay. Which directive should be added to the [Service] section of the unit file?

A.Restart=on-success RestartSec=10
B.Restart=on-failure RestartSec=10
C.Restart=always RestartSec=10
D.RestartSec=10
AnswerB

Restarts the service only when it exits with a non-zero exit code or is terminated by a signal, with a 10-second delay.

Why this answer

Option B is correct because `Restart=on-failure` ensures the service restarts only when it exits with a non-zero exit code or is terminated by a signal (e.g., SIGKILL), which matches the 'crashes' scenario. Adding `RestartSec=10` introduces a 10-second delay before the restart attempt, as required. The other options either restart on success (irrelevant) or always restart (which would restart even on intentional stops), or omit the restart condition entirely.

Exam trap

The trap here is that candidates often confuse `Restart=on-failure` with `Restart=always`, not realizing that `always` restarts even on clean exits (e.g., `systemctl stop`), which would interfere with manual service management.

How to eliminate wrong answers

Option A is wrong because `Restart=on-success` triggers restarts only when the service exits with a zero exit code (success), which is the opposite of a crash condition. Option C is wrong because `Restart=always` restarts the service regardless of the exit status, including when the administrator manually stops it with `systemctl stop`, which is not desired for crash-only recovery. Option D is wrong because it only sets `RestartSec=10` without specifying a `Restart=` directive, so the default `Restart=no` applies and the service will never restart automatically.

329
MCQeasy

A system administrator needs to partition a new 2TB disk using GPT. Which tool should be used?

A.cfdisk
B.fdisk
C.parted
D.sfdisk
AnswerC

Supports GPT and large disks.

Why this answer

Parted is the correct tool because it explicitly supports GPT partition tables on disks larger than 2TB, whereas fdisk and cfdisk traditionally use MBR (which is limited to 2TB) and sfdisk is primarily a script-based tool that, while it can handle GPT, is not the standard interactive tool for initial partitioning of a new 2TB GPT disk. Parted provides both interactive and scriptable modes and is designed to handle modern partition table formats like GPT.

Exam trap

The trap here is that candidates often assume fdisk is the universal partitioning tool because of its widespread use with MBR, but the LFCS exam specifically tests knowledge of GPT support and the fact that parted (or gdisk) is the correct choice for disks larger than 2TB with GPT.

How to eliminate wrong answers

Option A is wrong because cfdisk is a curses-based partition editor that, by default, operates on MBR partition tables and does not natively support GPT without additional flags or a separate version (like cgdisk). Option B is wrong because fdisk traditionally uses MBR and, although newer versions (util-linux 2.23+) can handle GPT, it is not the recommended or primary tool for GPT on a 2TB disk; its default behavior and legacy association with MBR make it a poor choice for this specific requirement. Option D is wrong because sfdisk is a script-oriented tool for dumping and restoring partition tables, not an interactive partitioner for initial setup; while it can handle GPT, it is not the standard interactive tool a sysadmin would use to partition a new disk.

330
MCQeasy

Refer to the exhibit. The /var partition is 100% full. Which command can be used to find the largest files in /var/log to free up space?

A.ls -lS /var/log
B.find /var/log -size +100M
C.du -ah /var/log | sort -rh | head
D.df -h /var/log
AnswerC

du recursively calculates disk usage, sorts by size human-readable, and head shows the top entries.

Why this answer

Option C is correct because it uses `du -ah` to list all files and directories in /var/log with human-readable sizes, pipes the output to `sort -rh` to sort them in reverse numerical order (largest first), and then uses `head` to display only the top entries. This combination efficiently identifies the largest files consuming space, allowing the administrator to target specific files for cleanup.

Exam trap

The trap here is that candidates may choose `ls -lS` (option A) because it sorts by size, but they overlook that it does not recurse into subdirectories, making it ineffective for a directory tree like /var/log that typically contains multiple subdirectories.

How to eliminate wrong answers

Option A is wrong because `ls -lS /var/log` lists files sorted by size, but it does not recurse into subdirectories, so it will miss large files in subdirectories like /var/log/journal or /var/log/nginx. Option B is wrong because `find /var/log -size +100M` only finds files larger than 100 MB, but the /var partition could be full due to many smaller files accumulating to fill the space, and it does not sort or prioritize the largest files. Option D is wrong because `df -h /var/log` shows the disk usage of the /var/log filesystem (or partition), not the sizes of individual files, so it cannot identify which files to delete.

331
MCQhard

Refer to the exhibit. The shadow entry for user 'carol' shows 18000 in the third field. What does the value 18000 represent?

A.The number of days until the account expires.
B.The minimum number of days required between password changes.
C.The number of days since the password was last changed.
D.The number of days before password expiration that the user is warned.
AnswerC

Third field is days since epoch of last password change.

Why this answer

Option B is correct. The third field in /etc/shadow is the date of last password change (in days since epoch). 18000 corresponds to about April 2025 (as of 2025). Option A is the first field (last change).

Option C is the minimum days field (fourth field, which is 0). Option D is the warning days field (seventh field, which is 7).

332
MCQmedium

An administrator runs 'systemctl status sshd' and sees the output above. The administrator wants sshd to start automatically at boot. Which command should be used?

A.systemctl reenable sshd
B.systemctl mask sshd
C.systemctl start sshd
D.systemctl enable sshd
AnswerD

Creates symlinks to enable the service to start at boot.

Why this answer

The `systemctl enable sshd` command creates the necessary symlinks in the systemd unit configuration directories (e.g., `/etc/systemd/system/multi-user.target.wants/`) so that the sshd service is started automatically at boot. This is the correct way to configure a service to start on boot in a systemd-based Linux distribution.

Exam trap

The trap here is confusing `systemctl start` (immediate runtime start) with `systemctl enable` (persistent boot-time start), leading candidates to choose Option C when the question explicitly asks for automatic startup at boot.

How to eliminate wrong answers

Option A is wrong because `systemctl reenable sshd` is not a valid systemd command; the correct command to re-enable a service is `systemctl enable sshd` (which removes and recreates symlinks if already enabled). Option B is wrong because `systemctl mask sshd` prevents the service from being started manually or automatically by linking it to `/dev/null`, which is the opposite of what is needed. Option C is wrong because `systemctl start sshd` starts the service immediately but does not configure it to start automatically at boot; it only affects the current runtime state.

333
MCQhard

A user 'alice' has a umask of 027 in her .bashrc, but the system administrator wants to enforce a umask of 007 for all users in the 'staff' group. Where should the administrator place the umask command to ensure it cannot be overridden by users?

A./etc/bash.bashrc
B./etc/skel/.bashrc
C./etc/profile
D.In /etc/pam.d/common-session with pam_umask.so
AnswerD

PAM umask module applies the umask regardless of shell scripts.

Why this answer

Option C is correct: /etc/bash.bashrc is sourced before user files, but users can still override? Actually, the safest is to use /etc/profile.d/ with a script, but the question asks for a location that cannot be overridden? Typically, /etc/bash.bashrc is for all bash users, but users can still override in their .bashrc after it. The only way to enforce is to set umask in /etc/profile or /etc/bash.bashrc and also in /etc/skel/.bashrc, but users can still change. Actually, no shell-level enforcement is absolute; root can set it in a login script that runs after user scripts? But the question is tricky.

I'll set the correct answer to a pam module: option D: using pam_umask.so in /etc/pam.d/common-session. That ensures it is applied regardless of shell configuration. So D is correct.

Other options are overrideable.

334
MCQmedium

An administrator has created an LVM thin pool. Which command should be used to create a thin logical volume named 'thinvol' of size 100GB from the thin pool 'pool1' in volume group 'vg1'?

A.lvcreate -L 100G -n thinvol vg1
B.lvcreate -s vg1/pool1 -n thinvol
C.lvcreate -V 100G -T vg1/pool1 --name thinvol
D.lvcreate -L 100G -T vg1/pool1 --name thinvol
AnswerC

Correct command.

Why this answer

Option C is correct because the `lvcreate` command for thin logical volumes requires the `-V` flag to specify the virtual size of the thin volume and the `-T` flag to reference the thin pool. The syntax `-V 100G -T vg1/pool1 --name thinvol` correctly creates a thin logical volume named 'thinvol' with a virtual size of 100GB from the thin pool 'pool1' in volume group 'vg1'.

Exam trap

The trap here is that candidates often confuse the `-L` flag (used for standard LVs or pool sizes) with the `-V` flag (required for thin volumes), leading them to select option D, which incorrectly uses `-L` instead of `-V` for the thin volume's virtual size.

How to eliminate wrong answers

Option A is wrong because `lvcreate -L 100G -n thinvol vg1` creates a standard (thick) logical volume, not a thin logical volume, and does not reference a thin pool. Option B is wrong because `lvcreate -s vg1/pool1 -n thinvol` is used to create a snapshot, not a thin logical volume; the `-s` flag creates a snapshot of an existing logical volume. Option D is wrong because `lvcreate -L 100G -T vg1/pool1 --name thinvol` uses the `-L` flag to specify the size, but for thin volumes, the `-V` flag must be used to define the virtual size; `-L` is for the pool's metadata or data size, not the thin volume's virtual size.

335
MCQhard

Refer to the exhibit. A server has two interfaces: eth0 (public) and eth1 (internal). The firewall zone 'internal' is assigned to eth1. An administrator wants to allow TCP traffic on port 8080 from eth1 to the server. Which command will achieve this without affecting existing rules?

A.firewall-cmd --permanent --zone=internal --add-port=8080/tcp
B.firewall-cmd --zone=internal --add-service=http --add-port=8080/tcp
C.firewall-cmd --zone=internal --add-port=8080/tcp
D.firewall-cmd --zone=public --add-port=8080/tcp
AnswerC

This adds the port to the internal zone temporarily but immediately, without reload.

Why this answer

Option C is correct because it uses the `--zone=internal` flag to target the correct zone assigned to eth1, and `--add-port=8080/tcp` to open only TCP port 8080 without modifying any existing rules. The command is not `--permanent`, so it applies immediately to the runtime configuration, which is the default behavior when `--permanent` is omitted.

Exam trap

The trap here is that candidates may confuse `--permanent` with immediate effect, or incorrectly assume that `--add-service=http` is required for HTTP-based traffic on port 8080, when in fact `--add-port` directly specifies the port regardless of the service name.

How to eliminate wrong answers

Option A is wrong because it uses `--permanent`, which would make the rule persistent across reboots but does not apply it to the current runtime configuration unless followed by `firewall-cmd --reload`; the question asks to allow traffic without affecting existing rules, and `--permanent` alone does not activate the rule immediately. Option B is wrong because it adds both `--add-service=http` (which opens port 80/tcp) and `--add-port=8080/tcp`, unnecessarily opening an extra port (80) that was not requested, violating the requirement to allow only port 8080. Option D is wrong because it targets the `public` zone, but the internal interface eth1 is assigned to the `internal` zone, so this command would open port 8080 on the wrong interface and not affect eth1.

336
MCQeasy

Which command enables a service to start automatically at boot in a systemd-based system?

A.systemctl enable service
B.systemctl set-default service
C.systemctl daemon-reload
D.systemctl start service
AnswerA

Enables the service to start at boot.

Why this answer

The `systemctl enable` command creates the necessary symlinks in the `/etc/systemd/system/` directory tree (typically `multi-user.target.wants/`) to ensure the specified service unit is started automatically when the system boots. This is the standard mechanism in systemd to configure a service for automatic startup at boot time.

Exam trap

The trap here is confusing `systemctl enable` (which configures automatic boot-time startup) with `systemctl start` (which runs the service immediately but does not persist across reboots), leading candidates to incorrectly choose option D.

How to eliminate wrong answers

Option B is wrong because `systemctl set-default` sets the default target (e.g., `multi-user.target` or `graphical.target`), not a service; it controls which target the system boots into, not individual service autostart. Option C is wrong because `systemctl daemon-reload` reloads systemd manager configuration after unit file changes but does not enable or disable any service for boot-time startup. Option D is wrong because `systemctl start` immediately starts a service in the current session but does not configure it to start automatically at future boots.

337
MCQmedium

You manage a Linux server that provides DHCP services to a small office network using the dhcpd daemon. The server has two network interfaces: eth0 (192.168.1.1/24) serving the internal network, and eth1 (192.168.0.1/24) connected to a DMZ. The DHCP server is configured to serve addresses only on eth0. Users on the internal network report that they are not receiving IP addresses. You check the DHCP server and find that the dhcpd service is running and listening on UDP port 67. From a client, you run tcpdump and see DHCPDISCOVER packets being sent, but no DHCPOFFER from the server. You also verify that no firewall rules are blocking DHCP traffic on either side. What is the most likely reason for the failure?

A.The DHCP server's IP address is not in the same subnet as the clients.
B.The dhcpd configuration file does not have a subnet declaration for the 192.168.1.0/24 network.
C.The dhcpd service is not running.
D.The network switch is blocking broadcast packets.
AnswerB

Without a subnet declaration, the DHCP server does not know which pool to offer addresses from and will ignore broadcasts on that subnet.

Why this answer

Option B is correct because the dhcpd daemon will only respond to DHCPDISCOVER packets on interfaces for which it has a matching subnet declaration in its configuration file (typically /etc/dhcp/dhcpd.conf). Without a subnet declaration for 192.168.1.0/24, dhcpd ignores all DHCP traffic on eth0, even though the service is running and listening on UDP port 67. The absence of DHCPOFFER packets despite seeing DHCPDISCOVERs confirms that the server is not processing the requests for that subnet.

Exam trap

The trap here is that candidates assume a running service with an open port (UDP 67) is sufficient to serve DHCP, but the dhcpd daemon requires explicit subnet declarations to process requests on each interface.

How to eliminate wrong answers

Option A is wrong because the DHCP server's IP address (192.168.1.1) is in the same subnet as the clients (192.168.1.0/24), so subnet mismatch is not the issue. Option C is wrong because the problem states the dhcpd service is running and listening on UDP port 67, so the service is operational. Option D is wrong because the switch blocking broadcast packets would prevent DHCPDISCOVERs from reaching the server, but the tcpdump shows DHCPDISCOVER packets are being sent, and no firewall rules are blocking traffic, so the switch is not the cause.

338
MCQeasy

An administrator needs to create a system user that runs a service (no login, no home directory). Which command is appropriate?

A.useradd -r myservice
B.useradd -r -m myservice
C.useradd -r -M myservice
D.useradd -M myservice
AnswerC

-r system user, -M no home directory. Perfect for service account.

Why this answer

Option C is correct because useradd -r creates a system account (UID < 1000 typically), -M suppresses home directory creation. Option A creates a regular user with home. Option B creates system user but with home.

Option D creates regular user without home.

339
Multi-Selecteasy

An administrator is configuring a Linux server to act as a web server. The server has two network interfaces: eth0 (public IP 203.0.113.10) and eth1 (private IP 10.0.0.10). The default policy on the INPUT chain is DROP. The administrator wants to allow incoming HTTP (port 80) traffic from any source but only to the public interface. Which TWO iptables rules should be added?

Select 2 answers
A.iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
B.iptables -A INPUT -d 203.0.113.10 -p tcp --dport 80 -j ACCEPT
C.iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
D.iptables -A INPUT -s 203.0.113.10 -p tcp --dport 80 -j ACCEPT
E.iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
AnswersB, C

Matches traffic destined to the public IP.

Why this answer

Option B is correct because it specifies the destination IP address (203.0.113.10) of the public interface, ensuring that HTTP traffic is only accepted when destined for that IP. Option C is also correct because it uses the `-i eth0` flag to match incoming traffic on the public interface only, which restricts HTTP access to the public-facing interface. Both rules are needed to satisfy the requirement of allowing HTTP from any source but only to the public interface, given the default DROP policy on the INPUT chain.

Exam trap

The trap here is that candidates often confuse the INPUT and FORWARD chains, or incorrectly assume that specifying the source IP (`-s`) is equivalent to specifying the destination IP (`-d`), leading them to pick Option D or A instead of the correct combination of B and C.

340
MCQhard

A system administrator is troubleshooting network connectivity from a Linux server to a remote host at 10.0.0.1. The server has a default gateway of 192.168.1.1. Running `ping 10.0.0.1` fails, but `ping 192.168.1.1` succeeds. The output of `ip route show` shows a default route via 192.168.1.1. Which additional step should the administrator take to further investigate?

A.Check the ARP table for 10.0.0.1.
B.Verify that the firewall on the remote host allows ICMP.
C.Run traceroute to 10.0.0.1 to see where packets are dropped.
D.Check if the remote host is in the same subnet as the server.
AnswerC

Traceroute reveals the path and where packets stop, aiding in pinpointing the issue.

Why this answer

Option C is correct because the ping to the default gateway succeeds, confirming local network and ARP resolution are functional, while the ping to the remote host fails. Running traceroute to 10.0.0.1 will reveal the exact hop where packets are dropped, isolating whether the issue lies in routing beyond the gateway, a firewall along the path, or a missing route on an intermediate router.

Exam trap

The trap here is that candidates assume a failed ping to a remote host must be due to a local ARP issue or firewall on the destination, but the successful ping to the gateway proves local connectivity works, making traceroute the logical next step to trace the path.

How to eliminate wrong answers

Option A is wrong because the ARP table is only relevant for hosts on the same subnet; 10.0.0.1 is not on the local subnet (the server's IP is presumably in 192.168.1.0/24), so ARP will never contain an entry for it. Option B is wrong because the question asks for the next step in investigating the connectivity issue from the server's perspective; while the remote host's firewall could block ICMP, the administrator should first verify the path with traceroute before assuming a firewall issue. Option D is wrong because the remote host is clearly not in the same subnet (10.0.0.1 vs. 192.168.1.0/24), and the successful ping to the gateway confirms the server is correctly forwarding traffic to the default route.

341
MCQmedium

A user reports that they cannot log in via SSH, but other users can. The administrator checks /var/log/auth.log and sees 'Failed password for invalid user'. What is the most likely cause?

A.The user's SSH key is not authorized
B.The user account is locked
C.The user does not exist on the system
D.The user's password has expired
AnswerC

Logs indicate 'invalid user', meaning the username is not found.

Why this answer

The log message 'Failed password for invalid user' specifically indicates that the username presented during the SSH authentication attempt does not correspond to any account in the system's user database (e.g., /etc/passwd). This is distinct from a valid user failing authentication; the SSH server (sshd) rejects the session at the authentication stage because the user does not exist. Therefore, the most likely cause is that the user account does not exist on the system.

Exam trap

The trap here is that candidates confuse 'invalid user' (non-existent account) with 'valid user, wrong credentials' (e.g., locked account, expired password, or bad key), but the log message explicitly distinguishes between these two cases.

How to eliminate wrong answers

Option A is wrong because an SSH key not being authorized would generate a 'Failed publickey for <valid_user>' message, not 'invalid user'. Option B is wrong because a locked account (e.g., via `passwd -l` or expired password) would produce a 'Failed password for <valid_user>' or 'Authentication failure' log entry, not 'invalid user'. Option D is wrong because an expired password triggers a password change prompt or a 'Password expired' message during authentication, and the log would still reference a valid username, not 'invalid user'.

342
MCQhard

A system administrator configures a new server with multiple disks. After partitioning and formatting, they mount a partition to /data. Several days later, they notice that the /data filesystem is full, but 'du -sh /data' reports only 2 GB used, while the partition is 100 GB. 'df -h' shows /data is 98% full. What is the most likely cause and the correct action?

A.The filesystem is fragmented. Run 'e4defrag' to defragment.
B.The filesystem has reserved blocks for root. Reduce the reserved percentage with 'tune2fs -m 0'.
C.The 'du' command is not counting hidden files (dot files). Use 'du -sh .*' to include them.
D.There are deleted files still held open by processes. Use 'lsof /data' to find and restart those processes.
AnswerD

Deleted open files consume space but are not counted by 'du'; 'lsof' can find them.

Why this answer

Option D is correct because when a file is deleted but still held open by a running process, the filesystem does not release the disk blocks until the process closes the file descriptor. This causes 'df' to report the space as used, while 'du' cannot see the deleted file's data, leading to the discrepancy. Using 'lsof /data' identifies the processes holding the deleted files, and restarting them frees the space.

Exam trap

The trap here is that candidates often confuse the 'du' vs 'df' discrepancy with hidden files or reserved blocks, but the key clue is that 'du' shows far less usage than 'df', which points to unlinked but still-open files.

How to eliminate wrong answers

Option A is wrong because filesystem fragmentation does not cause a discrepancy between 'du' and 'df'; fragmentation affects performance, not space accounting. Option B is wrong because reserved blocks for root (default 5% on ext4) are counted as used by 'df' but are not the cause of a 98% full partition when only 2 GB is used; reducing the reserved percentage would free space but does not explain the discrepancy. Option C is wrong because 'du -sh /data' already counts all files including hidden files (dot files) by default; the '-sh' option sums the total size, and hidden files are included in that total.

343
MCQhard

A system has a RAID 5 array that is degraded. One of the three disks failed and was replaced. The administrator runs 'cat /proc/mdstat' and sees that the array is still degraded. Which command should be used to add the new disk (/dev/sdc1) to the array?

A.mdadm /dev/md0 --add /dev/sdc1
B.mdadm --add /dev/md0 /dev/sdc1
C.mdadm --manage /dev/md0 --add /dev/sdc1
D.mdadm --re-add /dev/md0 /dev/sdc1
AnswerB

Correct syntax.

Why this answer

Option B is correct because the `mdadm --add /dev/md0 /dev/sdc1` command explicitly adds a new disk to a RAID array. After a failed disk is replaced, the array remains degraded until the new disk is added and the rebuild process begins. The `--add` option is the standard way to incorporate a spare or replacement device into an active MD array.

Exam trap

The trap here is that candidates confuse `--add` with `--re-add`, assuming the latter is always used for replacement disks, but `--re-add` only works for disks that were previously part of the same array and have not been fully removed or failed.

How to eliminate wrong answers

Option A is wrong because the syntax `mdadm /dev/md0 --add /dev/sdc1` omits the required `--manage` or device mode flag; `mdadm` expects either a mode (like `--manage`) or a direct command option before the device name, and this ordering can cause a parsing error or unintended behavior. Option C is wrong because `mdadm --manage /dev/md0 --add /dev/sdc1` is technically valid but redundant — the `--manage` mode is implied when using `--add`, and the LFCS exam expects the simpler, standard form `mdadm --add /dev/md0 /dev/sdc1` as the correct answer. Option D is wrong because `mdadm --re-add` is used to re-add a disk that was previously part of the array and has been removed but not failed (e.g., after a temporary disconnection); it does not apply to a new replacement disk that was never part of the array.

344
MCQmedium

A system administrator needs to list all files in the current directory, including hidden files, in a long listing format sorted by modification time (oldest first). Which command achieves this?

A.ls -lihrt
B.ls -lart
C.ls -lat
D.ls -lrt
AnswerB

Correct: long, all, reverse, time.

Why this answer

Option B is correct because `ls -lart` combines the `-l` (long listing), `-a` (include hidden files starting with dot), `-r` (reverse order), and `-t` (sort by modification time, newest first). The reverse flag flips the sort to oldest first, meeting the requirement exactly.

Exam trap

The trap here is that candidates often remember `-lt` for time-sorted listing but forget that `-a` is required to include hidden files, or they confuse the order and omit `-r` to reverse to oldest first.

How to eliminate wrong answers

Option A is wrong because `ls -lihrt` includes `-i` (inode number) and `-h` (human-readable sizes), which are not requested, and while it sorts by time and reverses, it lacks `-a` so hidden files are omitted. Option C is wrong because `ls -lat` sorts by modification time but newest first, not oldest first, as the `-r` flag is missing. Option D is wrong because `ls -lrt` sorts by time and reverses to oldest first, but it lacks `-a`, so hidden files are not listed.

345
MCQeasy

A system administrator wants to configure a custom service to start automatically at boot. Which command accomplishes this?

A.systemctl daemon-reload custom.service
B.systemctl enable custom.service
C.systemctl reenable custom.service
D.systemctl start custom.service
AnswerB

systemctl enable creates symlinks to start the service at boot.

Why this answer

The `systemctl enable custom.service` command creates the necessary symlinks in the systemd unit file directories (e.g., `/etc/systemd/system/multi-user.target.wants/`) so that the service is automatically started at boot. This is the correct method to configure a custom service for automatic startup in a systemd-based Linux distribution.

Exam trap

The trap here is that candidates confuse `systemctl start` (immediate runtime start) with `systemctl enable` (boot-time persistence), leading them to select option D when the question specifically asks for automatic boot-time configuration.

How to eliminate wrong answers

Option A is wrong because `systemctl daemon-reload` reloads the systemd manager configuration after unit files have been changed, but it does not enable a service to start at boot. Option C is wrong because `systemctl reenable` removes and then recreates the enablement symlinks, which is useful for resetting the enablement state but is not the standard command for initially enabling a service. Option D is wrong because `systemctl start` immediately starts the service in the current session but does not configure it to start automatically at boot.

346
MCQhard

A system running RHEL 8 experiences intermittent crashes. After reboot, 'journalctl -p err -b -1' outputs: 'PID 1234 (myapp) ended due to signal: KILL'. Which diagnostic step should the administrator perform next?

A.Review logrotate configuration for myapp logs.
B.Run strace to capture system calls of myapp before restarting.
C.Enable core dumps and reproduce issue.
D.Check journalctl for 'oom-kill' entries or use 'dmesg | grep -i oom'.
AnswerD

Identifies if out-of-memory killer caused the kill.

Why this answer

The 'PID ended due to signal: KILL' message indicates the process was terminated by a SIGKILL (signal 9), which is commonly sent by the Out-Of-Memory (OOM) killer when the system runs low on memory. Checking journalctl for 'oom-kill' entries or using 'dmesg | grep -i oom' directly confirms whether the OOM killer was responsible, making D the correct next diagnostic step.

Exam trap

The trap here is that candidates may confuse 'signal: KILL' with a manual kill command or a segmentation fault, leading them to choose core dumps (C) or strace (B), when the specific signal name 'KILL' (SIGKILL) points directly to the OOM killer or an explicit kill -9, and the OOM killer is the most common cause in intermittent crash scenarios.

How to eliminate wrong answers

Option A is wrong because logrotate configuration affects log rotation and compression, not process termination causes; it would not help diagnose why myapp was killed. Option B is wrong because strace captures system calls of a running process, but myapp has already crashed and cannot be traced without reproducing the issue first; this is a premature step before confirming the root cause. Option C is wrong because enabling core dumps and reproducing the issue is useful for debugging segmentation faults or other signals (e.g., SIGSEGV), but SIGKILL cannot be caught or handled by the process, so no core dump is generated; this step would be ineffective here.

347
Matchingmedium

Match each Linux networking command to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Show/manipulate routing, devices, tunnels

Investigate sockets

Capture and analyze network traffic

Manage NetworkManager

Print network connections (legacy)

Why these pairings

These commands are used for network troubleshooting and configuration.

348
MCQeasy

Which command can be used to display the UUID of a filesystem on /dev/sdb1?

A.blkid /dev/sdb1
B.tune2fs -l /dev/sdb1
C.df -h /dev/sdb1
D.lsblk /dev/sdb1
AnswerA

blkid displays UUID and filesystem type.

Why this answer

The blkid command is specifically designed to locate and print block device attributes, including the UUID and filesystem type. When run against a device like /dev/sdb1, it queries the kernel's device mapper and reads the filesystem superblock to extract the universally unique identifier (UUID). This is the most direct and reliable method for displaying a filesystem's UUID.

Exam trap

The trap here is that candidates often assume tune2fs -l is the universal UUID display tool, but it only works on ext2/3/4 filesystems, whereas blkid works across all Linux filesystem types and is the standard command for this task.

How to eliminate wrong answers

Option B (tune2fs -l /dev/sdb1) is wrong because tune2fs is an ext2/ext3/ext4 filesystem tuning tool; while it can display the UUID in its output, it only works on ext2/3/4 filesystems and will fail or produce no UUID for other types like XFS or Btrfs. Option C (df -h /dev/sdb1) is wrong because df reports disk space usage for mounted filesystems, not UUIDs; it shows mount points and capacity, not block device attributes. Option D (lsblk /dev/sdb1) is wrong because lsblk lists block devices and their partitions, but by default it does not display UUIDs unless the -f or -o UUID option is used; without those flags, it shows only device names, sizes, and mount points.

349
MCQeasy

A user needs to view the contents of a large text file one screen at a time. Which command is best for this?

A.nl file.txt
B.more file.txt
C.cat file.txt
D.less file.txt
AnswerD

less is a full-featured pager that allows scrolling up and down.

Why this answer

Option D is correct because `less` is a terminal pager that allows forward and backward navigation through a file, making it ideal for viewing large text files one screen at a time. Unlike `more`, `less` supports scrolling both up and down, and it does not load the entire file into memory, which is efficient for large files.

Exam trap

The trap here is that candidates often confuse `more` and `less` because both display content one screen at a time, but `less` is the more powerful and recommended tool for interactive viewing, and the LFCS exam expects you to know that `less` is the best choice for this task.

How to eliminate wrong answers

Option A is wrong because `nl` numbers lines and outputs the entire file to stdout without pausing, so it is not suitable for viewing one screen at a time. Option B is wrong because while `more` does display content one screen at a time, it only allows forward navigation (space bar) and cannot scroll backward, making it less flexible than `less` for interactive viewing. Option C is wrong because `cat` concatenates and outputs the entire file to stdout at once, which will flood the terminal and is not designed for paging.

350
MCQmedium

A process (PID 1234) is hung and cannot be killed with SIGTERM. To force termination, which signal should be sent?

A.kill -9 1234 (SIGKILL)
B.kill -15 1234 (SIGTERM)
C.kill -2 1234 (SIGINT)
D.kill -1 1234 (SIGHUP)
AnswerA

SIGKILL cannot be caught and kills immediately.

Why this answer

SIGKILL (signal 9) is the correct choice because it cannot be caught, blocked, or ignored by the process. Unlike SIGTERM, which allows the process to perform cleanup, SIGKILL immediately terminates the process at the kernel level, making it the only reliable way to force-kill a hung process that ignores other signals.

Exam trap

The trap here is that candidates often confuse SIGTERM (15) as a 'force kill' signal, not realizing that a hung process can ignore it, while SIGKILL (9) is the only signal that guarantees termination.

How to eliminate wrong answers

Option B (SIGTERM, signal 15) is wrong because it is the default polite termination signal that the process can catch and ignore, which is exactly why it failed to kill the hung process. Option C (SIGINT, signal 2) is wrong because it is typically generated by Ctrl+C and can be caught or ignored by the process, making it ineffective for a hung process. Option D (SIGHUP, signal 1) is wrong because it is primarily used to notify a process of terminal disconnection or to reload configuration, and it can also be caught or ignored, so it will not force termination.

351
MCQmedium

A system administrator needs to find all files that are larger than 100MB in the /var directory. Which command accomplishes this?

A.find /var -size +100M
B.find /var -size +100MB
C.ls -lh /var | grep '100M'
D.find /var -size +100M -type f
AnswerD

Correct syntax, restricts to files only.

Why this answer

Option D is correct because the `find` command with `-size +100M` locates files larger than 100 megabytes, and `-type f` restricts results to regular files, avoiding directories or special files. The `+` prefix means 'greater than', and `M` denotes megabytes (1048576-byte blocks). This is the standard syntax for size-based file searches on Linux.

Exam trap

The trap here is that candidates often forget the `-type f` filter and pick Option A, assuming `find` only returns files, or they incorrectly use `MB` (Option B) due to familiarity with human-readable size formats, not realizing `find` requires single-letter suffixes.

How to eliminate wrong answers

Option A is wrong because `find /var -size +100M` omits `-type f`, so it will also match directories and other non-regular files that happen to have a size attribute, potentially cluttering results or causing unintended matches. Option B is wrong because `-size +100MB` uses an invalid suffix; `find` accepts `c` (bytes), `k` (kilobytes), `M` (megabytes), `G` (gigabytes), but not `MB` — this will cause a syntax error or be ignored. Option C is wrong because `ls -lh /var | grep '100M'` only matches lines containing the literal string '100M', missing files like '200M' or '1.5G', and it does not recursively search subdirectories; it also fails to handle files with sizes formatted differently (e.g., '101M' would not match).

352
MCQhard

A storage administrator notices that a newly created XFS filesystem on a logical volume shows only 90% of the expected capacity. The logical volume is 100GB. What is the most likely cause?

A.The disk has bad blocks that were marked as unusable.
B.The filesystem was created with a reduced size due to mkfs.xfs default settings.
C.The volume group has insufficient physical extents.
D.The filesystem is mounted with the 'noatime' option.
AnswerB

XFS reserves space for metadata; mkfs.xfs may not use full device if size is not specified.

Why this answer

B is correct because `mkfs.xfs` by default reserves 10% of the filesystem space for metadata and performance optimization (the `-i maxpct` and internal log overhead). This is not a capacity loss but a design feature of XFS, which explains why a 100GB logical volume shows only ~90GB usable.

Exam trap

The trap here is that candidates confuse the 10% XFS reserved blocks with filesystem overhead from journaling (ext4) or assume it is a bug, when in fact it is a configurable default behavior of `mkfs.xfs`.

How to eliminate wrong answers

Option A is wrong because bad blocks are handled by the device mapper or LVM at the block level, not by the filesystem; `mkfs.xfs` does not mark bad blocks as unusable during creation. Option C is wrong because the volume group having insufficient physical extents would prevent the logical volume from being created at all, not reduce its capacity after creation. Option D is wrong because the `noatime` mount option affects access time updates and performance, not the reported filesystem capacity.

353
MCQmedium

A company deploys a new web server with two network interfaces: one for public access (eth0) and one for database access (eth1). The database server is at 10.0.0.10. The web server's default gateway is via eth0, but traffic to 10.0.0.10 is being routed through eth0 instead of eth1. What is the simplest fix?

A.Remove the default gateway on eth0.
B.Configure policy routing to use both tables.
C.Add a static route for 10.0.0.10/32 via eth1's gateway.
D.Change the default gateway metric to prefer eth1.
AnswerC

Directs only database traffic through eth1.

Why this answer

Option C is correct because adding a static route for 10.0.0.10/32 via eth1's gateway forces traffic destined for the database server to use the eth1 interface, overriding the default route that sends all traffic through eth0. This is the simplest and most direct fix, as it does not alter the default gateway or require complex policy routing.

Exam trap

The trap here is that candidates often think they need to change the default gateway or use complex policy routing, when a simple static route is the most efficient and correct solution for directing traffic to a specific host through a different interface.

How to eliminate wrong answers

Option A is wrong because removing the default gateway on eth0 would break all other outbound traffic that must go through eth0 (e.g., internet access), leaving the server without a default route. Option B is wrong because policy routing is an overcomplicated solution for this simple scenario; it involves creating additional routing tables and rules, which is unnecessary when a single static route can solve the problem. Option D is wrong because changing the default gateway metric to prefer eth1 would route all default traffic through eth1, which is likely not desired (eth1 is for database access only), and it would not fix the specific routing for 10.0.0.10 without affecting other traffic.

354
Multi-Selectmedium

Which THREE of the following are valid directives for the [Service] section of a systemd unit file?

Select 3 answers
A.Type
B.Requires
C.User
D.ExecStart
E.Description
AnswersA, C, D

Valid [Service] directive to define service type.

Why this answer

The `Type` directive is valid in the `[Service]` section because it defines the service's process startup type (e.g., `simple`, `forking`, `oneshot`, `dbus`, `notify`, `idle`). This tells systemd how to monitor the service's main process and determine when it has started successfully, which is essential for proper service management.

Exam trap

The trap here is that candidates often confuse `[Unit]` directives (like `Requires`, `Description`, `After`) with `[Service]` directives, leading them to select options that are valid in other sections but not in the `[Service]` block.

355
Multi-Selecthard

Which THREE commands can change the priority of an already running process?

Select 3 answers
A.kill -STOP
B.top (press 'r')
C.chrt
D.nice
E.renice
AnswersB, C, E

top's interactive 'r' command allows changing the nice value of a running process.

Why this answer

Option B is correct because the `top` interactive command allows you to change the priority (nice value) of a running process by pressing 'r' and entering the PID and new nice value. This directly modifies the process's scheduling priority without restarting it.

Exam trap

The trap here is that candidates often confuse `nice` (which only sets priority for new processes) with `renice` (which modifies running processes), or mistakenly think `kill -STOP` changes priority when it actually halts the process.

356
MCQmedium

What is the purpose of the chmod 755 command in this exhibit?

A.Add execute permission for the owner only
B.Remove write permission for others
C.Set the setuid bit
D.Set permissions to rwxr-xr-x
AnswerD

755 corresponds to rwxr-xr-x.

Why this answer

The chmod 755 command sets the file permissions to rwxr-xr-x, meaning the owner has read, write, and execute permissions (7), while the group and others have read and execute permissions (5). This is a common permission set for executable scripts and directories to allow execution without granting write access to non-owners.

Exam trap

The trap here is that candidates often confuse the octal value 755 with adding execute only for the owner (option A) or think it removes write for others (option B), when in fact 755 sets a specific permission mask that includes execute for all and write only for the owner.

How to eliminate wrong answers

Option A is wrong because chmod 755 adds execute permission for the owner, group, and others, not just the owner. Option B is wrong because chmod 755 does not remove write permission for others; it sets the others permission to r-x (read and execute), which already excludes write, but the command is not specifically removing write—it is setting the entire permission triad. Option C is wrong because the setuid bit is set using chmod 4xxx (e.g., chmod 4755), not chmod 755, which uses the octal value 0 for the setuid/setgid/sticky bits.

357
MCQhard

A company is designing a multi-homed server with two network interfaces: one for internal traffic (eth0) and one for external traffic (eth1). The server must prioritize traffic to the 10.1.0.0/16 network through eth0. What is the best practice to ensure traffic to 10.1.0.0/16 uses eth0?

A.Add a static route for 10.1.0.0/16 via the gateway on eth0.
B.Configure policy routing using ip rule and two routing tables.
C.Set a lower metric on the default route for eth0.
D.Use bonding to combine both interfaces.
AnswerA

A static route directs traffic for that subnet to the correct interface.

Why this answer

Adding a static route for 10.1.0.0/16 via the gateway on eth0 directly tells the kernel to send traffic destined for that network through eth0. This is the simplest and most direct method, ensuring that the route is always preferred over the default route for that specific destination, without affecting other traffic.

Exam trap

The trap here is that candidates often confuse policy routing (Option B) as the only way to control interface selection, but a simple static route is the standard and best practice for directing traffic to a specific subnet.

How to eliminate wrong answers

Option B is wrong because policy routing (ip rule and multiple routing tables) is overkill for a simple destination-based routing requirement; it is typically used for complex scenarios like load balancing or source-based routing, not for a single static route. Option C is wrong because setting a lower metric on the default route for eth0 would only affect the default route preference, not direct traffic specifically to 10.1.0.0/16; it would not create a route for that network. Option D is wrong because bonding combines interfaces for redundancy or increased throughput, not for routing traffic to a specific network; it does not control which interface is used for a particular destination.

358
MCQmedium

A systems administrator receives reports that a web server running Nginx is intermittently unresponsive. The server has 8 GB of RAM and 4 CPU cores. The administrator runs 'free -m' and sees that available memory is low, and 'top' shows that several nginx worker processes are using a high percentage of CPU. Which of the following is the most likely cause of the issue?

A.The nginx worker_connections setting is too high.
B.The vm.swappiness value is set to 100.
C.The net.core.somaxconn setting is too low.
D.The kernel parameter kernel.pid_max is set too low.
AnswerA

High worker_connections can cause each worker to allocate large amounts of memory for connection pools, leading to memory exhaustion and high CPU usage as workers compete for resources.

Why this answer

The correct answer is A. When `worker_connections` is set too high, each Nginx worker process attempts to handle more concurrent connections than the system can support, leading to CPU saturation and memory exhaustion. This matches the symptoms of high CPU usage by worker processes and low available memory, causing intermittent unresponsiveness.

Exam trap

The trap here is that candidates may confuse `worker_connections` with `net.core.somaxconn`, assuming a backlog limit causes CPU issues, but `worker_connections` directly impacts per-worker resource consumption under load.

How to eliminate wrong answers

Option B is wrong because `vm.swappiness` controls the kernel's tendency to swap anonymous memory to disk; a value of 100 makes the system swap aggressively, which would cause disk I/O and latency, not high CPU usage by Nginx workers directly. Option C is wrong because `net.core.somaxconn` limits the backlog of pending TCP connections; a low value would cause connection refused errors under load, not high CPU usage or memory exhaustion. Option D is wrong because `kernel.pid_max` sets the maximum PID number; a low value would prevent new processes from starting, not cause existing Nginx workers to consume high CPU or memory.

359
MCQhard

A company's backup script fails with an error indicating 'no space left on device' on an NFS mount. The administrator checks 'df -h' on the NFS client and sees the mount is at 90% usage. However, the NFS server shows the exported filesystem is only 50% full. What is the most likely cause?

A.The 'df' command is caching old data; run 'sync' and then 'df' again.
B.The mount point on the client (e.g., /mnt/nfs) is on a local filesystem that is full, preventing writes to the NFS mount.
C.The NFS server is overloaded and not responding in time.
D.The NFS export has a quota limit that is lower than the actual filesystem capacity.
AnswerB

When the mount point directory itself is on a full filesystem, writes to that mount point fail.

Why this answer

Option D is correct: The NFS client's local mount point has a separate filesystem that is full. Option A is rare; performance issues wouldn't produce that error immediately. Option B is plausible but df should update; still, local mount point issue is more direct.

Option C is possible but the error message is 'no space left on device', which is a local error.

360
MCQeasy

A Linux administrator needs to temporarily stop a service named 'httpd' without disabling it from starting automatically on subsequent boots. Which command should be used?

A.systemctl stop httpd
B.systemctl mask httpd
C.systemctl disable httpd
D.systemctl kill httpd
AnswerA

Stops the service immediately without changing its enable status.

Why this answer

The `systemctl stop httpd` command sends a SIGTERM signal to the main process of the httpd service, causing it to stop immediately. This action does not modify the service's enablement state, so the service will still start automatically on subsequent boots if it is enabled. This is the correct way to temporarily stop a service without altering its boot-time behavior.

Exam trap

The trap here is that candidates confuse 'stop' with 'disable' or 'mask', thinking that stopping a service also prevents it from starting at boot, when in fact 'stop' only affects the current runtime state and has no effect on boot-time enablement.

How to eliminate wrong answers

Option B is wrong because `systemctl mask httpd` creates a symlink to /dev/null, which prevents the service from being started manually or automatically, even by dependencies, and is not temporary — it requires unmasking to reverse. Option C is wrong because `systemctl disable httpd` removes the symlinks that cause the service to start at boot, permanently altering its enablement state until re-enabled. Option D is wrong because `systemctl kill httpd` sends a signal (default SIGTERM) to the service's control group, but it is not the standard command for stopping a service; it is used for sending arbitrary signals or killing specific processes, and it does not manage the service's unit state or dependencies properly.

361
MCQmedium

A server running Ubuntu 20.04 uses netplan for network configuration. The admin wants to set a static IP address 10.0.0.100/24 on interface enp0s3 with gateway 10.0.0.1 and DNS servers 8.8.8.8 and 8.8.4.4. Which YAML configuration is correct?

A.network: version: 2 ethernets: enp0s3: addresses: - 10.0.0.100/24 gateway: 10.0.0.1 nameservers: addresses: [8.8.8.8, 8.8.4.4]
B.network: version: 2 ethernets: enp0s3: address: 10.0.0.100/24 gateway4: 10.0.0.1 dns-nameservers: 8.8.8.8 8.8.4.4
C.network: ethernets: enp0s3: addresses: 10.0.0.100/24 gateway4: 10.0.0.1 nameservers: addresses: [8.8.8.8, 8.8.4.4]
D.network: version: 2 ethernets: enp0s3: addresses: - 10.0.0.100/24 gateway4: 10.0.0.1 nameservers: addresses: [8.8.8.8, 8.8.4.4]
AnswerD

Correct syntax: 'gateway4', 'addresses' as list, 'nameservers.addresses' as list.

Why this answer

Option D is correct because it uses the proper Netplan YAML syntax: `addresses` as a list, `gateway4` for the IPv4 default gateway, and `nameservers` with an `addresses` list. This matches the required static IP 10.0.0.100/24, gateway 10.0.0.1, and DNS servers 8.8.8.8 and 8.8.4.4.

Exam trap

The trap here is that candidates confuse the legacy ifupdown syntax (e.g., `address`, `dns-nameservers`) with the required Netplan YAML structure, or forget the mandatory `version: 2` field.

How to eliminate wrong answers

Option A is wrong because it uses `gateway` instead of `gateway4`; Netplan requires `gateway4` for IPv4 gateways. Option B is wrong because it uses `address` (singular) instead of `addresses` (plural list), and `dns-nameservers` is a legacy ifupdown syntax not valid in Netplan. Option C is wrong because it omits the required `version: 2` field, which Netplan mandates for the configuration to be recognized.

362
Multi-Selectmedium

Which TWO commands can be used to display the current block devices and their partitions?

Select 2 answers
A.df -h
B.lsblk
C.parted -l
D.fdisk -l
E.blkid
AnswersB, D

Lists block devices with partition info.

Why this answer

B is correct because `lsblk` lists all block devices (e.g., /dev/sda, /dev/nvme0n1) and their partition tables in a tree-like format, reading directly from sysfs. D is correct because `fdisk -l` displays partition tables for all block devices by reading the partition table from the disk (MBR or GPT). Both commands show current block devices and their partitions.

Exam trap

The trap here is that candidates confuse `df -h` (which shows mounted filesystems) with commands that display block devices and partitions, leading them to select option A, or they overlook `fdisk -l` because they think it only edits partitions, not lists them.

363
MCQeasy

Which of the following commands can be used to display the total, used, and available space for all mounted ext4 filesystems?

A.lsblk
B.fdisk -l
C.df -hT
D.tune2fs -l /dev/sda1
AnswerC

df -hT shows mounted filesystems with type and usage.

Why this answer

Option A is correct: df -hT shows all mounted filesystems with types and human-readable sizes, including ext4. Option B shows only disk info for a specific device. Option C shows partition table.

Option D shows file system creation parameters.

364
Multi-Selectmedium

Which THREE of the following are valid Linux filesystem types that can be used for root partitions on a modern Linux system?

Select 3 answers
A.XFS
B.NTFS
C.FAT32
D.Btrfs
E.ext4
AnswersA, D, E

Scalable, used in RHEL/CentOS.

Why this answer

XFS is a high-performance 64-bit journaling filesystem created by Silicon Graphics, now widely supported in the Linux kernel. It is a valid choice for root partitions on modern Linux systems, especially for large file and high-concurrency workloads, and is the default filesystem in Red Hat Enterprise Linux 7 and later.

Exam trap

The trap here is that candidates may confuse filesystems that Linux can read/write (like NTFS or FAT32) with native Linux filesystems that are suitable for root partitions, or they may overlook that Btrfs, while less common, is fully supported and valid for root on modern distributions.

365
MCQhard

A system administrator runs 'grep -r 'error' /var/log' and gets many false positives. They want to search only for the exact word 'error' as a whole word, case-insensitively, and display line numbers. Which command should they use?

A.grep -rwi 'error' /var/log
B.grep -rin 'error' /var/log
C.grep -rwn 'error' /var/log
D.grep -rwin 'error' /var/log
AnswerD

Correct: recursive, whole word, case-insensitive, line numbers.

Why this answer

Option D is correct because it combines all required flags: `-r` for recursive search, `-w` for whole-word matching (using word boundaries), `-i` for case-insensitive search, and `-n` for displaying line numbers. The `-w` flag ensures that only the exact word 'error' is matched, not substrings like 'error404' or 'error-prone', which eliminates false positives.

Exam trap

The trap here is that candidates often forget the `-w` flag is needed for whole-word matching, assuming `-i` alone is sufficient, or they confuse the order of flags and omit one of the required options.

How to eliminate wrong answers

Option A is wrong because it lacks the `-n` flag, so line numbers are not displayed. Option B is wrong because it uses `-i` and `-n` but omits `-w`, so it will match substrings (e.g., 'error404') and produce false positives. Option C is wrong because it uses `-w` and `-n` but omits `-i`, so it will not match uppercase variants like 'Error' or 'ERROR'.

366
Multi-Selecteasy

Which TWO commands can be used to mount a filesystem on /dev/sdb1 to /mnt/data?

Select 2 answers
A.mount /mnt/data /dev/sdb1
B.mount /dev/sdb1 /mnt/data
C.mount -t ext4 /dev/sdb1 /mnt/data
D.mount -o loop /dev/sdb1 /mnt/data
E.mount -t auto /dev/sdb1 /mnt/data -o loop
AnswersB, C

Standard mount command; works if filesystem is recognized.

Why this answer

Option B is correct because the standard syntax for the mount command is `mount [options] <device> <mountpoint>`, so `mount /dev/sdb1 /mnt/data` correctly specifies the device first and the target directory second. Option C is also correct because it explicitly specifies the filesystem type with `-t ext4`, which is a valid and common practice when mounting a filesystem, ensuring the kernel uses the correct driver.

Exam trap

Linux Foundation often tests the argument order of the mount command, trapping candidates who confuse the device and mount point positions, especially when combined with options like `-t` or `-o`.

367
MCQhard

You are managing a Linux server that hosts a critical application using a 500GB ext4 filesystem on an LVM logical volume. The application writes large log files that are rotated weekly. Recently, the system has been experiencing intermittent performance degradation and occasional 'Input/output error' messages when writing to the log directory. The disk (SSD) is relatively new, and SMART tests report no errors. The filesystem is not full, with 60% usage. You notice that the errors occur more frequently during peak write times. Which of the following is the most appropriate first step to diagnose and resolve the issue?

A.Add an LVM cache layer to improve write performance.
B.Unmount the filesystem and run 'e2fsck -f' to check and repair filesystem corruption.
C.Replace the SSD immediately as it is likely failing despite SMART tests.
D.Mount the filesystem with the 'noatime' option to reduce write overhead.
AnswerB

Filesystem corruption can cause I/O errors even if disk is healthy.

Why this answer

Option C is correct: Running 'e2fsck -f /dev/vg/lv' will force a filesystem check and repair any inconsistencies that could cause I/O errors. Option A is wrong because SMART is already clean. Option B is wrong because mounting with noatime might help performance but won't fix errors.

Option D is wrong because increasing LVM cache requires additional hardware and may not address filesystem corruption.

368
MCQhard

An administrator runs 'df -h' and notices that /dev/sda1 is 95% full. The administrator needs to identify the largest files in the filesystem. Which command sequence is most efficient?

A.find / -type f -size +100M
B.ls -lR / | sort -k5 -rn
C.find / -type f -exec du -sh {} \;
D.du -sh /* | sort -rh
AnswerD

Shows sizes of top-level directories sorted by size, efficient for identifying large directories.

Why this answer

Option D is correct because it efficiently identifies the largest directories and files at the top level of the filesystem using `du -sh /*` to summarize disk usage per top-level item, then pipes to `sort -rh` to sort by human-readable sizes in descending order. This avoids scanning every single file recursively, making it the fastest approach for a full filesystem.

Exam trap

Linux Foundation often tests the misconception that listing all files with `ls -lR` or scanning every file with `find` is efficient for disk usage analysis, when in reality summarizing with `du` on directories is far faster and more practical.

How to eliminate wrong answers

Option A is wrong because `find / -type f -size +100M` only finds files larger than 100 MB, missing smaller files that could collectively consume significant space, and it does not sort or summarize results. Option B is wrong because `ls -lR / | sort -k5 -rn` is extremely slow on a full filesystem, produces a massive unsorted list, and does not aggregate sizes per directory, making it impractical for identifying the largest space consumers. Option C is wrong because `find / -type f -exec du -sh {} \;` runs `du` on every single file individually, which is extremely slow and inefficient compared to using `du` on directories to get aggregated sizes.

369
Multi-Selectmedium

A system administrator needs to change the group ownership of a file to 'developers' and set the setgid bit on a directory. Which two commands accomplish these tasks? (Choose two.)

Select 2 answers
A.chmod g+s dir
B.chmod u+s dir
C.chown developers: file
D.chown :developers file
E.chmod g+s file
AnswersA, D

Sets the setgid bit on the directory.

Why this answer

Option A is correct because `chmod g+s dir` sets the setgid bit on a directory, causing new files created within it to inherit the directory's group ownership rather than the creator's primary group. This is a standard Linux permission mechanism for collaborative directories.

Exam trap

Linux Foundation often tests the distinction between setting the setgid bit on a directory versus a file, and the correct syntax for changing group ownership with `chown :group` versus `chown group:`.

370
MCQhard

A company runs a web application stack consisting of a frontend web server (web.service) and a backend application server (app.service). The app.service uses Restart=on-failure to automatically restart if it crashes. The administrator wants the web.service to automatically restart whenever app.service restarts, so that the frontend remains in sync with the backend. Which directive should be added to the web.service unit file's [Unit] section to achieve this?

A.BindsTo=app.service
B.PartOf=app.service
C.Requires=app.service
D.Wants=app.service
AnswerB

Propagates stop/restart from app.service to web.service.

Why this answer

Option B (PartOf=app.service) is correct because when app.service stops or restarts, PartOf causes systemd to stop or restart web.service as well, keeping the frontend in sync with the backend. Unlike BindsTo, PartOf does not create a strict dependency that would prevent app.service from starting independently, and it ensures the frontend follows the backend's state changes without requiring the backend to be fully operational for the frontend to start.

Exam trap

The trap here is that candidates confuse PartOf with BindsTo, assuming the stronger dependency is always better, but PartOf is the correct choice because it only propagates restarts without creating a hard binding that would prevent independent startup or cause the frontend to be stopped if the backend fails.

How to eliminate wrong answers

Option A (BindsTo=app.service) is wrong because BindsTo creates a stronger dependency where web.service would be bound to the lifecycle of app.service, and if app.service fails or stops, web.service would be forcefully stopped and could not be started independently; this is too restrictive for a frontend that should only restart when the backend restarts, not be permanently tied. Option C (Requires=app.service) is wrong because Requires only ensures that app.service is started when web.service starts, but it does not cause web.service to restart when app.service restarts; it only activates the dependency at startup. Option D (Wants=app.service) is wrong because Wants is a weaker form of Requires that does not enforce any restart behavior; it merely attempts to start app.service alongside web.service but does not propagate restarts or stops.

371
MCQeasy

A user reports that they can access websites by IP address but not by domain name. Which command should the administrator use to diagnose the issue?

A.dig google.com
B.netstat -r
C.traceroute 8.8.8.8
D.ping google.com
AnswerA

Dig performs DNS lookup and shows resolution details.

Why this answer

The user can access websites by IP address but not by domain name, indicating a DNS resolution failure. The `dig` command is the correct diagnostic tool because it directly queries DNS servers to test domain name resolution, bypassing the system's resolver cache and configuration. This allows the administrator to isolate whether the issue lies with DNS resolution or other network layers.

Exam trap

The trap here is that candidates often choose `ping google.com` (Option D) because it's a common connectivity test, but they fail to recognize that the symptom (access by IP but not name) specifically points to DNS, making `dig` the targeted diagnostic tool.

How to eliminate wrong answers

Option B is wrong because `netstat -r` displays the routing table, which is unrelated to DNS resolution; it would not help diagnose why domain names fail to resolve. Option C is wrong because `traceroute 8.8.8.8` tests network path connectivity to an IP address, which is already working per the user's report, and does not involve DNS. Option D is wrong because `ping google.com` would fail due to the same DNS resolution issue, making it useless for diagnosis; it would not reveal whether the problem is with DNS or something else.

372
MCQhard

A server has two network interfaces: eth0 (10.0.1.10/24, gateway 10.0.1.1) and eth1 (192.168.1.10/24, no gateway). Both are up. The default gateway is set to 10.0.1.1. A ping to 8.8.8.8 fails, but ping to 10.0.1.1 succeeds. What is the most likely cause?

A.eth1 has no gateway configured
B.The default route is missing or pointing to an incorrect gateway
C.DNS resolution is failing
D.eth0 is down
AnswerB

Even though the gateway is reachable, the default route may be missing or misconfigured.

Why this answer

The default gateway is correctly set to 10.0.1.1, and ping to that gateway succeeds, so eth0 and its route are functional. However, ping to 8.8.8.8 fails, which indicates that the default route (0.0.0.0/0 via 10.0.1.1) is either missing or misconfigured, preventing traffic destined for external networks from being forwarded. The fact that eth1 has no gateway is irrelevant because the default route is already defined via eth0.

Exam trap

The trap here is that candidates may incorrectly blame eth1's missing gateway (option A) instead of recognizing that the default route via eth0 is the sole path to external networks, and its absence is the real issue.

How to eliminate wrong answers

Option A is wrong because eth1 having no gateway is not the cause of the failure to reach 8.8.8.8; the default route is already set via eth0, and eth1 is only used for local subnet traffic. Option C is wrong because DNS resolution is not involved in a direct ping to an IP address (8.8.8.8), so a DNS failure would not prevent the ping. Option D is wrong because eth0 is up (ping to 10.0.1.1 succeeds), so the interface is operational.

373
MCQhard

Refer to the exhibit. What is the most likely security issue with this configuration?

A.The 'daemon' user has a login shell of /usr/sbin/nologin, which is not secure.
B.The 'user1' home directory does not match the username.
C.There are multiple users with UID 0.
D.The 'admin' user has no password set (x in place of password).
AnswerC

Both root and admin have UID 0, which gives root privileges to admin.

Why this answer

The user 'admin' has UID 0 (root UID), giving it root privileges. This is a backdoor or misconfiguration.

374
MCQeasy

Based on the exhibit, what happens if the service 'myapp' crashes?

A.The service is disabled and will not start at boot
B.systemd will automatically restart it after 5 seconds
C.The service remains stopped until manually started
D.An alert is sent to the system administrator
AnswerB

Restart=always and RestartSec=5 cause automatic restart.

Why this answer

Option B is correct because the systemd service unit for 'myapp' includes the directive `Restart=on-failure` combined with `RestartSec=5`. When the service process crashes or exits with a non-zero status, systemd detects the failure and automatically schedules a restart after the specified 5-second delay. This behavior is defined in the service unit file and is a core feature of systemd's service management.

Exam trap

The trap here is that candidates assume a crashed service must be manually restarted or that systemd only handles boot-time behavior, overlooking the `Restart=` and `RestartSec=` directives that define automatic restart policies for runtime failures.

How to eliminate wrong answers

Option A is wrong because a crash does not disable the service; disabling is a separate administrative action using `systemctl disable`, which only affects boot-time behavior, not runtime restart policy. Option C is wrong because systemd's `Restart=on-failure` directive explicitly instructs the init system to restart the service automatically upon crash, so it does not remain stopped. Option D is wrong because systemd does not send alerts by default; while it can log the event via journald, alerting requires additional configuration (e.g., custom scripts, monitoring tools, or `OnFailure=` unit dependencies).

375
MCQeasy

A developer needs to temporarily allow incoming TCP connections on port 8080 for testing. Which iptables command adds a rule to the INPUT chain to accept this traffic?

A.iptables -A OUTPUT -p tcp --sport 8080 -j ACCEPT
B.iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
C.iptables -A FORWARD -p tcp --dport 8080 -j ACCEPT
D.iptables -I INPUT 1 -p tcp --dport 8080 -j DROP
AnswerB

Appends a rule to INPUT chain to accept TCP on port 8080.

Why this answer

Option B is correct because the INPUT chain processes traffic destined for the local system, and the `--dport 8080` flag matches incoming TCP packets with destination port 8080. The `-j ACCEPT` target allows these packets through, which is exactly what is needed to temporarily permit incoming TCP connections on port 8080 for testing.

Exam trap

The trap here is that candidates often confuse the INPUT chain with the FORWARD chain, or mistakenly think that `--sport` (source port) is appropriate for incoming traffic, when `--dport` (destination port) is required for packets arriving at the local system.

How to eliminate wrong answers

Option A is wrong because it adds a rule to the OUTPUT chain (which handles outgoing traffic) and uses `--sport 8080` (source port), which would match outgoing packets originating from port 8080, not incoming connections. Option C is wrong because the FORWARD chain handles traffic routed through the system, not traffic destined for the local host; adding a rule there would not affect incoming connections to the local system. Option D is wrong because it uses `-j DROP` to reject traffic, and while `-I INPUT 1` inserts the rule at the top, the action is to drop, not accept, the incoming TCP connections on port 8080.

Page 4

Page 5 of 7

Page 6

All pages