Linux Foundation Certified System Administrator LFCS (LFCS) — Questions 376450

513 questions total · 7pages · All types, answers revealed

Page 5

Page 6 of 7

Page 7
376
MCQmedium

Refer to the exhibit. The file script.sh has permissions -rwxr-x--- and is owned by root with group 'developers'. A user named 'alice' is a member of the 'developers' group. Which command allows alice to execute the script without changing the file's group ownership?

A.usermod -aG developers alice
B.chmod o+x script.sh
C.chmod u+x script.sh
D.chown alice script.sh
AnswerA

Adding alice to the developers group gives her the group execute permission.

Why this answer

Option A is correct because the script's permissions (-rwxr-x---) grant execute permission to the owner (root) and the group (developers), but not to others. Alice is already a member of the developers group, so the command 'usermod -aG developers alice' would not change her group membership (it would simply re-add her). However, the question asks which command allows Alice to execute the script without changing the file's group ownership.

Since Alice is already in the developers group, she already has execute permission via the group. The command in A is redundant but does not change group ownership, and it is the only option that does not alter the file's group or permissions in a way that violates the constraint. The core reasoning is that Alice already has group execute permission, so no command is actually needed, but among the options, A is the only one that does not change the file's group ownership.

Exam trap

The trap here is that candidates assume Alice does not have group execute permission and choose options that change file permissions or ownership, missing that the question's constraint ('without changing the file's group ownership') is a red herring — the real issue is that Alice already has access, so the only 'correct' command among the options is the one that does nothing harmful, but Linux Foundation often tests whether you recognize that group membership already grants access and that modifying the file is unnecessary.

How to eliminate wrong answers

Option B is wrong because 'chmod o+x script.sh' adds execute permission for 'others', which changes the file's permissions (not group ownership) but violates the implicit requirement that the file's permissions remain unchanged (the question asks for a command that allows execution without changing group ownership, but B changes permissions, which is not prohibited, but it is unnecessary since Alice already has group execute). However, the more precise reason: B grants execute to all users not in the file's group, which is a security risk and does not leverage the existing group permission. Option C is wrong because 'chmod u+x script.sh' adds execute permission for the owner (root), which does not affect Alice's ability to execute the script (she is not the owner) and does not change group ownership, but it is irrelevant and does not grant Alice execute permission.

Option D is wrong because 'chown alice script.sh' changes the file's owner to Alice, which directly changes the file's ownership (not group ownership, but the question says 'without changing the file's group ownership' — this changes owner, not group, but it is still a change to ownership, and it would give Alice owner execute permission, but the question explicitly says 'without changing the file's group ownership', implying no ownership changes at all; also, changing owner requires root privileges and is not the intended solution).

377
MCQmedium

A system administrator needs to create a new ext4 filesystem on /dev/sdb1 with a reserved block percentage of 2% instead of the default 5%. Which command should be used?

A.mkfs.ext4 -m 2 /dev/sdb1
B.mkfs.ext4 -R 2 /dev/sdb1
C.mkfs.ext4 -r 2 /dev/sdb1
D.tune2fs -m 2 /dev/sdb1
AnswerA

Correct: -m sets reserved blocks percentage.

Why this answer

Option A is correct because the `-m` flag in `mkfs.ext4` sets the reserved block percentage for the superuser, and specifying `-m 2` overrides the default of 5% to reserve only 2% of the blocks on the new ext4 filesystem on /dev/sdb1.

Exam trap

The trap here is that candidates confuse `-m` (reserved block percentage) with `-r` (revision number) or `-R` (RAID stride), or they incorrectly choose `tune2fs` which modifies an existing filesystem rather than creating a new one.

How to eliminate wrong answers

Option B is wrong because `-R` is not a valid flag for `mkfs.ext4`; it is used with `mkfs.ext2` for RAID stride options, not for reserved block percentage. Option C is wrong because `-r` in `mkfs.ext4` specifies the filesystem revision number, not the reserved block percentage. Option D is wrong because `tune2fs` modifies an existing filesystem's parameters (including reserved block percentage with `-m`), but the question explicitly asks for creating a new filesystem, not tuning an existing one.

378
Multi-Selecthard

Which TWO commands can be used to display the current working directory? (Choose exactly two.)

Select 2 answers
A.ls
B.echo $PWD
C.pwd
D.dirname
E.cd
AnswersB, C

Correct: prints the PWD variable.

Why this answer

Option B is correct because the shell stores the current working directory path in the environment variable `$PWD`, and `echo $PWD` prints its value. This is a reliable way to display the current directory, as the shell updates `PWD` automatically on every `cd` command.

Exam trap

The trap here is that candidates may confuse `ls` (which lists files) with displaying the current directory path, or think `dirname` or `cd` can show the current directory without additional arguments.

379
MCQhard

A security audit reveals that a sensitive file '/etc/shadow' has been modified. The file's permissions are set to 600 and owned by root. However, the audit logs show that a service account 'webapp' was able to read the file. The 'webapp' user is not in the root group. Which of the following is the most likely method the 'webapp' user used to read the file?

A.The file is a hard link to another file that is readable by 'webapp'.
B.The 'webapp' user exploited a SUID binary that reads the file.
C.The file has an Access Control List (ACL) granting read permission to 'webapp'.
D.The 'webapp' user used 'sudo' to read the file as root.
AnswerC

ACLs override base permissions and can grant access to specific users.

Why this answer

Option C is correct because an Access Control List (ACL) can grant specific permissions to a user or group beyond the traditional Unix permission model. Even though the file's mode is 600 (owner read/write only) and owned by root, a setfacl command could have added an ACL entry (e.g., 'u:webapp:r') that explicitly allows the 'webapp' user to read /etc/shadow. This is a common method to give a service account access to a sensitive file without changing its ownership or group membership.

Exam trap

The trap here is that candidates assume traditional Unix permissions (owner/group/other) are the only way to control access, overlooking that ACLs can grant specific users read permission even when the file's mode appears restrictive (e.g., 600).

How to eliminate wrong answers

Option A is wrong because a hard link shares the same inode and permissions as the original file; if /etc/shadow is mode 600 and owned by root, any hard link to it would also be mode 600 and owned by root, so 'webapp' could not read it via a hard link unless an ACL or other mechanism grants access. Option B is wrong because a SUID binary runs with the effective UID of the binary's owner (typically root), but the audit logs show 'webapp' read the file, not a SUID binary; the question asks how 'webapp' read the file, not how a binary accessed it on behalf of 'webapp'. Option D is wrong because using 'sudo' to read a file as root would require the 'webapp' user to have sudo privileges (e.g., an entry in /etc/sudoers), which is a separate configuration; the question does not indicate any sudo access, and the most likely method given the scenario is an ACL, not sudo.

380
MCQhard

A system administrator needs to replace all occurrences of 'oldhost' with 'newhost' in /etc/hosts, but only on lines that contain the string 'domain'. Which sed command accomplishes this?

A.sed -i '/domain/s/oldhost/newhost/g' /etc/hosts
B.sed 's/oldhost/newhost/g' /etc/hosts | grep domain
C.sed -i '/domain/s/oldhost/newhost/' /etc/hosts
D.sed -i '/domain/s/oldhost/newhost/g' /etc/hosts
E.sed -ne '/domain/s/oldhost/newhost/gp' /etc/hosts
AnswerA

This correctly restricts substitution to lines matching 'domain' and replaces all occurrences.

Why this answer

Option A is correct because it uses the `-i` flag for in-place editing, an address range `/domain/` to restrict the substitution to lines containing 'domain', and the `g` flag to replace all occurrences of 'oldhost' with 'newhost' on each matching line. This precisely meets the requirement to modify only the targeted lines in the file.

Exam trap

The trap here is that candidates often forget the `g` flag for global replacement, assuming `s` replaces all occurrences by default, or they omit the `-i` flag and think output redirection is sufficient for in-place editing.

How to eliminate wrong answers

Option B is wrong because it pipes the output to `grep domain`, which only displays matching lines but does not modify the file; the `-i` flag is missing, so changes are not saved. Option C is wrong because it lacks the `g` flag, so only the first occurrence of 'oldhost' on each matching line is replaced, not all occurrences. Option D is a duplicate of the correct answer (A) and is not wrong, but the question expects only one correct answer; however, since the options list A and D as identical, D is technically correct as well, but the exam likely expects A as the first correct choice.

Option E is wrong because the `-n` flag suppresses default output and `p` prints only the changed lines, but without `-i`, the file is not modified in-place.

381
MCQeasy

A Linux server hosts a critical web application and is connected to the corporate network via a bonded interface bond0, combining eth0 and eth1 in active-backup mode. The server has a static IP 192.168.1.100/24 and default gateway 192.168.1.1. Recently, users report intermittent connectivity. The administrator runs 'ip link show' and sees that eth0 and eth1 are both state UP, but bond0 shows 'state UP' and 'NO-CARRIER'. The bond primary slave is eth0. Also, 'ping 192.168.1.1' fails. What should the administrator do next?

A.Add a secondary IP address to eth0.
B.Restart the NetworkManager service.
C.Check the physical cable connection of eth0.
D.Change the bond mode to balance-rr to load balance traffic.
AnswerC

NO-CARRIER on the bond with the primary slave UP suggests a physical problem on eth0; checking the cable is the correct first step.

Why this answer

The bond interface showing NO-CARRIER indicates a physical link problem on the active slave. Since eth0 is the primary slave and bond0 has no carrier, the most likely cause is a disconnected or faulty cable on eth0. Checking the physical connection is the appropriate first step.

Changing the bond mode or restarting services would not resolve a physical issue, and adding a secondary IP is irrelevant.

382
MCQeasy

Which command displays the current status of all active services?

A.systemctl list-units --type=service --state=active
B.systemctl status --all
C.systemctl show --type=service
D.systemctl list-unit-files --type=service
AnswerA

This command filters for active services only.

Why this answer

Option A is correct because `systemctl list-units --type=service --state=active` filters systemd units to show only those of type 'service' that are currently in the 'active' state (i.e., running or exited but still considered active). This is the precise command to list all active services without showing inactive or failed units.

Exam trap

The trap here is that candidates often confuse `systemctl status --all` (which shows all units regardless of state) with listing only active services, or they mistakenly think `systemctl list-unit-files` shows current runtime status instead of disk-based enablement configuration.

How to eliminate wrong answers

Option B is wrong because `systemctl status --all` shows the status of all units (including non-service types like sockets, timers, and mounts) and includes inactive and failed units, not just active services. Option C is wrong because `systemctl show --type=service` displays detailed properties/parameters of service units (like environment variables or resource limits) rather than their current runtime status. Option D is wrong because `systemctl list-unit-files --type=service` lists the enablement state (enabled/disabled/static) of service unit files on disk, not their current active/inactive runtime status.

383
MCQeasy

An administrator wants to view the current memory usage in a human-readable format, showing totals for used and free memory. Which command should be used?

A.vmstat
B.free -h
C.top
D.cat /proc/meminfo
AnswerB

Shows human-readable memory summary.

Why this answer

The `free -h` command displays memory usage in a human-readable format (e.g., MiB, GiB) and shows totals for used and free memory, including buffers/cache and swap. This directly matches the requirement for a quick, readable summary of memory usage.

Exam trap

The trap here is that candidates may choose `cat /proc/meminfo` because it contains all memory details, but they overlook the requirement for a human-readable format and totals, which `free -h` provides directly.

How to eliminate wrong answers

Option A is wrong because `vmstat` reports virtual memory statistics, process, CPU, and I/O activity, but it does not present totals for used and free memory in a human-readable format by default; its output is in raw numbers and requires interpretation. Option C is wrong because `top` provides a real-time, dynamic view of system processes and memory usage, but it is interactive and not designed for a single, static human-readable summary of total used and free memory. Option D is wrong because `cat /proc/meminfo` outputs raw kernel memory statistics in kilobytes, which is not human-readable and requires manual calculation to derive totals for used and free memory.

384
MCQeasy

Refer to the exhibit. An administrator wants to bring up the eth1 interface using the existing connection. Which command should be used?

A.nmcli connection up eth1
B.nmcli device connect eth1
C.ifup eth1
D.ip link set eth1 up
AnswerA

This explicitly activates the named connection 'eth1'.

Why this answer

Option A is correct because `nmcli connection up eth1` activates the existing NetworkManager connection profile associated with the eth1 interface. This command ensures that the interface is brought up using the stored configuration (e.g., IP addressing, DNS, routes) rather than just setting the link state. NetworkManager manages connections as profiles, and `nmcli connection up` is the proper way to apply a profile to an interface.

Exam trap

The trap here is that candidates often confuse `nmcli device` with `nmcli connection` — the `device` subcommand manages physical interfaces, while `connection` manages logical profiles, and only `connection up` applies the full configuration from an existing profile.

How to eliminate wrong answers

Option B is wrong because `nmcli device connect eth1` attempts to create a new connection profile for the device, which is not appropriate when an existing connection should be used; it may overwrite or duplicate settings. Option C is wrong because `ifup eth1` is a legacy SysVinit command that relies on `/etc/network/interfaces` and is not integrated with NetworkManager, which is the default network service on modern Linux distributions (e.g., RHEL/CentOS 7+). Option D is wrong because `ip link set eth1 up` only brings the interface administratively up at Layer 2, but it does not apply any Layer 3 configuration (IP address, routes) or use the existing connection profile, leaving the interface without network connectivity.

385
MCQmedium

You are a systems administrator for a company that runs a web application on a Linux server with 16 GB of RAM and 4 CPU cores. The application uses Apache with mod_php and PostgreSQL. Recently, the server has been experiencing high load average (above 10) and the website is responding slowly. The 'top' command shows that many 'httpd' processes are in 'D' (uninterruptible sleep) state. The 'iostat -x 1' output shows high disk utilization (over 90%) and high average wait times (await > 200 ms) on the disk where PostgreSQL data is stored. The database is write-heavy, and you suspect that disk I/O is the bottleneck. Which of the following actions is most likely to improve the performance?

A.Enable the PostgreSQL query cache by setting 'query_cache_type' to 'on'.
B.Increase the PostgreSQL shared_buffers setting to 4 GB.
C.Increase the PostgreSQL max_connections setting to 200.
D.Decrease the Apache MaxClients setting to 50.
AnswerB

Increasing shared_buffers allows PostgreSQL to cache more data in memory, reducing the amount of disk I/O needed. This directly addresses the high disk utilization.

Why this answer

The high disk utilization (over 90%) and high await times (>200 ms) on the PostgreSQL data disk indicate that the database is I/O-bound. Increasing PostgreSQL's shared_buffers to 4 GB (25% of 16 GB RAM) allows more data to be cached in memory, reducing the frequency of disk writes and reads for write-heavy workloads. This directly alleviates the disk I/O bottleneck, lowering the load average and the number of httpd processes in 'D' state.

Exam trap

The trap here is that candidates may confuse PostgreSQL's shared_buffers with MySQL's query cache or think that reducing Apache connections will fix an I/O bottleneck, when the real solution is to increase database memory caching to reduce disk pressure.

How to eliminate wrong answers

Option A is wrong because PostgreSQL does not have a 'query_cache_type' setting; that is a MySQL/MariaDB feature, and enabling it would not address disk I/O. Option C is wrong because increasing max_connections to 200 would allow more concurrent database sessions, which would increase contention for the already saturated disk, worsening performance. Option D is wrong because decreasing Apache MaxClients to 50 would reduce the number of concurrent web requests, but the bottleneck is disk I/O on the PostgreSQL data disk, not Apache process limits; this action might reduce load slightly but does not address the root cause.

386
MCQeasy

Based on the tcpdump output in the exhibit, what can be concluded about the TCP handshake?

A.The connection attempt failed because only three packets are shown.
B.The connection was reset by the remote host.
C.The handshake is incomplete because there is no ACK from the server.
D.The TCP three-way handshake completed successfully.
AnswerD

SYN, SYN-ACK, ACK sequence indicates success.

Why this answer

The TCP three-way handshake completes successfully when three packets are exchanged: SYN, SYN-ACK, and ACK. The tcpdump output shows exactly these three packets, confirming a successful handshake. The presence of the final ACK from the client to the server's SYN-ACK indicates that the connection is established.

Exam trap

The trap here is that candidates may mistakenly think a three-packet handshake is incomplete or failed, when in fact the TCP three-way handshake is defined as exactly three packets, and the final ACK from the client completes it.

How to eliminate wrong answers

Option A is wrong because a successful TCP three-way handshake consists of exactly three packets (SYN, SYN-ACK, ACK), so seeing three packets does not indicate failure. Option B is wrong because a reset (RST) packet would appear in the output if the connection were reset by the remote host, but no RST flag is shown. Option C is wrong because the handshake is complete; the server sends a SYN-ACK (the second packet), and the client responds with an ACK (the third packet), which is the expected final step.

387
MCQmedium

A developer wants to change the ownership of a directory and all its contents recursively to user 'appuser' and group 'appgroup'. Which command accomplishes this?

A.chown -R appuser:appgroup /app
B.chown -R appuser /app && chgrp appgroup /app
C.chgrp -R appgroup /app && chown appuser /app
D.chown -R appuser: /app && chgrp -R appgroup /app
AnswerA

Correct: recursive owner:group change.

Why this answer

Option A is correct because the `chown -R appuser:appgroup /app` command recursively changes both the user and group ownership of the `/app` directory and all its contents. The `-R` flag ensures recursion, and the colon-separated `user:group` syntax sets both ownership attributes in a single command.

Exam trap

The trap here is that candidates often forget the `-R` flag on the second command in compound solutions, or they mistakenly believe `chown user:` sets a specific group rather than the user's default group, leading them to choose options that only partially apply the ownership change.

How to eliminate wrong answers

Option B is wrong because `chown -R appuser /app` changes only the user ownership recursively, but `chgrp appgroup /app` without `-R` changes only the group ownership of the `/app` directory itself, not its contents. Option C is wrong because `chgrp -R appgroup /app` changes group ownership recursively, but `chown appuser /app` without `-R` changes only the user ownership of the top-level directory, leaving all contents with the original user. Option D is wrong because `chown -R appuser: /app` sets the group to the user's default group (not `appgroup`), and the subsequent `chgrp -R appgroup /app` would override that group, but the first command already incorrectly sets the group.

388
Multi-Selecteasy

A user wants to view the contents of a compressed file file.txt.gz without decompressing it permanently. Which two commands can be used? (Choose two.)

Select 2 answers
A.gunzip -c file.txt.gz
B.zcat file.txt.gz
C.gzip -l file.txt.gz
D.gzip -d file.txt.gz
E.gzip -k file.txt.gz
AnswersA, B

Outputs decompressed content to stdout, leaving the .gz file untouched.

Why this answer

Option A is correct because `gunzip -c` decompresses the file to standard output, allowing the user to view the contents without modifying the original compressed file. Option B is correct because `zcat` is equivalent to `gunzip -c` and reads the compressed file directly, outputting the decompressed data to the terminal without permanent decompression.

Exam trap

The trap here is that candidates confuse `gzip -d` (which permanently decompresses) with `gunzip -c` (which outputs to stdout), or mistakenly think `gzip -l` shows file contents instead of metadata.

389
MCQmedium

A company runs a monitoring agent service (monitor.service) that must start after the network is fully up and the DNS resolver is ready. The service currently has the following dependencies in its unit file: [Unit] Description=Monitoring Agent After=network.target Wants=network.target [Service] ExecStart=/usr/bin/monitor The service starts, but often fails to resolve hostnames because DNS is not yet available. Which change should be made to the unit file to ensure the service only starts after DNS is ready?

A.Replace After=network.target with After=network-online.target and add Requires=network-online.target
B.Add a dependency: After=nss-lookup.target
C.Add Before=network.target to delay the start
D.Set Type=idle in the [Service] section
AnswerB

Ensures name resolution services are available.

Why this answer

Option B is correct because `nss-lookup.target` is a synchronization point that indicates the hostname resolution subsystem (including DNS) is fully operational. By adding `After=nss-lookup.target`, the monitor service will not start until DNS resolution is available, solving the hostname resolution failures. The existing `Wants=network.target` is insufficient because `network.target` only signals that basic network interfaces are configured, not that DNS services are ready.

Exam trap

The trap here is that candidates confuse `network-online.target` with DNS readiness, assuming network connectivity automatically implies DNS resolution is available, but DNS is a separate service that may not be synchronized with network interface activation.

How to eliminate wrong answers

Option A is wrong because `network-online.target` ensures the network stack is fully up (e.g., IP addresses assigned), but it does not guarantee DNS resolution is ready; DNS is a separate subsystem. Option C is wrong because `Before=network.target` would attempt to start the monitor service before the network is up, making the DNS problem worse. Option D is wrong because `Type=idle` only delays the service start until all other jobs are dispatched, but it does not wait for DNS readiness; it is a scheduling hint, not a dependency.

390
MCQmedium

A service unit file includes the following: [Install] WantedBy=multi-user.target. What does this directive accomplish?

A.The service is stopped when multi-user.target is stopped.
B.The service conflicts with multi-user.target.
C.The service is automatically started when the system enters multi-user.target.
D.The service is enabled by symlinking in multi-user.target.wants.
AnswerD

WantedBy= creates a symlink in the .wants directory of the target when the service is enabled.

Why this answer

The `WantedBy=multi-user.target` directive in the `[Install]` section of a systemd service unit file does not directly start the service when the target is entered. Instead, when the service is enabled (via `systemctl enable`), systemd creates a symbolic link from the service unit file into the `multi-user.target.wants/` directory. This symlink causes systemd to automatically start the service as a dependency when `multi-user.target` is activated, effectively enabling the service for that target.

Exam trap

The trap here is that candidates confuse the declarative `WantedBy` directive with an immediate start action (Option C), when in fact it only defines a dependency relationship that takes effect after the service is enabled via symlinking.

How to eliminate wrong answers

Option A is wrong because `WantedBy` does not define a stop behavior; stopping the target stops the service only if the service has a `PartOf=` or `BindsTo=` relationship, not from `WantedBy` alone. Option B is wrong because `WantedBy` establishes a weak dependency (a 'wants' relationship), not a conflict; a conflict would require `Conflicts=` in the `[Unit]` section. Option C is wrong because `WantedBy` does not directly start the service upon entering the target; it only causes the service to be pulled in as a dependency when the target is activated, which happens only if the service is enabled (symlinked).

391
MCQmedium

An administrator needs to permanently set a static IPv4 address 192.168.1.100/24 on interface eth0 using NetworkManager. Which command achieves this?

A.nmcli connection modify eth0 ipv4.addresses 192.168.1.100/24
B.nmcli connection modify eth0 ipv4.addresses 192.168.1.100/24 ipv4.method manual
C.nmcli device modify eth0 ipv4.addresses 192.168.1.100/24
D.nmcli connection modify 'System eth0' ipv4.addresses 192.168.1.100/24 ipv4.method manual
AnswerB

Correct: sets both address and method, making it persistent.

Why this answer

Option B is correct because `nmcli connection modify` is the proper command to permanently change a NetworkManager connection profile, and setting both `ipv4.addresses` and `ipv4.method manual` ensures the static IP is applied and the interface does not fall back to DHCP. Without setting the method to `manual`, NetworkManager may ignore the static address or override it with DHCP.

Exam trap

The trap here is that candidates often forget to set `ipv4.method manual` when configuring a static IP, assuming that providing an address alone is sufficient, or they mistakenly use `nmcli device modify` for a permanent change instead of `nmcli connection modify`.

How to eliminate wrong answers

Option A is wrong because it sets the IP address but does not change the IPv4 method from its default (often 'auto' or DHCP), so the static address may not be used or may be overridden. Option C is wrong because `nmcli device modify` only makes temporary runtime changes that do not survive a reboot or NetworkManager restart, as it modifies the device directly rather than the connection profile. Option D is wrong because it uses a connection name 'System eth0' which is a legacy naming convention from older NetworkManager versions; on modern systems the default connection name for eth0 is typically 'eth0' or 'Wired connection 1', so this command would likely fail or create a new profile.

392
MCQeasy

A user needs to see the contents of a gzip-compressed file 'data.txt.gz' without decompressing it. Which command is appropriate?

A.gunzip data.txt.gz
B.zcat data.txt.gz
C../data.txt.gz
D.gzcat data.txt.gz
AnswerB

Displays compressed file contents without decompressing.

Why this answer

The `zcat` command reads a gzip-compressed file and outputs its decompressed content to stdout without modifying the original file. This allows the user to view the contents of 'data.txt.gz' without permanently decompressing it.

Exam trap

The trap here is that candidates may confuse `zcat` with `gunzip` or assume `gzcat` is the correct command, but the LFCS exam expects knowledge of the standard `zcat` utility for viewing compressed files without decompression.

How to eliminate wrong answers

Option A is wrong because `gunzip` decompresses the file and replaces the .gz file with the uncompressed version, which does not meet the requirement to view contents without decompressing. Option C is wrong because attempting to execute a compressed file with `./data.txt.gz` will fail as it is not an executable binary and the shell cannot interpret the compressed data. Option D is wrong because `gzcat` is not a standard Linux command; while some systems may have it as an alias, the standard command on Linux is `zcat`.

393
MCQmedium

Refer to the exhibit. What is the most likely cause of the sshd service failure?

A.The OPTIONS environment variable is not set.
B.The service is not enabled to start at boot.
C.There is a syntax error in the unit file.
D.The sshd_config file is misconfigured.
AnswerD

sshd exiting with 255 often indicates bad configuration.

Why this answer

The exhibit shows that the sshd service fails to start, and the most likely cause is a misconfiguration in the sshd_config file. When sshd is started via systemd, a syntax error or invalid directive in /etc/ssh/sshd_config will cause the daemon to exit immediately, resulting in a failed status. This is a common issue because sshd validates its configuration file at startup and will refuse to run if it finds an error.

Exam trap

The trap here is that candidates often assume a unit file syntax error (Option C) is the cause, but systemd unit files are parsed before the service runs, so a unit file error would prevent the service from starting at all, whereas a misconfigured sshd_config allows the unit to start but causes the daemon to exit immediately after parsing the config.

How to eliminate wrong answers

Option A is wrong because the OPTIONS environment variable is not a standard systemd or sshd mechanism; sshd uses command-line arguments or the sshd_config file, not an OPTIONS variable. Option B is wrong because the service not being enabled to start at boot would not cause a failure when manually starting the service; it would simply not start automatically on boot, but 'systemctl start sshd' would still succeed if the configuration is valid. Option C is wrong because a syntax error in the unit file would typically produce a specific systemd error message (e.g., 'Failed to parse unit file') and would prevent the service from being started at all, whereas the exhibit likely shows a failure after the unit file is parsed successfully.

394
MCQmedium

A system administrator is tasked with setting up a new 2TB disk for a database server. The database requires high read/write performance and redundancy. The server has a hardware RAID controller, but the administrator wants to use Linux software RAID for flexibility. Which of the following RAID levels should the administrator choose to maximize performance while providing fault tolerance, assuming the disk will be part of a larger array in the future?

A.RAID 5
B.RAID 0
C.RAID 6
D.RAID 10
AnswerD

RAID 10 combines mirroring and striping for performance and redundancy.

Why this answer

RAID 10 (striping of mirrors) provides both high read/write performance and fault tolerance by combining the speed of RAID 0 striping with the redundancy of RAID 1 mirroring. Since the administrator plans to add more disks to the array in the future, RAID 10 scales well with additional pairs, maintaining performance and redundancy without the parity calculation overhead of RAID 5 or RAID 6.

Exam trap

The trap here is that candidates often choose RAID 5 or RAID 6 thinking they offer a good balance of performance and redundancy, but they overlook the significant write penalty and the fact that RAID 10 actually provides superior performance for write-intensive database workloads.

How to eliminate wrong answers

Option A is wrong because RAID 5 uses distributed parity, which incurs a write penalty (each write requires reading old data and parity, then writing new data and parity) and reduces write performance, especially with large disks like 2TB. Option B is wrong because RAID 0 offers no fault tolerance; a single disk failure destroys the entire array, which contradicts the requirement for redundancy. Option C is wrong because RAID 6 uses double parity, which further increases the write penalty (two parity calculations per write) and reduces performance compared to RAID 10, while also not scaling as efficiently when adding disks to an existing array.

395
MCQmedium

An administrator needs to set the reserved block percentage on an ext4 filesystem to 1% for a non-root filesystem. Which command accomplishes this?

A.tune2fs -m 0.5 /dev/sdb1
B.tune2fs -m 1 /dev/sdb1
C.tune2fs -r 1% /dev/sdb1
D.tune2fs -c 1 /dev/sdb1
AnswerB

Correct command.

Why this answer

Option B is correct because the `tune2fs -m` command sets the reserved block percentage for an ext4 filesystem, and `-m 1` sets it to exactly 1%. This is the standard way to adjust reserved space on a non-root ext4 filesystem, as root filesystems typically have a default of 5% reserved for system processes.

Exam trap

The trap here is confusing the `-m` (percentage) and `-r` (absolute blocks) options, leading candidates to incorrectly use `-r` with a percentage value like `1%`.

How to eliminate wrong answers

Option A is wrong because `-m 0.5` sets the reserved block percentage to 0.5%, not 1%. Option C is wrong because `-r` expects an absolute number of reserved blocks, not a percentage; the syntax `-r 1%` is invalid and would cause an error. Option D is wrong because `-c 1` sets the maximum mount count between filesystem checks, not the reserved block percentage.

396
MCQeasy

Refer to the exhibit. User alice attempts to create a file in /data/project but receives 'Permission denied'. User bob can create files successfully. What is the most likely reason?

A.The directory's SGID bit requires primary group membership for write access.
B.Alice is not a member of the project group.
C.The directory has an ACL that denies write to user alice.
D.Alice needs to run 'newgrp project' or log out and back in for her group membership to take effect.
AnswerD

Group membership changes apply only to new sessions.

Why this answer

Option C is correct. Although alice is a member of the project group, she was likely added after her current login session started; her supplementary groups are not updated until she logs out and back in or runs newgrp. Option A is false because groups shows she is in project.

Option B is false because SGID does not affect write permission for project members. Option D is speculative and not indicated.

397
MCQhard

A system administrator needs to ensure that a specific service, 'myapp', starts automatically after a system crash and also restarts if it fails. Which systemd unit directive should be used to achieve this behavior?

A.RemainAfterExit=yes
B.Restart=always
C.Restart=on-failure and WantedBy=multi-user.target
D.ExecStopPost=/bin/systemctl restart myapp.service
AnswerC

Restart=on-failure restarts the service only if it fails (non-zero exit), and WantedBy=multi-user.target ensures it starts at boot.

Why this answer

Option C is correct because the combination of `Restart=on-failure` ensures the service restarts automatically if it exits with a non-zero exit code or is terminated by a signal, and `WantedBy=multi-user.target` creates a dependency that starts the service at boot, including after a system crash. This satisfies both requirements: automatic start after crash (via systemd's dependency-based boot) and restart on failure (via the Restart directive).

Exam trap

The trap here is that candidates often confuse `Restart=always` with `Restart=on-failure`, not realizing that `always` restarts even on manual stops, which violates the typical requirement to only restart on failure, and they may overlook that `WantedBy=multi-user.target` is necessary for automatic start after a crash.

How to eliminate wrong answers

Option A is wrong because `RemainAfterExit=yes` only keeps the service unit in an 'active' state after its main process exits, but it does not cause the service to start after a crash or restart on failure. Option B is wrong because `Restart=always` would restart the service even if it is manually stopped by an administrator, which is not the desired behavior and can lead to unintended restarts; the requirement is to restart only on failure, not on manual stop. Option D is wrong because `ExecStopPost` runs a command after the service stops, but it does not inherently restart the service; using it to call `systemctl restart` is a workaround that bypasses systemd's built-in restart logic and can cause race conditions or infinite restart loops.

398
MCQmedium

An administrator needs to mount an XFS filesystem with options to optimize for a database workload. Which mount option would reduce metadata updates to improve performance?

A.noexec
B.nodiratime
C.relatime
D.noatime
AnswerD

Disables atime updates, reducing metadata writes.

Why this answer

The `noatime` mount option disables updates to the inode access time (atime) on every file read. For database workloads, this eliminates a significant source of metadata write I/O, reducing disk contention and improving overall performance by avoiding unnecessary journal updates on XFS.

Exam trap

The trap here is that candidates confuse `relatime` (which reduces but does not eliminate atime updates) with `noatime`, or incorrectly assume `nodiratime` is sufficient for database optimization, when only `noatime` fully removes metadata write overhead for all files.

How to eliminate wrong answers

Option A is wrong because `noexec` prevents execution of binaries on the filesystem, which does not affect metadata updates or database I/O performance. Option B is wrong because `nodiratime` only disables atime updates for directories, not for regular files, so it provides only partial reduction in metadata writes. Option C is wrong because `relatime` updates atime only if the previous atime is older than the mtime or ctime, which still generates some metadata writes and is less aggressive than `noatime` for write-heavy database workloads.

399
MCQhard

An administrator needs to replace all occurrences of the string 'foo' with 'bar' in all files under /etc/config, but only in files ending with .conf. The replacement must be done in-place, and backup copies should be created with a .bak extension. Which command accomplishes this?

A.find /etc/config -name '*.conf' -exec sed -i .bak 's/foo/bar/g' {} +
B.find /etc/config -name '*.conf' -exec sed 's/foo/bar/g' {} \;
C.find /etc/config -name '*.conf' -exec sed -i.bak 's/foo/bar/g' {} +
D.find /etc/config -name '*.conf' -exec sed -i 's/foo/bar/g' {} +
AnswerC

-i.bak creates backup with .bak extension.

Why this answer

Option C is correct because it uses `sed -i.bak` which creates a backup file with the .bak extension before performing the in-place substitution, and the `find -exec ... +` variant efficiently processes multiple files at once. The `-i` option with an argument (no space) specifies the backup suffix directly, satisfying the requirement for backup copies.

Exam trap

The trap here is that candidates confuse the syntax `-i .bak` (with a space, which is incorrect) with `-i.bak` (no space, which is correct), or they forget that `-i` without a suffix does not create backups, leading them to choose options that either fail or omit the required backup step.

How to eliminate wrong answers

Option A is wrong because `-i .bak` (with a space) is interpreted as `-i` with an empty backup suffix and `.bak` as a separate argument, causing sed to fail or behave unexpectedly. Option B is wrong because it lacks the `-i` flag entirely, so changes are written to stdout instead of being saved in-place, and no backups are created. Option D is wrong because `-i` without a suffix does not create backup files, violating the requirement for .bak backups.

400
MCQhard

A server runs a custom application that listens on TCP port 8080. The administrator wants to ensure the application starts automatically on boot and restarts if it crashes. Which systemd unit file directive should be used to achieve the restart behavior?

A.RestartSec=5
B.Type=notify
C.RemainAfterExit=yes
D.Restart=on-failure
AnswerD

This directive tells systemd to restart the service when it exits unexpectedly.

Why this answer

The `Restart=on-failure` directive in a systemd unit file instructs systemd to automatically restart the service unit when it exits with a non-zero exit code, is terminated by a signal (including SIGKILL), or times out. This directly satisfies the requirement for the application to restart if it crashes, as a crash typically results in an unclean exit that triggers the restart condition.

Exam trap

The trap here is that candidates often confuse `RestartSec` with the restart policy itself, or assume `Type=notify` or `RemainAfterExit=yes` imply automatic restart behavior, when in fact only `Restart=` directives control restart logic.

How to eliminate wrong answers

Option A is wrong because `RestartSec=5` specifies a delay (5 seconds) before attempting a restart, but it does not enable restart behavior on its own; it only modifies the timing if a restart is already configured via `Restart=`. Option B is wrong because `Type=notify` tells systemd that the service will send a notification (via sd_notify) when it is fully started, but it has no effect on restart behavior after a crash. Option C is wrong because `RemainAfterExit=yes` makes systemd consider the service as active even after the main process exits, which is used for one-shot services that set up state; it does not cause automatic restarts on failure.

401
MCQmedium

A system administrator needs to add a new user 'alice' with UID 1050 and a home directory at /home/alice. Which command should be used?

A.useradd -u 1050 -d /home/alice -m alice
B.useradd -U 1050 -h /home/alice alice
C.useradd --uid 1050 --home /home/alice alice
D.useradd --create-home --skel /etc/skel -u 1050 alice
AnswerA

Correct syntax. -u sets UID, -d sets home directory, -m creates it.

Why this answer

Option A is correct because useradd -u sets UID, -d sets home directory, -m creates the home directory. Option B uses incorrect flags -U and -h. Option C uses --home but not --create-home.

Option D uses --create-home but without -d, it defaults to /home/alice with UID 1050, but the home directory path is not explicitly set to /home/alice.

402
MCQeasy

A system administrator needs to configure a static IP address on a CentOS 7 server. Which file should be edited to set the IP address permanently?

A./etc/netplan/01-netcfg.yaml
B./etc/network/interfaces
C./etc/hostname
D./etc/sysconfig/network-scripts/ifcfg-eth0
AnswerD

Correct file for CentOS 7 static IP configuration.

Why this answer

On CentOS 7, network interfaces are configured via scripts located in /etc/sysconfig/network-scripts/, with each interface having a file named ifcfg-<interface>. The ifcfg-eth0 file stores static IP settings such as IPADDR, NETMASK, and GATEWAY, which are read by the network service (network.service) to apply persistent configuration.

Exam trap

The trap here is that candidates familiar with Ubuntu or Debian systems may incorrectly choose /etc/network/interfaces (Option B) or /etc/netplan/01-netcfg.yaml (Option A), forgetting that CentOS 7 uses the Red Hat-style ifcfg scripts in /etc/sysconfig/network-scripts/.

How to eliminate wrong answers

Option A is wrong because /etc/netplan/01-netcfg.yaml is used by Netplan, a network configuration utility for Ubuntu (starting from 17.10) and not by CentOS 7, which uses the legacy ifcfg system. Option B is wrong because /etc/network/interfaces is the configuration file for Debian/Ubuntu systems using ifupdown, not for CentOS 7. Option C is wrong because /etc/hostname only sets the system's hostname, not IP address configuration; it contains a single line with the hostname and has no effect on network interface addressing.

403
MCQmedium

To check the disk usage of the /var/log directory in a human-readable format, which command is appropriate?

A.du -sh /var/log
B.ls -lh /var/log
C.df -h /var/log
D.fdisk -l /var/log
AnswerA

du -sh gives a summary of the total disk usage for the specified directory.

Why this answer

The `du -sh /var/log` command is correct because `du` (disk usage) estimates file and directory space usage, and the `-s` option summarizes the total for the specified directory, while `-h` prints sizes in human-readable format (e.g., K, M, G). This directly answers the requirement to check disk usage of the /var/log directory in a human-readable form.

Exam trap

The trap here is that candidates confuse `du` (directory usage) with `df` (filesystem usage), or mistakenly think `ls -lh` shows total directory size, when in fact `ls` only lists individual file sizes without summing subdirectory contents.

How to eliminate wrong answers

Option B is wrong because `ls -lh /var/log` lists the contents of the directory with file sizes, not the total disk usage of the directory itself; it does not aggregate space used by subdirectories. Option C is wrong because `df -h /var/log` reports the free and used space on the filesystem that contains /var/log, not the disk usage of the directory itself. Option D is wrong because `fdisk -l /var/log` is used to manipulate or display partition tables on block devices, not to check disk usage of a directory; it would fail on a regular file or directory.

404
MCQhard

An administrator runs 'ls -la' and sees the following entry for a file: 'lrwxrwxrwx 1 root root 24 Jan 10 12:00 link -> /etc/passwd'. If the target file /etc/passwd is deleted, what happens to the link file?

A.The link becomes a hard link to the deleted file's inode
B.The link becomes a broken symbolic link
C.The link becomes a regular file with the same content
D.The link is automatically deleted
AnswerB

The symlink still exists but points to a non-existent target, making it broken.

Why this answer

The entry 'lrwxrwxrwx' indicates a symbolic link (symlink), which stores a path to the target file rather than sharing its inode. When the target /etc/passwd is deleted, the symlink still exists but points to a non-existent path, making it a broken (dangling) symlink. Accessing it will result in a 'No such file or directory' error.

Exam trap

The trap here is that candidates confuse symbolic links with hard links, assuming the link would become a regular file or automatically delete, when in fact a symlink simply becomes broken and persists until manually removed.

How to eliminate wrong answers

Option A is wrong because a symbolic link does not share the target's inode; only hard links do, and deleting the target does not convert a symlink into a hard link. Option C is wrong because a symbolic link is not a regular file and does not contain the target's content; it only stores a path string, and deleting the target does not copy content into the link. Option D is wrong because symbolic links are not automatically deleted when their target is removed; they persist as broken links until explicitly removed.

405
MCQeasy

A user reports that they cannot reach a remote server by hostname but can reach it by IP address. Which configuration file is most likely misconfigured?

A./etc/resolv.conf
B./etc/sysconfig/network
C./etc/hosts
D./etc/nsswitch.conf
AnswerA

/etc/resolv.conf specifies DNS servers; if misconfigured, DNS queries fail, causing hostname resolution to fail.

Why this answer

The /etc/resolv.conf file configures the system's DNS resolver, specifying the nameservers to query for hostname-to-IP resolution. If a user can reach a server by IP but not by hostname, it indicates that DNS resolution is failing, which is most commonly due to a missing or incorrect nameserver entry in /etc/resolv.conf.

Exam trap

The trap here is that candidates often confuse /etc/resolv.conf with /etc/hosts or /etc/nsswitch.conf, thinking that a hostname resolution failure must be due to a missing static entry or a misconfigured lookup order, rather than the fundamental DNS resolver configuration.

How to eliminate wrong answers

Option B is wrong because /etc/sysconfig/network is a Red Hat/CentOS-specific file for setting global network parameters (e.g., hostname, gateway), not for DNS resolver configuration. Option C is wrong because /etc/hosts provides static hostname-to-IP mappings; if it were misconfigured, the user might not reach the server by hostname, but the fact that they can reach it by IP suggests DNS is the issue, not a missing or incorrect static entry. Option D is wrong because /etc/nsswitch.conf controls the order of name service lookups (e.g., 'hosts: files dns'), but a misconfiguration here would affect the lookup order, not the actual DNS resolver configuration; the core problem is the resolver itself, not the order.

406
MCQeasy

A system administrator needs to check the current CPU load and memory usage on a Linux server. Which command should be used to display a dynamic, real-time view of running processes and system resource utilization?

A.uptime
B.top
C.ps aux
D.free -h
AnswerB

'top' displays a dynamic, real-time view of processes and resource usage.

Why this answer

Option B (top) is correct because it provides a dynamic, real-time view of running processes and system resource utilization, including CPU load, memory usage, and process details. It updates continuously by default, making it ideal for monitoring live system performance.

Exam trap

The trap here is that candidates may confuse static commands like ps aux or free -h with the dynamic, real-time requirement, or assume uptime provides process-level detail, when only top (or similar tools like htop) continuously updates process and resource data.

How to eliminate wrong answers

Option A (uptime) is wrong because it only displays how long the system has been running, the number of users, and load averages for 1, 5, and 15 minutes; it does not show a dynamic, real-time view of processes or memory usage. Option C (ps aux) is wrong because it provides a static snapshot of all running processes at the moment of execution, not a continuously updating real-time display. Option D (free -h) is wrong because it shows memory and swap usage in a human-readable format, but it is a static report and does not display running processes or CPU load in real time.

407
MCQhard

An administrator wants to print the last field of each line from a CSV file 'data.csv' (comma-separated). Which awk command accomplishes this?

A.awk -F, '{print $NF}' data.csv
B.cut -d, -f2 data.csv
C.cut -d, -f1 data.csv
D.awk '{print $NF}' data.csv
AnswerA

Correctly sets comma as field separator.

Why this answer

Option A is correct because `awk -F, '{print $NF}' data.csv` sets the field separator to a comma with `-F,`, and `$NF` references the last field (NF is the number of fields, so $NF is the value of the last field). This prints the final column of each line in a CSV file.

Exam trap

The trap here is that candidates often forget to specify the field separator with `-F,` in awk, or they confuse `cut` options (like `-f2` for a specific field instead of `$NF` for the last field), leading them to pick a command that prints a fixed column rather than the last column dynamically.

How to eliminate wrong answers

Option B is wrong because `cut -d, -f2` prints the second field, not the last field. Option C is wrong because `cut -d, -f1` prints the first field, not the last field. Option D is wrong because `awk '{print $NF}'` uses the default field separator (whitespace), not a comma, so it will not correctly parse CSV fields and will likely print the last whitespace-separated token instead of the last comma-separated field.

408
MCQmedium

A network interface eth0 is not receiving an IP address via DHCP. Which command can be used to troubleshoot the DHCP client process?

A.dhclient -v eth0
B.systemctl status dhcpd
C.nmcli dev show eth0
D.dhcpd -t
AnswerA

Runs the DHCP client with verbose output, useful for troubleshooting.

Why this answer

The `dhclient -v eth0` command runs the DHCP client in verbose mode on interface eth0, which is the correct tool to troubleshoot the DHCP client process. It shows detailed messages about the DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK exchange, helping identify where the process fails. This directly addresses the issue of the interface not receiving an IP address via DHCP.

Exam trap

The trap here is confusing the DHCP client process (dhclient) with the DHCP server process (dhcpd), leading candidates to choose options that manage or test the server instead of the client.

How to eliminate wrong answers

Option B is wrong because `systemctl status dhcpd` checks the status of the DHCP server daemon (dhcpd), not the DHCP client process; the client process is managed by dhclient or NetworkManager, not dhcpd. Option C is wrong because `nmcli dev show eth0` displays the current configuration and state of the interface as managed by NetworkManager, but it does not initiate or debug the DHCP client transaction itself. Option D is wrong because `dhcpd -t` tests the syntax of the DHCP server configuration file (typically /etc/dhcp/dhcpd.conf), which is irrelevant to troubleshooting the client-side DHCP process.

409
MCQmedium

Based on the exhibit, a system administrator runs ping to 8.8.8.8 and gets 'Destination Host Unreachable'. What is the most likely cause?

A.The IP address 192.168.10.15 is not configured on eth0.
B.A firewall is blocking ICMP traffic.
C.The gateway 192.168.10.1 is not reachable from this host.
D.The default route is missing.
AnswerC

The ping error indicates the gateway cannot be reached, likely because it's down or not on the same network.

Why this answer

The 'Destination Host Unreachable' message indicates that the host has no route to the destination network or the next-hop gateway is not reachable. Since the ping target is 8.8.8.8 (a public IP), the host must forward traffic to its default gateway. If the gateway 192.168.10.1 is not reachable (e.g., due to a down interface, ARP failure, or missing neighbor entry), the kernel will immediately return this ICMP error without attempting to send the packet.

Exam trap

The trap here is that candidates confuse 'Destination Host Unreachable' (which indicates a local routing or next-hop reachability issue) with 'Request Timed Out' (which typically indicates a remote firewall or network congestion), leading them to incorrectly select a firewall blocking ICMP.

How to eliminate wrong answers

Option A is wrong because the IP address 192.168.10.15 is the source address used for outbound traffic; even if it were not configured on eth0, the ping would fail with a different error (e.g., 'connect: Network is unreachable' or no source IP), not 'Destination Host Unreachable'. Option B is wrong because a firewall blocking ICMP would typically cause a timeout (no response) or 'Request timed out', not an immediate 'Destination Host Unreachable' which is generated by the local host's IP stack, not by a remote firewall. Option D is wrong because if the default route were missing entirely, the host would return 'Network is unreachable' (or 'connect: No route to host') for any off-subnet destination, not 'Destination Host Unreachable' which implies a route exists but the next-hop is unreachable.

410
MCQmedium

A temporary contractor 'contractor1' has left the company. The administrator needs to remove the user account and all associated files in the home directory. Which command accomplishes this?

A.userdel contractor1
B.passwd -d contractor1
C.userdel -r contractor1
D.deluser --remove-home contractor1
AnswerC

Removes the user and their home directory (-r).

Why this answer

userdel -r removes the user and their home directory and mail spool.

411
Multi-Selectmedium

Which two statements are true about systemd socket activation? (Choose two.)

Select 2 answers
A.The socket unit file must have an [Install] section.
B.Socket activation requires the service to be of type 'socket'.
C.The service unit must include 'Sockets=<socket unit>' to bind the service to the socket.
D.A service can be started on demand when a connection arrives on a socket.
E.Socket activation only works with TCP sockets.
AnswersC, D

This directive links the service to the socket unit.

Why this answer

Option C is correct because the service unit must include a 'Sockets=' directive (e.g., 'Sockets=myapp.socket') to explicitly bind the service to the corresponding socket unit. This tells systemd which socket(s) the service should accept connections from when activated. Without this directive, the service will not receive the file descriptors for the socket, and activation will fail.

Exam trap

The trap here is that candidates often confuse the 'Type=' directive in the service unit (e.g., 'Type=socket') with the socket unit's role, leading them to incorrectly select Option B, when in fact the service type is independent of socket activation.

412
MCQeasy

A system administrator notices that a process is consuming 100% CPU and is unresponsive. Which command should be used to immediately stop the process if the PID is 2345?

A.kill -9 2345
B.pkill -9 processname
C.systemctl stop processname
D.kill -15 2345
AnswerA

SIGKILL immediately terminates the process and cannot be caught.

Why this answer

Option A is correct because `kill -9 2345` sends the SIGKILL signal (signal 9) to process ID 2345, which immediately terminates the process without allowing it to clean up or ignore the signal. This is the appropriate action for an unresponsive process consuming 100% CPU, as SIGKILL cannot be caught or blocked by the process.

Exam trap

The trap here is that candidates may choose `kill -15` (SIGTERM) thinking it is safer, but the question explicitly requires immediate stoppage of an unresponsive process, where only SIGKILL guarantees termination.

How to eliminate wrong answers

Option B is wrong because `pkill -9 processname` would require the process name, not the PID, and the question specifies that the PID is known (2345); using `pkill` with a name could accidentally terminate other processes with similar names. Option C is wrong because `systemctl stop processname` is used to manage systemd services, not arbitrary user processes, and it sends SIGTERM (signal 15) which the unresponsive process may ignore. Option D is wrong because `kill -15 2345` sends SIGTERM, which requests graceful termination but can be ignored or blocked by a process that is stuck or unresponsive, making it ineffective for immediate stoppage.

413
MCQhard

Your company has a server that hosts a critical application. The application runs under a service account 'appuser'. Due to a security audit, it was discovered that 'appuser' has a password that never expires, which is against company policy. The policy requires that all user passwords expire after 60 days. Additionally, the application developers have requested that 'appuser' should not be allowed to change its own password via the 'passwd' command to prevent accidental lockouts. You need to enforce password expiry for 'appuser' but also ensure that only root can change its password. Which of the following approaches is the best course of action?

A.Run 'chage -M 60 appuser' and then 'passwd -e appuser' to expire the password immediately.
B.Run 'chage -M 60 -d 0 appuser' and then 'usermod -r appuser' to make it a system account.
C.Run 'chage -M 60 -d 0 appuser' and then 'passwd -l appuser' to lock the password, ensuring that the application uses sudo to run commands as appuser.
D.Run 'chage -M 60 -W 7 appuser' and then modify /etc/shadow to set the password field to '!', and configure the application to use SSH keys for authentication.
AnswerD

Disables password authentication and prevents password changes; SSH keys allow access; password expiry becomes moot.

Why this answer

Option C is the best. By setting the password to '!' in /etc/shadow, password authentication is disabled, and using SSH keys ensures continued access without allowing password changes. Password expiry becomes irrelevant.

Option A: passwd -e is not standard; setting password to expire and allowing user to change it violates the requirement. Option B: usermod -r removes user from system, inappropriate. Option D: locking password with passwd -l prevents any password auth, but then the application must use a different method like sudo, which may be complex; option C is simpler.

414
MCQhard

An admin notices a PV in a VG has failed. The VG is still accessible with redundancy. Which command sequence should be used to replace the faulty PV with a new one (/dev/sde) while the VG is active and without data loss?

A.pvcreate /dev/sde; vgreduce VG_name /dev/sdb; vgextend VG_name /dev/sde; pvmove /dev/sdb
B.pvcreate /dev/sde; pvmove /dev/sdb /dev/sde; vgextend VG_name /dev/sde; vgreduce VG_name /dev/sdb
C.pvcreate /dev/sde; vgextend VG_name /dev/sde; pvmove /dev/sdb /dev/sde; vgreduce VG_name /dev/sdb
D.vgreduce --removemissing VG_name; pvcreate /dev/sde; vgextend VG_name /dev/sde; pvmove /dev/sde
AnswerC

Correct sequence.

Why this answer

Option C is correct because it first creates the new PV on /dev/sde, extends the VG to include it, then uses pvmove to migrate data from the failing PV (/dev/sdb) to the new PV while the VG is active, and finally removes the faulty PV from the VG with vgreduce. This sequence ensures no data loss and maintains VG availability throughout the replacement process.

Exam trap

The trap here is that candidates often try to remove the failed PV first (using vgreduce or vgreduce --removemissing) before adding the new one, not realizing that data must be migrated off the failing PV while it is still in the VG to avoid data loss.

How to eliminate wrong answers

Option A is wrong because it attempts to reduce the VG before moving data off the failing PV, which would cause data loss if the PV still holds logical volumes. Option B is wrong because it tries to pvmove data from /dev/sdb to /dev/sde before /dev/sde is added to the VG, which will fail since pvmove requires both source and target PVs to be members of the same VG. Option D is wrong because it uses vgreduce --removemissing to forcibly remove the failing PV without first migrating its data, leading to data loss, and also attempts pvmove on the new PV (/dev/sde) which has no data to move.

415
MCQmedium

After extending the logical volume, the df output still shows 100G. What is the most likely reason?

A.The filesystem on the logical volume has not been resized.
B.lvresize must be used instead of lvextend.
C.The kernel has not detected the new size; reboot required.
D.The mount point must be remounted with the 'remount' option.
AnswerA

Need to run resize2fs or xfs_growfs.

Why this answer

Option A is correct because `lvextend` only increases the size of the logical volume at the block device level. The filesystem (e.g., ext4, XFS) still sees the original size until it is explicitly resized with a command like `resize2fs` (for ext4) or `xfs_growfs` (for XFS). The `df` command reports filesystem usage, not the underlying block device size, so the filesystem must be grown to match the LV.

Exam trap

The trap here is that candidates assume extending the logical volume automatically resizes the filesystem, but the LFCS exam tests the explicit two-step process: LV extension followed by filesystem resize.

How to eliminate wrong answers

Option B is wrong because `lvresize` and `lvextend` are functionally equivalent for increasing LV size; both require a subsequent filesystem resize. Option C is wrong because the kernel detects the new LV size immediately via device-mapper; no reboot is needed, and `df` still shows the old size only because the filesystem hasn't been resized. Option D is wrong because remounting does not resize the filesystem; it only changes mount options, and the filesystem metadata remains unchanged.

416
MCQmedium

A systems administrator is troubleshooting a server that runs a database application. The server has 64 GB of RAM and 16 CPU cores. The administrator notices that the system is using a significant amount of swap space even though there is plenty of free memory. The 'free -m' command shows: total memory = 65536, used = 50000, free = 15536, buffers/cache = 10000, swap total = 8192, swap used = 6000. Which of the following is the most likely cause?

A.The vm.dirty_ratio and vm.dirty_background_ratio are set too high.
B.The vm.swappiness value is set too high.
C.The database is configured to use huge pages, which are not swappable.
D.The vm.vfs_cache_pressure is set too low.
AnswerB

A high swappiness value (e.g., 100) makes the kernel more likely to swap pages out to disk even when there is free memory available.

Why this answer

Option B is correct because a high vm.swappiness value (default 60) causes the kernel to aggressively swap out anonymous pages even when ample free memory exists. With 15 GB free and 10 GB in buffers/cache, the system should not be using 6 GB of swap unless swappiness is set too high, forcing premature swapping.

Exam trap

Linux Foundation often tests the misconception that swap usage only occurs when memory is full, but the trap here is that vm.swappiness can cause swapping even with abundant free memory, leading candidates to overlook the kernel's proactive swapping behavior.

How to eliminate wrong answers

Option A is wrong because vm.dirty_ratio and vm.dirty_background_ratio control when dirty pages are written to disk, not swap usage; they affect I/O performance, not memory pressure. Option C is wrong because huge pages are locked in memory and not swappable, so they would reduce swap usage, not increase it. Option D is wrong because vm.vfs_cache_pressure controls the tendency to reclaim dentry/inode caches, not anonymous page swapping; a low value would preserve cache, not cause swap usage.

417
MCQhard

An administrator runs 'pwck' and receives an error indicating a user in /etc/passwd has no matching group in /etc/group. What is the most likely cause and the appropriate corrective action?

A.The user's GID in /etc/passwd is invalid; use usermod -g to set a valid group.
B.The user's secondary group in /etc/group is missing; add the user back to the group.
C.The group was deleted with groupdel but the user's primary group in /etc/passwd was not updated; recreate the group.
D.The user's password hash is corrupted; run 'pwconv' to synchronize.
AnswerA

Correct: usermod -g can change the primary group to an existing one.

Why this answer

Option D is correct: the user may belong to a group that was removed; the admin should assign an existing group. Option A is wrong because groupdel does not automatically modify /etc/passwd. Option B is backwards.

Option C is incomplete; verifying password hashes is not directly related.

418
Multi-Selecthard

An administrator wants to find all files larger than 100MB in the /home directory. Which three commands or command sequences achieve this? (Choose three.)

Select 3 answers
A.find /home -type f -size +100M
B.find /home -type f -size +100000000c
C.find /home -type f -size +100MB
D.find /home -type f -size +102400k
E.find /home -type f -size 100M
AnswersA, B, D

Finds files larger than 100 megabytes.

Why this answer

Option A is correct because the `find` command with `-size +100M` matches files larger than 100 megabytes. The `M` suffix is a standard size specifier in GNU find, where `+` means 'greater than' and `M` means mebibytes (1024*1024 bytes). This directly fulfills the requirement to find files larger than 100MB in /home.

Exam trap

The trap here is that candidates confuse the valid `M` suffix with the invalid `MB` suffix, or forget that `+` is required for 'greater than' and mistakenly select the exact-match option.

419
Multi-Selectmedium

Which TWO commands can be used to display the group membership of a user? (Choose two.)

Select 2 answers
A.id -Gn username
B.cat /etc/passwd | grep username
C.id -g username
D.groups username
E.grep username /etc/group
AnswersA, D

Correct: shows all group names.

Why this answer

Options B and D are correct. id -Gn shows all group names for a user. groups also shows all groups. groups <user> is also correct. Option A shows only primary group. Option C shows only groups where user is explicitly listed, missing primary if inherited.

Option E shows group ID only.

420
Multi-Selecthard

Which THREE actions will affect the state of a systemd service that is currently running? (Choose three.)

Select 3 answers
A.systemctl kill myapp.service
B.systemctl reload myapp.service
C.systemctl disable myapp.service
D.systemctl daemon-reload
E.systemctl stop myapp.service
AnswersA, B, E

Sends a signal to the service process.

Why this answer

Option A is correct because `systemctl kill myapp.service` sends a signal (default SIGTERM) to the main process of the running service, which can terminate or alter its state. This directly changes the service from a running state to a stopped or failed state depending on the signal and process behavior.

Exam trap

The trap here is that candidates often confuse `disable` (which only affects future boots) with `stop` (which affects the current runtime state), or think `daemon-reload` immediately impacts running services when it only updates unit definitions for subsequent operations.

421
MCQmedium

An administrator has enabled quotas on the /home filesystem by adding usrquota,grpquota to /etc/fstab and remounting. Then ran quotacheck -cug /home and it completed successfully. However, users are still able to write beyond their assigned soft limits. What step is missing?

A.Setting limits with edquota.
B.Running repquota to view quotas.
C.Setting limits with setquota.
D.Running quotaon to activate quotas.
AnswerD

Correct: quotaon enables quota enforcement after quotacheck.

Why this answer

Option B is correct because quotacheck only creates the quota database files; quotaon must be run to activate enforcement. Option A is for viewing quotas. Options C and D set limits but without quotaon, limits are not enforced.

422
MCQeasy

You are a Linux administrator for a small company. A developer has deployed a web application on a server with IP 192.168.1.50. The application needs to connect to a database server at 10.0.0.100 on TCP port 3306. Both servers are on the same physical network but different subnets (192.168.1.0/24 and 10.0.0.0/24) connected by a router. The default gateway for the app server is 192.168.1.1, and for the DB server is 10.0.0.1. You have verified that the app server can ping the DB server by IP address successfully. However, the application fails to connect to the database. You have used telnet from the app server to test connectivity on port 3306 and it fails (connection refused). On the DB server, you check that the MySQL service is listening on 0.0.0.0:3306 and that the local firewall (firewalld) allows incoming connections on port 3306. What is the most likely cause of the connection failure?

A.The network cable is faulty.
B.The app server's firewall is blocking outgoing connections to port 3306.
C.The router does not have a route to 192.168.1.0/24 from the DB server's subnet, so return packets are dropped.
D.The database service is only listening on the loopback interface (127.0.0.1).
AnswerC

Even though ping works due to ICMP being handled differently, TCP connections require consistent routing. A missing return route would cause TCP SYNs to be sent but ACKs never received, resulting in connection timeout or refused.

Why this answer

The app server can ping the DB server, confirming Layer 3 connectivity, but telnet fails on port 3306, indicating a Layer 4 issue. Since the DB server's MySQL is listening on 0.0.0.0:3306 and firewalld allows the port, the most likely cause is that the router lacks a return route from the 10.0.0.0/24 subnet to the 192.168.1.0/24 subnet, causing return packets from the DB server to be dropped. This asymmetric routing prevents the TCP handshake from completing, even though ICMP (ping) may work if the router forwards it differently.

Exam trap

The trap here is that candidates assume a successful ping implies full IP connectivity, but ICMP and TCP may be routed differently; the exam tests whether you understand that TCP requires symmetric routing for the handshake to complete, and a missing return route can cause a 'connection refused' even when the service is up and firewalls are open.

How to eliminate wrong answers

Option A is wrong because a faulty network cable would cause ping to fail, but ping succeeds, so physical connectivity is intact. Option B is wrong because the app server's firewall blocking outgoing connections would not cause a 'connection refused' from telnet; it would instead result in a timeout or no route to host, and the question states the local firewall on the DB server is already configured to allow port 3306. Option D is wrong because the MySQL service is explicitly listening on 0.0.0.0:3306 (all interfaces), not just 127.0.0.1, so it is reachable from external IPs.

423
MCQhard

Refer to the exhibit. An administrator attempts to mount all filesystems using mount -a, but it fails. The error message indicates that UUID=jkl012 is not found. Which of the following is the most likely cause?

A.The swap partition is not formatted or missing.
B.The /dev/mapper/vg_data-lv_data device does not exist.
C.The NFS share is unreachable.
D.The /home filesystem type is incorrect.
AnswerA

Correct cause.

Why this answer

The error 'UUID=jkl012 not found' indicates that the system cannot locate a device with that UUID. Since the swap partition is typically referenced by UUID in /etc/fstab and is not required for normal filesystem mounting, a missing or unformatted swap partition would cause mount -a to fail when it tries to mount the swap entry. This is the most likely cause because swap is often the only filesystem that can be missing without affecting other mounts, yet mount -a processes all entries including swap.

Exam trap

Linux Foundation often tests the misconception that mount -a only mounts regular filesystems, when in fact it also processes swap entries, so candidates overlook swap as the cause of a UUID error.

How to eliminate wrong answers

Option B is wrong because if /dev/mapper/vg_data-lv_data did not exist, the error would likely reference that device path or a 'special device does not exist' message, not a UUID mismatch. Option C is wrong because an unreachable NFS share would produce a timeout or 'mount.nfs: Connection refused' error, not a UUID not found error. Option D is wrong because an incorrect filesystem type for /home would produce a 'wrong fs type, bad option, bad superblock' error, not a UUID lookup failure.

424
MCQhard

A server with multiple network interfaces has intermittent connectivity issues. The administrator suspects routing table misconfiguration. Which command would show the current routing table?

A.All of the above
B.ip route show
C.netstat -r
D.route -n
AnswerA

All three commands display the routing table.

Why this answer

Option A is correct because all three commands—`ip route show`, `netstat -r`, and `route -n`—display the kernel's IPv4 routing table on a Linux system. `ip route show` is the modern iproute2 tool, `netstat -r` reads from /proc/net/route, and `route -n` shows the table in numeric format. Since each command provides the same core routing information, any of them would allow the administrator to diagnose the routing table misconfiguration.

Exam trap

The trap here is that candidates often think only one command is correct (e.g., `ip route show` because it's modern), but the LFCS exam expects you to recognize that multiple legacy and modern tools can achieve the same task, making 'All of the above' the correct answer when all listed options are valid.

How to eliminate wrong answers

Option B is wrong because it is not incorrect—`ip route show` is a valid command that displays the routing table, but it is only one of the correct options, not the sole answer. Option C is wrong because `netstat -r` is a valid command that shows the routing table, but it is not the only correct choice. Option D is wrong because `route -n` is a valid command that displays the routing table without resolving hostnames, but it is also not the only correct choice.

The question asks for 'which command would show the current routing table,' and all three are equally valid, making 'All of the above' the comprehensive answer.

425
MCQmedium

You are managing a Linux server that hosts a shared project directory /projects/alpha, owned by the group 'alpha' (GID 2001). The directory has permissions 2770 (setgid, rwx for owner and group, no access for others). User 'jane' (UID 1501) has a primary group 'staff' (GID 1001) and is not in the 'alpha' group. She reports being unable to list or modify files in /projects/alpha. You need to give her access as a member of the 'alpha' group without changing her primary group. Which command sequence should you use?

A.usermod -aG alpha jane; usermod -G '' jane; usermod -aG alpha jane
B.usermod -aG alpha jane
C.usermod -g alpha jane
D.usermod -G alpha jane
AnswerB

This correctly adds Jane to the supplementary group 'alpha' without affecting her existing supplementary groups, and preserves her primary group.

Why this answer

Option C is correct because usermod -aG alpha jane adds Jane to the supplementary group 'alpha' without removing her from other supplementary groups, and the -a flag is essential to avoid overwriting existing supplementary group memberships. The setgid bit on the directory ensures new files inherit group ownership. Option A fails because it changes her primary group, which may break other permissions.

Option B clears all supplementary groups before adding alpha. Option D uses -G without -a, which would replace all supplementary groups with just alpha.

426
Multi-Selectmedium

Which TWO commands can be used to view the last 10 lines of a file and also follow new lines as they are written?

Select 2 answers
A.tail -f -n 10
B.cat -n
C.tail -n 10
D.head -n 10
E.less +F
AnswersA, E

Shows last 10 lines and follows.

Why this answer

Option A is correct because `tail -f -n 10` displays the last 10 lines of a file and then follows new lines as they are appended, using the `-f` (follow) flag. This is the standard way to monitor a log file in real time while initially showing the most recent 10 lines.

Exam trap

Linux Foundation often tests the distinction between `tail -n 10` (static view) and `tail -f -n 10` (dynamic follow), and candidates may overlook the `-f` flag or confuse `head` with `tail`.

427
MCQmedium

Based on the exhibit, which process is using the most physical memory (RES)?

A.mysqld (PID 9101)
B.Not determinable from exhibit
C.nginx (PID 5678)
D.systemd (PID 1234)
AnswerA

RES is 102456, the highest among listed processes.

Why this answer

The exhibit shows the output of the `top` command, where the RES column indicates the resident memory (physical RAM) used by each process. mysqld (PID 9101) has a RES value of 2.5g, which is significantly higher than nginx (PID 5678) with 128m and systemd (PID 1234) with 48m, making it the process using the most physical memory.

Exam trap

The trap here is that candidates may confuse the VIRT (virtual memory) column with RES, or assume that a process with a higher PID or name familiarity uses more memory, rather than reading the RES values directly from the exhibit.

How to eliminate wrong answers

Option B is wrong because the exhibit clearly displays the RES column for each process, allowing direct comparison of physical memory usage. Option C is wrong because nginx (PID 5678) shows only 128m in the RES column, which is far less than mysqld's 2.5g. Option D is wrong because systemd (PID 1234) has only 48m in the RES column, the smallest value among the listed processes.

428
MCQmedium

You administer a Linux server that acts as a network gateway. It has two network interfaces: eth0 (external, with IP 203.0.113.10/24, gateway 203.0.113.1) and eth1 (internal, with IP 192.168.1.1/24). The server is running firewalld and has IP forwarding enabled. Internal hosts (192.168.1.0/24) can access the internet through NAT, which is configured using firewalld's masquerade on the external zone. However, you need to allow a specific internal server (192.168.1.100) to be reachable from the internet on TCP port 443 (HTTPS). You add a port forwarding rule using firewall-cmd: 'firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toport=443:toaddr=192.168.1.100'. After reloading the firewall, external users still cannot connect to 203.0.113.10:443. You verify that the internal server is running HTTPS and that its local firewall allows port 443. What is the most likely reason the port forwarding is not working?

A.The port forwarding rule should be added to the internal zone instead of the external zone.
B.The internal server has a different default gateway.
C.The rule needs to include masquerade for the destination address; use a rich rule with 'masquerade'.
D.IP forwarding is not enabled on the system.
AnswerC

In firewalld, simple port forwarding often does not work without masquerade on the external zone. A rich rule with 'masquerade' is required, e.g., 'firewall-cmd --add-rich-rule="rule family=ipv4 destination address=203.0.113.10 forward-port port=443 protocol=tcp to-port=443 to-addr=192.168.1.100"' which implicitly uses masquerade? Actually standard practice is to use a rich rule. Option C is the best answer.

Why this answer

Option C is correct because a simple port forward rule in firewalld does not automatically rewrite the source IP address for return traffic. Without masquerade on the forwarded traffic, the internal server sees the original external source IP and sends its response directly to that IP, bypassing the gateway. Adding a rich rule with 'masquerade' for the destination address ensures that the gateway performs SNAT on the forwarded packets, so the internal server sees the gateway as the source and returns traffic through it.

Exam trap

The trap here is that candidates assume a port forward rule alone is sufficient for bidirectional communication, overlooking the need for source NAT (masquerade) on the forwarded traffic to ensure proper return path routing.

How to eliminate wrong answers

Option A is wrong because port forwarding for externally initiated connections must be placed in the zone associated with the incoming interface (external), not the internal zone; the internal zone handles traffic from the internal network. Option B is wrong because the internal server's default gateway is irrelevant for inbound connections that are forwarded by the gateway; the server only needs to respond to the gateway's IP (192.168.1.1) for the return path to work. Option D is wrong because the question states that IP forwarding is enabled and internal hosts already access the internet through NAT, confirming that forwarding is active.

429
MCQhard

An administrator needs to set up a shared directory /project for the group 'projectteam' (GID 5000). All members of the group should be able to create and delete files, but only the file owner can modify their own files. The directory should also ensure that new files inherit the group ownership. Which set of commands achieves this?

A.chown root:projectteam /project; chmod 2775 /project; setfacl -m g:projectteam:rwx /project
B.chown root:projectteam /project; chmod 2770 /project; setfacl -d -m o::--- /project
C.chown root:projectteam /project; chmod 2775 /project
D.chown root:projectteam /project; chmod 1770 /project; setfacl -m m::rwx /project
AnswerB

SGID (2) inherits group; 770 gives group rwx; default ACL denies others.

Why this answer

Option B is correct because it sets the SGID bit (2770) so new files inherit the group 'projectteam', grants rwx to the group, and uses a default ACL with `setfacl -d -m o::---` to remove 'other' permissions, ensuring only the file owner can modify their own files while group members can create/delete but not modify others' files.

Exam trap

Linux Foundation often tests the distinction between SGID (2xxx) and sticky bit (1xxx), and candidates confuse them, thinking the sticky bit ensures group inheritance, or they overlook that removing 'other' permissions is necessary to prevent unauthorized access.

How to eliminate wrong answers

Option A is wrong because the SGID bit (2) is set but the default ACL `-m g:projectteam:rwx` is redundant and doesn't restrict 'other' permissions, allowing non-group users to read files. Option C is wrong because it only sets SGID and 2775, which gives 'other' read/execute access, violating the requirement that only group members can create/delete files. Option D is wrong because 1770 sets the sticky bit instead of SGID, so new files don't inherit group ownership, and `setfacl -m m::rwx` sets a mask but doesn't enforce owner-only modification or remove 'other' permissions.

430
MCQmedium

A server needs to forward packets between two networks: 10.0.1.0/24 on eth0 and 10.0.2.0/24 on eth1. Which sysctl parameter must be enabled?

A.net.ipv4.conf.all.rp_filter = 1
B.net.ipv4.ip_forward = 1
C.net.ipv4.conf.all.accept_source_route = 1
D.net.ipv4.conf.all.send_redirects = 0
AnswerB

This enables IP forwarding between interfaces.

Why this answer

Option B is correct because enabling `net.ipv4.ip_forward = 1` allows the Linux kernel to forward IP packets between network interfaces, which is required for a server to route traffic between the 10.0.1.0/24 and 10.0.2.0/24 subnets. Without this parameter, the kernel drops any packet not destined for the local system, preventing inter-network communication.

Exam trap

The trap here is that candidates often confuse security-related sysctl parameters (like rp_filter or send_redirects) with the actual forwarding control, or mistakenly think that enabling source route acceptance is needed for routing between subnets.

How to eliminate wrong answers

Option A is wrong because `net.ipv4.conf.all.rp_filter = 1` enables reverse path filtering, which helps prevent IP spoofing by dropping packets that arrive on an interface that is not the best route back to the source; it does not enable packet forwarding. Option C is wrong because `net.ipv4.conf.all.accept_source_route = 1` allows the system to process IPv4 source-routed packets, a security risk that is unrelated to forwarding between networks. Option D is wrong because `net.ipv4.conf.all.send_redirects = 0` disables the sending of ICMP redirect messages, which is a security hardening measure but does not enable or disable packet forwarding.

431
Multi-Selecthard

Which THREE of the following commands can be used to search for a string in multiple files and display the matching lines?

Select 3 answers
A.find /path -name '*.txt' -type f
B.ack 'pattern' /path
C.grep -r 'pattern' /path
D.rg 'pattern' /path
E.sort /path/file
AnswersB, C, D

Similar to grep, recursive.

Why this answer

Option B is correct because `ack` is a Perl-based grep replacement that recursively searches for a pattern in files under a given path, displaying matching lines by default. It is designed for source code and text files, making it a valid tool for this task.

Exam trap

The trap here is that candidates may confuse file-location commands like `find` with content-search commands, or assume that `sort` can filter lines based on a pattern, when it only reorders lines.

432
MCQeasy

Refer to the exhibit. The /data directory needs to be resized to 15GB. What is the first step?

A.Unmount the filesystem.
B.Resize the partition using fdisk.
C.Create a new partition and copy data.
D.Resize the filesystem using resize2fs.
AnswerA

Unmounting is necessary before any resize operation.

Why this answer

The first step to resize a filesystem is to unmount it, because most filesystem resizing tools (such as resize2fs for ext4) require the filesystem to be unmounted to safely modify the underlying block device without risking data corruption. Attempting to resize a mounted filesystem can lead to inconsistent metadata and data loss. Unmounting ensures no processes are actively writing to the filesystem during the resize operation.

Exam trap

Linux Foundation often tests the misconception that you can resize the filesystem first with resize2fs while it is still mounted, but the correct sequence always begins with unmounting to ensure data integrity.

How to eliminate wrong answers

Option B is wrong because resizing the partition using fdisk is a later step that must be performed after unmounting the filesystem, and fdisk operates on the partition table, not the filesystem itself. Option C is wrong because creating a new partition and copying data is an unnecessarily complex and risky approach that is not required when the existing partition can be resized. Option D is wrong because resize2fs cannot be safely run on a mounted filesystem (unless the filesystem supports online resizing, which is not assumed here), and the question asks for the first step, which must be unmounting before any resizing tool is used.

433
MCQhard

An administrator wants to limit the CPU usage of a service to at most 50% of a single CPU core. Which directive should be set in the [Service] section of the unit file?

A.CPUQuota=50%
B.CPUAccounting=true
C.CPUWeight=100
D.CPUShares=512
AnswerA

Sets a hard limit of 50% CPU time.

Why this answer

Option A is correct because `CPUQuota=` is the systemd directive that limits the CPU time a service can use, expressed as a percentage of a single CPU core. Setting `CPUQuota=50%` restricts the service to at most 50% of one core's time, effectively capping its CPU usage to half a core.

Exam trap

The trap here is that candidates often confuse relative CPU shares (like `CPUWeight` or `CPUShares`) with absolute CPU limits (`CPUQuota`), or mistakenly think `CPUAccounting=true` alone restricts CPU usage.

How to eliminate wrong answers

Option B is wrong because `CPUAccounting=true` enables CPU usage tracking and accounting for the unit, but it does not impose any limit on CPU usage. Option C is wrong because `CPUWeight=100` sets the relative weight for CPU time distribution among competing services under the CFS scheduler, not a hard limit. Option D is wrong because `CPUShares=512` is a legacy cgroup v1 parameter that also controls relative CPU share, not an absolute cap, and is deprecated in favor of `CPUWeight` in cgroup v2.

434
Multi-Selecthard

Which TWO commands can be used to change the ownership of a file to a specific user and group? (Select two.)

Select 2 answers
A.chown alice:staff file.txt
B.chmod 755 file.txt
C.chgrp staff file.txt
D.usermod -G staff alice
E.passwd alice
AnswersA, C

Changes user to alice and group to staff.

Why this answer

Option A is correct because the `chown` command with the syntax `chown alice:staff file.txt` directly changes both the user owner to `alice` and the group owner to `staff` in a single operation. This is the standard and most direct method for changing file ownership in Linux.

Exam trap

The trap here is that candidates often confuse `chmod` (permissions) with `chown` (ownership), or think that modifying a user's group membership with `usermod` will automatically change file ownership, which it does not.

435
Drag & Dropmedium

Order the steps to configure a static IP address on a CentOS/RHEL 7 system using ifcfg files.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Static IP configuration requires editing the ifcfg file, restarting network, and verification.

436
Matchingmedium

Match each logical volume management (LVM) term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

A disk or partition used by LVM

Pool of physical volumes

Virtual block device created from a volume group

Smallest allocatable unit in a physical volume

Maps to a physical extent in a logical volume

Why these pairings

These are core LVM concepts.

437
Multi-Selecteasy

Which TWO commands are used to modify user account attributes such as password age, expiration, or lock status? (Choose two.)

Select 2 answers
A.chage
B.useradd
C.chsh
D.usermod
E.passwd
AnswersA, D

Used for password aging and account expiration.

Why this answer

Options A and D are correct. chage is used for password aging. usermod can lock/unlock accounts (-L/-U) and set account expiration (-e). Option B (passwd) is used to change password, but not to set expiration directly (though -x can set max days). Option C (chsh) changes shell.

Option E (useradd) creates users, not modify existing.

438
Multi-Selectmedium

Which two statements are true about LVM snapshots? (Choose two.)

Select 2 answers
A.Snapshots require the same amount of space as the original volume.
B.Snapshots are read-only by default.
C.Snapshots use copy-on-write technology.
D.Snapshots can be used to restore the original volume.
E.Snapshots are only supported on ext4 filesystems.
AnswersC, D

COW ensures original data is preserved until overwritten, then copied to snapshot.

Why this answer

Option C is correct because LVM snapshots use copy-on-write (COW) technology, which means that only the data blocks that are changed after the snapshot is created are copied to the snapshot volume. This makes snapshots space-efficient, as they do not duplicate the entire original volume at creation time.

Exam trap

The trap here is that candidates often assume snapshots are read-only (like many other snapshot implementations) or that they require full duplication of the source volume, but LVM snapshots are read-write by default and use copy-on-write to minimize space usage.

439
MCQhard

A Linux server experiences intermittent high load averages but low CPU utilization. The administrator suspects an I/O bottleneck. Which command best identifies the specific device causing the bottleneck?

A.sar -d 1
B.vmstat 1
C.top -d 1
D.iostat -x 1
AnswerD

Shows extended I/O stats per device, identifying bottlenecks.

Why this answer

Option D is correct because `iostat -x 1` provides extended device statistics, including `%util`, `await`, and `svctm`, which directly indicate the specific block device causing an I/O bottleneck. The `-x` flag reports per-device metrics like average I/O queue size and service time, making it the precise tool to identify a slow or overloaded disk under high load with low CPU usage.

Exam trap

The trap here is that candidates see high `wa` in `vmstat` or `top` and assume those tools are sufficient to identify the I/O bottleneck, but they lack per-device granularity, which `iostat -x` uniquely provides.

How to eliminate wrong answers

Option A is wrong because `sar -d 1` reports historical disk activity but requires the `sysstat` package and typically shows aggregate data without the per-device granularity and extended metrics (like `%util`) needed to pinpoint the specific bottleneck device in real time. Option B is wrong because `vmstat 1` shows system-wide I/O statistics (bi/bo) and CPU wait time (`wa`), but it does not break down I/O by individual device, so it cannot identify which specific disk is causing the bottleneck. Option C is wrong because `top -d 1` displays process-level CPU and memory usage, not per-device I/O statistics; while it can show high `wa` CPU, it cannot isolate the specific block device responsible.

440
Multi-Selecteasy

A system administrator needs to check the firewall rules on a Linux server using firewalld. Which two commands can be used to list the current rules? (Choose two.)

Select 2 answers
A.systemctl status firewalld
B.iptables -S
C.iptables -L
D.firewall-cmd --list-all-zones
E.firewall-cmd --list-all
AnswersD, E

Lists rules for all zones.

Why this answer

Option D is correct because `firewall-cmd --list-all-zones` displays the firewall rules for all zones configured in firewalld, showing services, ports, and rules per zone. Option E is correct because `firewall-cmd --list-all` lists the rules for the default zone, providing a concise view of active firewall configuration. Both commands are native to firewalld and directly query its runtime and permanent rules via D-Bus.

Exam trap

The trap here is that candidates confuse legacy iptables commands with firewalld's native tools, assuming `iptables -L` or `-S` are equivalent to listing firewalld rules, when in fact they bypass firewalld's zone abstraction and may not reflect the current dynamic configuration.

441
MCQmedium

Scenario: You are managing a Linux server that hosts a web application. The application runs under the user 'webapp' and the group 'webgroup'. Recently, a new intern 'john' (username 'john') needs to be able to view and modify files in /var/www/html, which is owned by root:webgroup with permissions 775. John is currently a member of the group 'staff', but not 'webgroup'. The security policy requires that John must be able to edit files without using sudo, and his primary group must remain 'staff'. Which of the following actions should you take to meet the requirements?

A.Add John to the 'webgroup' supplementary group with 'usermod -a -G webgroup john'.
B.Change the group ownership of /var/www/html to 'staff' and set the setgid bit.
C.Change John's primary group to 'webgroup' with 'usermod -g webgroup john'.
D.Set the setgid bit on /var/www/html with 'chmod g+s /var/www/html'.
AnswerA

Correct: John gains the group permissions of webgroup, allowing read/write access to the directory, while his primary group remains 'staff'.

Why this answer

Option A is correct because adding John to the 'webgroup' supplementary group with `usermod -a -G webgroup john` grants him group-level access to /var/www/html (owned by root:webgroup with permissions 775) without changing his primary group 'staff'. This allows him to view and modify files as a member of 'webgroup', satisfying the security policy that he must not use sudo and his primary group must remain unchanged.

Exam trap

The trap here is that candidates may confuse the setgid bit (Option D) with granting group membership, or incorrectly assume that changing the primary group (Option C) is acceptable despite the explicit requirement to keep it as 'staff'.

How to eliminate wrong answers

Option B is wrong because changing the group ownership of /var/www/html to 'staff' would grant access to all members of 'staff', which violates the principle of least privilege and does not specifically give John access as a member of 'webgroup'. Option C is wrong because changing John's primary group to 'webgroup' with `usermod -g webgroup john` would violate the requirement that his primary group must remain 'staff'. Option D is wrong because setting the setgid bit on /var/www/html with `chmod g+s /var/www/html` only ensures new files inherit the group ownership of the directory, but does not grant John membership in 'webgroup' or access to the directory itself.

442
MCQhard

A database administrator wants to compress a large directory of log files for archival. The administrator uses the command: tar -cvf logs.tar.gz logs/. The command completes successfully but the resulting archive is only 10 MB while the original directory is 100 MB. What is the most likely reason?

A.The 'tar' command used relative paths and missed some files.
B.The logs directory contains many small files, causing high tar overhead.
C.The 'z' flag was omitted, so the archive is not compressed.
D.The log files are already compressed individually.
AnswerC

Without the -z option, tar creates an uncompressed archive; the .gz extension is misleading.

Why this answer

Option C is correct because the command `tar -cvf logs.tar.gz logs/` does not include the `-z` flag, which is required to invoke gzip compression. Without `-z`, `tar` creates an uncompressed archive, and the `.gz` extension is misleading—the file is actually a plain tar archive. The resulting 10 MB size is simply the tarred version of the logs directory, not a compressed one, which explains why it is much smaller than the original 100 MB of uncompressed files.

Exam trap

The trap here is that candidates see the `.tar.gz` extension and assume compression is automatically applied, but the `-z` flag must be explicitly provided; Linux Foundation often tests this exact nuance to catch those who overlook the flag syntax.

How to eliminate wrong answers

Option A is wrong because `tar` with the `-c` flag archives the entire directory tree; relative paths do not cause files to be missed unless the path is incorrect, and the command completed successfully with no errors. Option B is wrong because many small files would increase tar overhead (metadata), making the archive larger, not smaller—this would not reduce the size from 100 MB to 10 MB. Option D is wrong because if the log files were already compressed individually, the tar archive would still be roughly the same size as the original (since compression is already applied), not 90% smaller; the dramatic size reduction indicates the archive is uncompressed and simply lacks the original file data overhead.

443
Multi-Selecthard

Which THREE files or directories are commonly used to configure network interfaces on a RHEL/CentOS system?

Select 3 answers
A./etc/rc.d/rc.local
B./etc/resolv.conf
C./etc/sysconfig/network
D./etc/sysconfig/network-scripts/
E./etc/nsswitch.conf
AnswersB, C, D

This file configures DNS resolver settings.

Why this answer

Option B is correct because /etc/resolv.conf is the primary configuration file for DNS resolver settings on RHEL/CentOS systems. It specifies the nameserver IP addresses, search domains, and resolver options used by the system's glibc resolver library to perform DNS lookups. Without this file, domain name resolution will fail, making it essential for network interface configuration.

Exam trap

The trap here is that candidates often confuse /etc/resolv.conf as a static configuration file, but on modern systems it is frequently auto-generated by NetworkManager or dhclient, leading to the misconception that it is not a 'commonly used' configuration file for network interfaces.

444
MCQhard

A storage administrator is troubleshooting a system where a new SCSI disk is detected by the kernel but not visible in /dev/disk/by-id/. What is the most likely cause?

A.The device mapper target is not set for the disk.
B.The disk does not have a valid partition table.
C.The scsi_mod kernel module is not loaded.
D.The udev daemon has not processed the device yet; run 'udevadm trigger' to generate links.
AnswerD

udev creates symbolic links; if not triggered, links may not appear immediately.

Why this answer

Option C is correct: udev rules may not have been applied yet, so symbolic links are missing. Option A is wrong because the SCSI driver is already loaded (detected). Option B is wrong because the disk is detected.

Option D is wrong because the device mapper does not affect /dev/disk/by-id/.

445
Multi-Selectmedium

Which TWO commands can change a user's primary group?

Select 2 answers
A.groupdel groupname
B.groupmod -g newGID groupname
C.usermod -g groupname username
D.usermod -G groupname username
E.useradd -g groupname username
AnswersB, C

Changing a group's GID updates the GID in /etc/passwd for users whose primary group is that group.

Why this answer

Options A and D are correct. usermod -g changes the primary group for existing user. groupmod -g changes the GID of a group, but if that group is the primary group of a user, the user's primary GID changes accordingly. Option B changes supplementary groups. Option C deletes group.

Option E adds a new user with specified primary group.

446
Multi-Selectmedium

Which TWO commands can be used to create a new physical volume for use with LVM? (Choose two.)

Select 2 answers
A.mkfs.ext4 /dev/sdb1
B.pvresize /dev/sdb1
C.pvcreate /dev/sdb1
D.fdisk /dev/sdb (then set type to 8e)
E.pvdisplay /dev/sdb1
AnswersC, D

pvcreate directly initializes a physical volume.

Why this answer

Option C is correct because `pvcreate /dev/sdb1` initializes a block device (or partition) as a physical volume (PV) for LVM, writing LVM metadata to the device. This is the standard command to create a new PV, making it available for inclusion in a volume group.

Exam trap

The trap here is that candidates may confuse filesystem creation (`mkfs`) with LVM physical volume creation, or mistake query commands (`pvdisplay`) or resize commands (`pvresize`) for creation commands, leading them to select incorrect options that do not actually initialize a new PV.

447
Multi-Selectmedium

Which TWO commands can be used to check and repair an ext4 file system that is mounted as /data? (Choose two.)

Select 2 answers
A.tune2fs /dev/sdb1
B.e2fsck -fy /dev/sdb1
C.xfs_repair /dev/sdb1
D.fsck -f /dev/sdb1
E.resize2fs /dev/sdb1
AnswersB, D

e2fsck is the ext2/3/4 filesystem checker; -fy forces check and auto-repairs.

Why this answer

Options B and D are correct. fsck with -f forces a check even if clean; e2fsck is specific to ext2/3/4. Option A is incorrect because tune2fs does not check/repair. Option C is wrong because xfs_repair is for XFS.

Option E is wrong because resize2fs resizes, not repairs.

448
Multi-Selectmedium

An administrator is configuring LVM and wants to display information about physical volumes, volume groups, and logical volumes. Which two commands provide this information? (Choose two.)

Select 2 answers
A.pvscan, vgscan, lvscan
B.pvck, vgck, lvck
C.pvcreate, vgcreate, lvcreate
D.pvdisplay, vgdisplay, lvdisplay
E.pvs, vgs, lvs
AnswersD, E

Provide detailed information.

Why this answer

Options D and E are correct because both `pvdisplay`, `vgdisplay`, `lvdisplay` (option D) and `pvs`, `vgs`, `lvs` (option E) are standard LVM commands that display detailed or summary information about physical volumes, volume groups, and logical volumes, respectively. Option D provides verbose output with attributes like PE size, allocation policies, and device paths, while option E offers a compact, customizable tabular view ideal for scripting or quick inspection.

Exam trap

The trap here is that candidates often confuse the 'scan' commands (option A) with 'display' commands, assuming that scanning also shows detailed information, when in fact `pvscan` only lists discovered PVs without showing attributes like PE size or free space.

449
MCQmedium

A system administrator is troubleshooting a server that fails to mount an XFS filesystem on /dev/sdb1 during boot. The filesystem was recently created. Which command should the administrator run to check the filesystem for corruption?

A.fsck.ext4 /dev/sdb1
B.xfs_check /dev/sdb1
C.xfs_repair /dev/sdb1
D.xfs_admin /dev/sdb1
AnswerC

xfs_repair is the tool for checking and repairing XFS filesystems.

Why this answer

Option B is correct because xfs_repair is the appropriate tool for repairing XFS filesystems. Option A is wrong because fsck.ext4 is for ext4 filesystems, not XFS. Option C is wrong because xfs_check is deprecated and not recommended; it has been replaced by xfs_repair.

Option D is wrong because xfs_admin is used for tuning parameters, not checking for corruption.

450
MCQeasy

A system administrator needs to find all files in /var/log that have been modified in the last 7 days. Which command accomplishes this?

A.find /var/log -mtime +7
B.find /var/log -mtime 7
C.find /var/log -mtime -7
D.find /var/log -atime -7
AnswerC

Correctly lists files modified less than 7 days ago.

Why this answer

Option C is correct because the `-mtime -7` option in the `find` command matches files whose content was modified less than 7 days ago (i.e., within the last 7 days). The minus sign before the number indicates 'less than' or 'within the last N days', which is exactly what the system administrator needs to find files modified in the last 7 days.

Exam trap

The trap here is confusing the meaning of the `+` and `-` prefixes with `-mtime`; candidates often mistakenly think `+7` means 'within the last 7 days' when it actually means 'older than 7 days'.

How to eliminate wrong answers

Option A is wrong because `-mtime +7` matches files modified more than 7 days ago (i.e., older than 7 days), which is the opposite of what is required. Option B is wrong because `-mtime 7` matches files modified exactly 7 days ago (i.e., between 6 and 7 days ago), not within the last 7 days. Option D is wrong because `-atime -7` matches files accessed (read) in the last 7 days, not modified; the `-atime` flag checks access time, not modification time.

Page 5

Page 6 of 7

Page 7

All pages