CCNA Essential Commands Questions

75 of 99 questions · Page 1/2 · Essential Commands · Answers revealed

1
MCQeasy

A user wants to find all files in /var/log that have been modified within the last 2 days. Which command should they use?

A.find /var/log -mtime -2
B.find /var/log -mmin -2880
C.find /var/log -mtime +2
D.find /var/log -mtime 2
AnswerA

Finds files modified less than 2 days ago.

Why this answer

Option A is correct because the `find` command with `-mtime -2` searches for files whose content was last modified less than 2 days ago (i.e., within the last 48 hours). The minus sign before the number indicates 'less than' or 'within the last N days', which matches the user's requirement to find files modified within the last 2 days.

Exam trap

The trap here is that candidates often confuse the meaning of the plus (+) and minus (-) signs with `-mtime`, mistakenly thinking `+2` means 'within the last 2 days' or that `-mtime 2` (without sign) means 'within 2 days', when in fact the signs control the direction of the time comparison.

How to eliminate wrong answers

Option B is wrong because `-mmin -2880` would find files modified within the last 2880 minutes (which is exactly 2 days), but the question asks for files modified within the last 2 days, not exactly 2 days ago; however, the more precise issue is that `-mmin` counts minutes, not days, and while 2880 minutes equals 2 days, the command would work but is not the standard or expected answer for this context. Option C is wrong because `-mtime +2` finds files modified more than 2 days ago (greater than 48 hours), which is the opposite of what is needed. Option D is wrong because `-mtime 2` (without a plus or minus sign) finds files modified exactly 2 days ago (i.e., between 48 and 72 hours ago), not within the last 2 days.

2
Multi-Selectmedium

Which THREE of the following statements about Linux file permissions are correct?

Select 3 answers
A.The command 'chmod a+w file' removes write permission for all.
B.The command 'chmod 400 secret.txt' sets read-only permission for the owner only.
C.The command 'chmod 755 file' sets permissions to rwxr-xr-x.
D.The command 'chmod u+x script.sh' adds execute permission for the owner.
E.The command 'chmod 644 file' sets permissions to rw-rw-rw-.
AnswersB, C, D

400 is r-------- (owner read only).

Why this answer

Option B is correct because the numeric permission mode 400 corresponds to read (4) for the owner, with no permissions for the group or others (0 and 0). This sets the file's permissions to r--------, meaning only the owner can read the file, and no one can write or execute it.

Exam trap

The trap here is that candidates often confuse the numeric permission values (e.g., thinking 644 gives rw-rw-rw- instead of rw-r--r--) or misinterpret the symbolic mode syntax, such as assuming 'a+w' removes write permission when it actually adds it.

3
MCQhard

A DevOps engineer wants to list all running processes sorted by memory usage in descending order. Which command should be used?

A.ps aux --sort=-%mem
B.ps aux --sort=%mem
C.ps aux --sort=+mem
D.ps aux --sort=-%cpu
AnswerA

Sorts by memory in descending order.

Why this answer

Option A is correct because `ps aux` lists all running processes, and `--sort=-%mem` sorts them by memory usage in descending order (the minus sign indicates descending). This is the standard way to identify memory-heavy processes for troubleshooting or resource monitoring.

Exam trap

The trap here is that candidates often confuse `%mem` with `mem` or `%cpu` with `%mem`, and may overlook the minus sign for descending order, leading them to pick ascending sort options or the wrong resource metric.

How to eliminate wrong answers

Option B is wrong because `--sort=%mem` sorts by memory usage in ascending order (lowest first), not descending as required. Option C is wrong because `--sort=+mem` uses an invalid sort key; the correct key is `%mem` (with percent sign), and the plus sign is redundant but would still sort ascending if the key were valid. Option D is wrong because `--sort=-%cpu` sorts by CPU usage descending, not memory usage, which does not meet the requirement.

4
Multi-Selectmedium

Which THREE of the following commands can be used to view the contents of a compressed file named 'file.gz' without permanently decompressing it? (Choose exactly three.)

Select 3 answers
A.gzip file.gz
B.zmore file.gz
C.gunzip file.gz
D.zcat file.gz
E.zless file.gz
AnswersB, D, E

Correct: displays with more.

Why this answer

Option B is correct because `zmore` is a utility that allows you to view the contents of a compressed file (such as `file.gz`) page by page without permanently decompressing it. It internally decompresses the file on the fly and pipes the output through `more`, making it ideal for inspecting large compressed files without modifying the original archive.

Exam trap

The trap here is that candidates mistakenly think `gunzip` or `gzip` can be used to view file contents without permanent decompression, confusing compression/decompression commands with viewing utilities like `zcat`, `zmore`, and `zless`.

5
Multi-Selecteasy

Which TWO commands can display the current environment variables?

Select 2 answers
A.set
B.echo $HOME
C.env
D.export
E.printenv
AnswersC, E

env displays all environment variables.

Why this answer

The `env` command (option C) is correct because it displays all current environment variables along with their values. It is a standard Unix/Linux command specifically designed for this purpose, and it is commonly used in scripting and troubleshooting to inspect the environment.

Exam trap

The trap here is that candidates often confuse `set` (which shows all shell variables) with `env` (which shows only environment variables), or they think `echo $HOME` is a way to list all variables, when it only shows one specific variable.

6
MCQhard

A developer needs to extract the third column from a CSV file where columns are separated by commas, but some fields contain commas within double quotes. Which command correctly handles this?

A.cut -d',' -f3 file.csv
B.awk -F',' '{ print $3 }' file.csv
C.awk 'BEGIN { FPAT = "[^,]*|\\"[^\\"]+\\"" } { print $3 }' file.csv
D.sed 's/[^,]*,[^,]*,\\([^,]*\\).*/\1/' file.csv
AnswerC

FPAT regex matches non-comma sequences or quoted strings.

Why this answer

Option C is correct because it uses `awk` with the `FPAT` variable to define a field pattern that correctly handles commas inside double-quoted fields. The pattern `[^,]*|\"[^\"]+\"` matches either a sequence of non-comma characters or a double-quoted string (including any commas within it), ensuring that the third column is extracted accurately even when fields contain embedded commas.

Exam trap

The trap here is that candidates often default to using `cut` or simple `awk` with a delimiter, not realizing that CSV files with quoted fields require a pattern-based field definition like `FPAT` to correctly parse embedded commas.

How to eliminate wrong answers

Option A is wrong because `cut -d',' -f3` splits fields solely on commas without any awareness of quoting, so it will incorrectly treat commas inside double-quoted fields as delimiters, breaking the column structure. Option B is wrong because `awk -F','` also uses a simple comma delimiter and does not handle quoted fields, leading to the same issue as `cut`. Option D is wrong because the `sed` command uses a regex that assumes fields are separated by commas and does not account for quoted fields containing commas; it will fail to correctly isolate the third column when such fields are present.

7
MCQhard

Refer to the exhibit. The output of 'ps aux' shows a process named 'process_hog' with PID 1234 consuming 99.5% CPU. The process is stuck in an infinite loop and does not respond to SIGTERM. Which signal should be used to forcefully terminate it?

A.kill -2 1234
B.kill -9 1234
C.kill -15 1234
D.kill -19 1234
AnswerB

SIGKILL is the ultimate signal that forcefully terminates the process.

Why this answer

Option B is correct because SIGKILL (9) cannot be caught or ignored and will terminate the process immediately. Option A is wrong because SIGTERM (15) was already attempted and ignored. Option C is wrong because SIGSTOP (19) suspends, does not terminate.

Option D is wrong because SIGINT (2) is typically not effective for background processes and may also be ignored.

8
MCQhard

You are managing a Linux server that hosts a critical web application. The server is running low on disk space in the root filesystem, and you need to free up space urgently. You run 'df -h' and see that /dev/sda1 is mounted on / and is 95% full. You also notice that /var/log/messages is over 2 GB in size. The application writes logs to /var/log/app.log, which is also large. The server has a separate /var partition that has plenty of free space. The application must continue running with minimal downtime. You need to compress and rotate logs without losing any data, and ensure that the root filesystem has at least 10% free space. Which of the following actions should you take first to achieve this goal?

A.Delete /var/log/app.log and /var/log/messages to free space quickly.
B.Stop the application, truncate /var/log/app.log, then restart the application.
C.Use logrotate with the 'copytruncate' option to rotate /var/log/app.log and move the rotated file to /var/old_logs/.
D.Compress /var/log/app.log using gzip and keep it in place.
AnswerC

This rotates the log without interrupting the application and moves it to a partition with space, freeing root.

Why this answer

Option C is correct because logrotate with the 'copytruncate' option allows the application to continue writing to the same file descriptor while the current log is copied and then truncated to zero length. This avoids any application downtime and the rotated log can be moved to the separate /var partition (which has free space) for compression or archiving, freeing space on the root filesystem without data loss.

Exam trap

The trap here is that candidates often choose to delete or truncate logs directly, not realizing that running processes hold file descriptors and that truncation does not immediately free disk space until the file descriptor is closed, or they overlook the 'copytruncate' option which allows zero-downtime rotation.

How to eliminate wrong answers

Option A is wrong because deleting log files while the application is running can cause the application to lose its file handle, potentially crash or stop logging, and data is permanently lost. Option B is wrong because stopping the application causes downtime, which violates the 'minimal downtime' requirement, and truncating the file in place does not free disk space until the file descriptor is released (the space is still held by the running process). Option D is wrong because compressing the log file in place does not free space on the root filesystem (the compressed file still occupies space on /), and the application may still be writing to the file, causing data loss or corruption.

9
MCQmedium

An administrator wants to terminate a process with PID 1234 and all its child processes. Which command should be used?

A.pkill -P 1234
B.kill -9 -1234
C.kill -15 1234
D.kill -9 1234
AnswerB

Sends SIGKILL to the entire process group.

Why this answer

Option B is correct because the `kill` command with a negative PID (e.g., `kill -9 -1234`) sends the signal to the process group identified by the absolute value of the PID. Since process group IDs typically equal the PID of the group leader, using `-1234` targets the entire process group, terminating PID 1234 and all its child processes. The `-9` (SIGKILL) ensures immediate termination without cleanup.

Exam trap

The trap here is that candidates often assume `kill -9 1234` terminates the entire process tree, but it only kills the specified process, leaving child processes orphaned; the negative PID syntax is the correct way to target a process group.

How to eliminate wrong answers

Option A is wrong because `pkill -P 1234` kills processes whose parent PID is 1234, not the process itself or its entire process tree; it only targets direct children, not grandchildren or the parent. Option C is wrong because `kill -15 1234` sends SIGTERM to PID 1234 only, allowing it to terminate gracefully but does not affect child processes. Option D is wrong because `kill -9 1234` sends SIGKILL to PID 1234 alone, leaving child processes orphaned (they may be reparented to init) rather than terminating them.

10
MCQhard

A cron job runs a script every hour but sometimes fails because the script cannot find commands like 'tar' and 'gzip'. The script works when run manually from a terminal. What is the best fix?

A.Run the cron job as root.
B.Modify the script to source the user's .bashrc.
C.Use absolute paths for all commands in the script.
D.Add a PATH statement to the cron job definition.
AnswerC

Absolute paths ensure the script finds the commands regardless of the environment's PATH.

Why this answer

Option C is correct because cron jobs run in a minimal environment with a restricted PATH (often just /usr/bin:/bin). When the script uses commands like 'tar' and 'gzip' without absolute paths, the shell cannot locate them. Using absolute paths (e.g., /bin/tar, /bin/gzip) ensures the script always finds the commands regardless of the environment.

Exam trap

The trap here is that candidates think adding a PATH to the cron job definition (Option D) is the best fix, but the LFCS exam emphasizes absolute paths as the more robust and portable solution for scripts run by cron.

How to eliminate wrong answers

Option A is wrong because running as root does not fix the PATH issue; root also has a minimal PATH in cron and this unnecessarily escalates privileges. Option B is wrong because sourcing .bashrc may not work reliably in cron (non-interactive shell) and .bashrc often contains interactive-only aliases or functions that can break the script. Option D is wrong because adding a PATH statement to the cron job definition (e.g., PATH=/usr/local/bin:/usr/bin:/bin) is a valid alternative but is not the 'best fix' — absolute paths are more explicit, avoid dependency on the cron environment, and are the recommended best practice for scripts run by cron.

11
MCQhard

A system administrator wants to kill a process with PID 1234 that is not responding to SIGTERM. Which command will forcefully terminate it?

A.kill -1 1234
B.kill -15 1234
C.kill -SIGTERM 1234
D.kill -9 1234
AnswerD

Sends SIGKILL, forcing termination.

Why this answer

Option D is correct because kill -9 (SIGKILL) sends signal 9, which cannot be caught, blocked, or ignored by the process. Unlike SIGTERM (signal 15), SIGKILL forces the kernel to immediately terminate the process without allowing it to clean up, making it the appropriate choice when a process is unresponsive to SIGTERM.

Exam trap

The trap here is that candidates often confuse signal numbers or assume that SIGTERM (signal 15) is always sufficient, not realizing that a process can mask or ignore it, while SIGKILL (signal 9) is the only signal that cannot be handled.

How to eliminate wrong answers

Option A is wrong because kill -1 sends SIGHUP (hangup signal), which typically causes a process to reload its configuration or terminate gracefully, not forcefully terminate. Option B is wrong because kill -15 sends SIGTERM, which is the default polite termination signal that the process can catch and ignore, so it is ineffective when the process is not responding to SIGTERM. Option C is wrong because kill -SIGTERM is equivalent to kill -15, sending the same signal that the process is already ignoring, so it will not forcefully terminate it.

12
MCQeasy

A user wants to continuously monitor the last 20 lines of a log file that is being written to by a running service. Which command achieves this?

A.head -20 /var/log/syslog
B.less /var/log/syslog
C.tail -f /var/log/syslog
D.cat /var/log/syslog
AnswerC

tail -f displays the last lines and updates in real time.

Why this answer

Option C is correct because the `tail -f` command displays the last 10 lines of a file by default and then continues to output new lines as they are appended, making it ideal for real-time monitoring of a growing log file. The `-20` option is not specified here, but `tail -f` without a line count still shows the last 10 lines and follows updates; if exactly 20 lines were required, the command would be `tail -20 -f /var/log/syslog`. The `-f` flag (follow) keeps the file open and polls for changes, typically using inotify on Linux, to output new data immediately.

Exam trap

The trap here is that candidates often confuse `tail -f` with `tail -n 20` (which shows the last 20 lines but does not follow) or mistakenly think `head` can monitor the end of a file, leading them to choose option A or B without recognizing the need for the `-f` flag to achieve continuous monitoring.

How to eliminate wrong answers

Option A is wrong because `head -20` displays the first 20 lines of the file, not the last lines, and it does not continuously monitor for new entries. Option B is wrong because `less` opens the file for interactive viewing and does not automatically follow new lines unless used with the `+F` option (which enables follow mode), but the plain `less` command does not provide continuous monitoring. Option D is wrong because `cat` outputs the entire file content to the terminal and then exits, with no ability to watch for updates or limit output to the last lines.

13
MCQhard

Based on the exhibit, which process will be affected if the root user runs 'kill 5678'?

A.The www-data process with PID 5678
B.The root process (PID 1234)
C.All www-data processes
D.No process, because root cannot kill www-data processes
AnswerA

kill 5678 terminates the process with that PID.

Why this answer

The 'kill 5678' command sends the default SIGTERM (signal 15) to the process with PID 5678. Since the root user has the CAP_KILL capability and is not subject to the ordinary permission checks that restrict non-root users, root can send signals to any process, including those owned by www-data. Therefore, the www-data process with PID 5678 will be terminated.

Exam trap

The trap here is that candidates may mistakenly believe root cannot kill processes owned by other users, or they may confuse the PID argument with a process name, thinking 'kill 5678' affects all processes of a given user or name.

How to eliminate wrong answers

Option B is wrong because 'kill 5678' targets the process with PID 5678, not PID 1234; the root process (PID 1234) is unaffected unless it coincidentally has PID 5678. Option C is wrong because 'kill 5678' sends a signal only to the specific process with PID 5678, not to all www-data processes; to target all www-data processes, one would need to use a command like 'killall www-data' or 'pkill -u www-data'. Option D is wrong because root can indeed kill any process on the system, including those owned by www-data, due to the superuser's unrestricted signal capability.

14
MCQmedium

A user 'dba' tries to login via SSH and fails. Based on the exhibit, what is the most likely cause?

A.The file /home/dba/file.txt is corrupt.
B.The user 'dba' has an invalid login shell.
C.The user 'dba' is not in the 'docker' group.
D.The home directory /home/dba does not have correct permissions.
AnswerB

/bin/false prevents login.

Why this answer

Option B is correct because the exhibit shows that the user 'dba' has an invalid login shell (e.g., /sbin/nologin or /bin/false). When the login shell is set to a non-interactive shell, SSH authentication succeeds but the session immediately closes, preventing the user from logging in. This is a common configuration for system accounts or users who should not have interactive shell access.

Exam trap

The trap here is that candidates often assume SSH login failures are always due to authentication (password/key) or file permissions, but the LFCS exam frequently tests the subtle point that an invalid login shell causes a successful authentication followed by an immediate session termination, which appears as a login failure.

How to eliminate wrong answers

Option A is wrong because a corrupt file in the user's home directory does not prevent SSH login; SSH authentication and session establishment occur before any user files are accessed. Option C is wrong because group membership (e.g., 'docker') is irrelevant to SSH login; SSH only checks the user's authentication credentials and shell validity. Option D is wrong because incorrect home directory permissions would cause issues after login (e.g., unable to read .bashrc), but they do not prevent the SSH authentication process itself; SSH only requires the home directory to exist and be accessible for reading the user's SSH configuration files like ~/.ssh/authorized_keys.

15
MCQeasy

A system administrator needs to find all files in /var/log that have been modified in the last 24 hours. Which command accomplishes this?

A.find /var/log -mtime 0
B.find /var/log -newer /var/log/syslog
C.find /var/log -mtime -1
D.find /var/log -mtime 1
AnswerC

Correctly finds files modified less than 1 day ago, i.e., within the last 24 hours.

Why this answer

Option C is correct because `find /var/log -mtime -1` finds files modified less than 1 day ago (i.e., within the last 24 hours). The `-mtime` option with a negative number (`-1`) matches files whose content was modified less than n*24 hours ago, which is exactly what the question requires.

Exam trap

The trap here is confusing `-mtime -1` (modified less than 24 hours ago) with `-mtime 1` (modified between 24 and 48 hours ago) or `-mtime 0` (modified exactly 24 hours ago), leading candidates to pick the wrong numeric argument.

How to eliminate wrong answers

Option A is wrong because `-mtime 0` finds files modified exactly 24 hours ago (i.e., between 24 and 48 hours ago), not within the last 24 hours. Option B is wrong because `-newer /var/log/syslog` compares modification times against a specific file, not a time range, and assumes `/var/log/syslog` exists and was last modified exactly 24 hours ago, which is unreliable. Option D is wrong because `-mtime 1` finds files modified between 24 and 48 hours ago, not within the last 24 hours.

16
MCQmedium

A system administrator is troubleshooting a user's report that a command 'myapp' is not found. The administrator checks the PATH variable and sees it includes /usr/local/bin. The administrator verifies that the binary 'myapp' exists in /usr/local/bin with permissions 755. However, running 'myapp' still fails with 'command not found'. What is the most likely cause?

A.The user's PATH does not include /usr/local/bin
B.The binary is a shell script missing a shebang
C.The shell's hash table is stale; run 'hash -r'
D.The binary does not have execute permission for the user
AnswerC

Correct: the shell caches command locations, and may not have updated after the binary was added.

Why this answer

Option C is correct because the shell caches the locations of executables in a hash table to avoid searching PATH repeatedly. When a new binary is added to a directory already in PATH, the shell may still have a stale entry (or no entry) for that command, causing it to report 'command not found' even though the binary exists. Running 'hash -r' clears the entire hash table, forcing the shell to re-scan PATH on the next invocation.

Exam trap

Linux Foundation often tests the concept that the shell's hash table can cause 'command not found' errors even when the binary exists and permissions are correct, leading candidates to incorrectly focus on PATH or permissions.

How to eliminate wrong answers

Option A is wrong because the administrator checked the PATH variable and confirmed it includes /usr/local/bin, so the user's PATH does include that directory. Option B is wrong because a missing shebang would cause the script to be interpreted by the current shell (which might fail or behave unexpectedly), but it would not produce a 'command not found' error; the shell would still attempt to execute it. Option D is wrong because the administrator verified the binary has permissions 755, which grants execute permission to the owner, group, and others, so the user does have execute permission.

17
MCQmedium

A DevOps engineer wants to measure how long a specific command takes to execute. Which command should be used?

A.date
B.uptime
C.wall
D.time
AnswerD

Measures the execution time of a command.

Why this answer

Option D is correct because the `time` command is specifically designed to measure the execution duration of a command, reporting real time, user CPU time, and system CPU time. It wraps the target command and tracks the elapsed wall-clock time and resource usage, making it the precise tool for benchmarking command performance.

Exam trap

The trap here is that candidates may confuse `time` with `date` or `uptime` because they all display time-related information, but only `time` measures the execution duration of a specific command.

How to eliminate wrong answers

Option A is wrong because `date` displays or sets the system date and time, but does not measure the duration of a command's execution. Option B is wrong because `uptime` shows how long the system has been running since last boot, along with load averages, not the execution time of a specific command. Option C is wrong because `wall` sends a message to all logged-in users' terminals and has no timing functionality.

18
MCQmedium

Refer to the exhibit. The administrator receives alerts that the root filesystem is almost full. Which command could free up space by removing old log files?

A.find /var/log -name '*.log' -mtime +30 -delete
B.truncate -s 0 /var/log/syslog
C.rm -rf /var/log/*
D.du -sh /var/log
AnswerA

Removes old log files safely.

Why this answer

Option A is correct because the `find` command with `-name '*.log'` targets log files, `-mtime +30` selects files modified more than 30 days ago, and `-delete` removes them. This safely frees space by purging only old logs, preserving recent logs needed for troubleshooting.

Exam trap

Linux Foundation often tests the distinction between commands that merely display disk usage (like `du`) versus those that actually remove files, and the danger of using `rm -rf` with wildcards on system directories like /var/log.

How to eliminate wrong answers

Option B is wrong because `truncate -s 0 /var/log/syslog` empties a single log file but does not remove old log files; it only clears the current syslog, which may still be needed and does not address multiple old log files. Option C is wrong because `rm -rf /var/log/*` deletes all files in /var/log, including critical logs and possibly active log files, which could break logging services and cause data loss. Option D is wrong because `du -sh /var/log` only shows disk usage of the directory; it does not free any space or remove any files.

19
MCQhard

A system administrator is managing a production web server running CentOS 7. The server hosts a critical application that depends on the 'httpd' package. Recently, the administrator attempted to install an updated version of httpd using 'yum update httpd', but the update failed with a dependency error: 'Error: Package: httpd-2.4.6-97.el7.centos.x86_64 requires libapr-1.so.0()(64bit)'. The administrator verifies that the apr package is installed (apr-1.5.2-6.el7.x86_64) and that the required library file exists at /usr/lib64/libapr-1.so.0. Despite this, yum continues to fail with the same error. After checking the yum repository configuration, the administrator notices that the base repository lists 'mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os' and the 'baseurl' is commented out. The system's /etc/yum.conf has 'keepcache=1'. What is the most likely cause of the dependency error, and which command should the administrator run to resolve it?

A.The yum cache is corrupted; delete /var/cache/yum manually and run 'yum makecache'.
B.The dependency is satisfied but yum's dependency resolver has a bug; use 'rpm -Uvh httpd.rpm --nodeps' to bypass dependency check.
C.The repository metadata is stale; run 'yum clean all' then 'yum update'.
D.The installed apr package is from a different version than what httpd expects; install a newer apr from a different repository.
AnswerC

Cleaning metadata refreshes dependency resolution, likely resolving the false error.

Why this answer

Option A is correct. The dependency error despite the library being present suggests stale repository metadata. yum clean all clears the cache and forces fresh metadata download, which often resolves such false positives. Option B is incorrect because the apr version provides the required library.

Option C is similar to A but manual deletion is unnecessary. Option D bypasses dependency checks and risks breaking the system.

20
Matchingmedium

Match each Linux permission type to its symbolic representation.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

r

w

x

s (owner execute)

t (other execute)

Why these pairings

These are standard permission symbols in Linux.

21
MCQeasy

A user wants to set the permissions of a file to 'rwxr-xr--'. Which octal permission value should they use with chmod?

A.754
B.755
C.754
D.744
AnswerA, C

Correct: rwxr-xr-- corresponds to 754.

Why this answer

The permissions 'rwxr-xr--' correspond to owner: rwx (7), group: r-x (5), others: r-- (4). The octal value 754 is derived by summing the binary bits for each triad: read (4), write (2), execute (1). Thus, chmod 754 sets the exact permissions requested.

Exam trap

The trap here is that candidates often confuse the order of the octal digits (owner, group, others) or miscompute the group/others values, leading them to pick 755 (granting extra execute) or 744 (missing group execute).

How to eliminate wrong answers

Option B (755) is wrong because it sets others to r-x (5) instead of r-- (4), granting execute permission to others unnecessarily. Option D (744) is wrong because it sets group to r-- (4) instead of r-x (5), denying group execute permission. Option A and C are identical and both correct; the duplication is an artifact of the answer choices.

22
MCQhard

A process is consuming 99% CPU and is unresponsive to normal shutdown requests. After running 'top', you see the PID is 1234. What is the most appropriate command to stop the process gracefully first?

A.kill -15 1234
B.kill -19 1234
C.kill -2 1234
D.kill -9 1234
AnswerA

SIGTERM is the default and polite way to terminate a process.

Why this answer

The correct answer is A: kill -15 1234. The SIGTERM signal (15) is the standard way to request a process terminate gracefully, allowing it to clean up resources, close files, and perform shutdown routines. This is the most appropriate first step before escalating to stronger signals, as it gives the process a chance to exit normally.

Exam trap

The trap here is that candidates often jump to kill -9 (SIGKILL) as the first solution when a process is unresponsive, but the LFCS exam emphasizes the principle of escalating signals gracefully, starting with SIGTERM.

How to eliminate wrong answers

Option B is wrong because kill -19 sends SIGSTOP, which pauses the process but does not terminate it; the process remains in memory and can be resumed with SIGCONT, so it does not stop the process gracefully. Option C is wrong because kill -2 sends SIGINT, which is typically used to interrupt a foreground process from the terminal (like Ctrl+C) and may not be effective for a background or daemon process that is unresponsive to normal shutdown requests. Option D is wrong because kill -9 sends SIGKILL, which forcefully terminates the process without allowing any cleanup; this should be a last resort after graceful methods fail, not the first attempt.

23
MCQhard

A system administrator needs to find all files in /home that are owned by user 'alice' and have been modified in the last 7 days. The administrator then wants to compress those files into a single archive named alice_recent.tar.gz. Which of the following commands accomplishes this?

A.find /home -user alice -mtime -7 -exec tar -rf alice_recent.tar.gz {} +
B.find /home -user alice -mtime -7 -print | cpio -o > alice_recent.tar.gz
C.tar -czf alice_recent.tar.gz -T <(find /home -user alice -mtime -7)
D.find /home -user alice -mtime -7 | tar -cvf alice_recent.tar.gz
AnswerA

Correctly appends found files to a tar archive (creates if not exists). Then compress: gzip alice_recent.tar.

Why this answer

Option A is correct because it uses `find` with `-user alice` and `-mtime -7` to locate files owned by alice modified within the last 7 days, then executes `tar -rf` with `{} +` to append those files to an archive. The `-r` flag appends files to an existing archive (or creates one if it doesn't exist), and `{} +` efficiently passes multiple filenames to a single `tar` invocation, avoiding command-line length limits.

Exam trap

The trap here is that candidates often assume `tar` can read filenames from stdin via pipe without the `-T` option, or they confuse `cpio` with `tar` formats, leading them to choose options that produce incorrect archive types or fail to include the files.

How to eliminate wrong answers

Option B is wrong because `cpio -o` creates a cpio archive, not a gzip-compressed tar archive; the output would be a cpio file named `.tar.gz`, which is misleading and not a valid tar.gz. Option C is wrong because process substitution `<(...)` is a bash feature that may not be available in all POSIX shells (e.g., `sh`), and the command would fail in a standard LFCS exam environment; also, `tar -czf` with `-T` expects a file, not a process substitution, though it works in bash, it's not portable. Option D is wrong because piping `find` output to `tar -cvf` does not pass filenames as arguments; `tar` expects filenames from stdin only with the `-T` option, so this command would either ignore stdin or produce an empty archive.

24
MCQeasy

To display the first 10 lines of a file named 'log.txt', which command is correct?

A.less log.txt
B.tail log.txt
C.head log.txt
D.cat log.txt
AnswerC

Outputs the first 10 lines by default.

Why this answer

The `head` command is designed to display the first 10 lines of a file by default. Running `head log.txt` outputs the first 10 lines of the file without any additional options, making it the correct choice for this task.

Exam trap

The trap here is that candidates often confuse `head` with `tail` or assume `less` or `cat` are appropriate for displaying only the first few lines, when in fact `head` is the specific command for that purpose.

How to eliminate wrong answers

Option A is wrong because `less` is a pager that displays the file interactively, allowing scrolling both forward and backward, but it does not default to showing only the first 10 lines; it shows the beginning of the file and waits for user input. Option B is wrong because `tail` displays the last 10 lines of a file by default, not the first 10 lines. Option D is wrong because `cat` outputs the entire contents of the file to the terminal, not just the first 10 lines.

25
MCQmedium

A system administrator wants to display a list of all currently running processes with their parent process IDs. Which command is most appropriate?

A.pstree
B.jobs
C.top
D.ps -ef
AnswerD

Shows all processes with parent PID in the PPID column.

Why this answer

Option D (ps -ef) is correct because the 'ps' command with the '-e' flag displays all processes, and the '-f' flag provides a full-format listing that includes the PPID (parent process ID) in the output. This directly meets the requirement to list all currently running processes with their parent process IDs.

Exam trap

The trap here is that candidates may confuse 'pstree' (which shows parent-child relationships visually) with 'ps -ef' (which lists numeric PPIDs), or assume 'top' is suitable for a static list, when the question specifically asks for a list with parent process IDs, not a tree or dynamic view.

How to eliminate wrong answers

Option A is wrong because pstree displays processes in a tree hierarchy showing parent-child relationships, but it does not show the numeric parent process ID (PPID) in its default output; it focuses on the tree structure rather than a list with PPIDs. Option B is wrong because the 'jobs' command lists only background jobs associated with the current shell session, not all running processes on the system. Option C is wrong because 'top' provides a dynamic, real-time view of running processes and can display PPID if configured, but it is not a static list command and does not output a simple list of all processes with their PPIDs by default.

26
MCQeasy

A system administrator notices that the disk space on the root filesystem is at 95% usage. After investigating, they find that a large log file named 'access.log' in /var/log is taking up significant space. The administrator deletes the file using 'rm /var/log/access.log' but the disk usage remains at 95%. Running 'df -h' still shows the same usage. What is the most likely cause and the correct next step?

A.The file is compressed and needs to be decompressed. Use 'gzip -d access.log' first.
B.The filesystem is marked as full in the superblock. Use 'fsck' to repair the filesystem.
C.The file is still open by a process. Use 'lsof | grep access.log' to identify the process and restart it.
D.The file has multiple hard links. Use 'find / -links +1' to locate all hard links and delete them.
AnswerC

Deleted open files still consume space; finding and restarting the process releases the space.

Why this answer

When a file is deleted with 'rm' while it is still open by a running process, the file's directory entry is removed, but the inode and data blocks remain allocated until the process closes the file descriptor. This causes 'df' to still report the space as used. The correct next step is to use 'lsof' to find the process holding the file open and restart it, which releases the file descriptor and frees the disk space.

Exam trap

The trap here is that candidates assume 'rm' immediately frees disk space, but they overlook that open file descriptors by running processes (e.g., syslog, Apache) keep the data blocks allocated until the process is restarted or the descriptor is closed.

How to eliminate wrong answers

Option A is wrong because the file was already deleted, not compressed; 'gzip -d' would fail on a removed file and does not address the open file handle issue. Option B is wrong because the filesystem is not marked as full in the superblock; 'fsck' repairs filesystem metadata corruption, not space accounting for open deleted files. Option D is wrong because hard links would cause the file to still exist under another name, but 'rm' would only remove one link; however, 'df' would show freed space only after all links are removed, but the question states the file was deleted and space remains, which points to an open file descriptor, not multiple hard links.

27
MCQhard

An administrator wants to ensure that a background process continues running after logout. Which command should be used to start the process?

A.nohup sleep 100 &
B.runproc sleep 100 &
C.sleep 100 &
D.sleep 100 & disown
AnswerA

nohup ignores SIGHUP, so process continues after logout.

Why this answer

The correct answer is A because `nohup` allows a process to ignore the SIGHUP signal that is sent to background processes when the parent shell exits, ensuring it continues running after logout. The `&` places the command in the background, and `nohup` redirects output to `nohup.out` by default, making it the standard way to run a process immune to hangups.

Exam trap

The trap here is that candidates often think `&` alone or `disown` alone is sufficient to keep a process running after logout, but without `nohup`, the process will still receive SIGHUP and terminate when the shell exits.

How to eliminate wrong answers

Option B is wrong because `runproc` is not a standard Linux command; it does not exist in the LFCS exam context and would not provide any hangup immunity. Option C is wrong because `sleep 100 &` runs the process in the background but does not protect it from SIGHUP; when the shell exits, the background job will receive SIGHUP and terminate. Option D is wrong because `disown` removes a job from the shell's job table but does not prevent SIGHUP from being sent to the process; the process will still receive SIGHUP and terminate upon shell logout unless it was started with `nohup` or has otherwise set itself to ignore SIGHUP.

28
MCQmedium

A security policy requires that all users in the 'webadmin' group should have read and write access to files in /var/www/html. New files created in that directory should automatically be assigned to the 'webadmin' group and have group read/write permissions. Which combination of permissions and group ownership should be set on /var/www/html?

A.chmod o+t /var/www/html; chmod 1775 /var/www/html; chown root:webadmin /var/www/html
B.chmod g+s /var/www/html; chmod 2755 /var/www/html; chown root:webadmin /var/www/html
C.chmod u+s /var/www/html; chown root:webadmin /var/www/html
D.chmod g+s /var/www/html; chmod 2775 /var/www/html; chown root:webadmin /var/www/html
AnswerD

Setgid bit ensures new files inherit group, and permissions allow group write.

Why this answer

Option D is correct because setting the setgid bit (g+s) on /var/www/html ensures that new files inherit the directory's group ('webadmin'), and the 2775 permissions grant group read/write/execute (rwx) while the setgid bit is represented by the leading 2. This combination satisfies the security policy: group ownership inheritance and group read/write access for all new files.

Exam trap

The trap here is that candidates often confuse the setgid bit (g+s) with the sticky bit (o+t) or setuid bit (u+s), and may overlook that the numeric mode must include the leading 2 (or 2xxx) to enable setgid, not just the symbolic chmod g+s.

How to eliminate wrong answers

Option A is wrong because 'chmod o+t' sets the sticky bit, which only prevents users from deleting files they don't own, and 1775 sets no setgid bit, so new files will not inherit the 'webadmin' group. Option B is wrong because 2755 grants group permissions of r-x (read/execute only), not rw- (read/write), failing the requirement for group write access. Option C is wrong because 'chmod u+s' sets the setuid bit (affects user ownership, not group), and without the setgid bit, new files will not automatically be assigned to the 'webadmin' group.

29
MCQmedium

A system administrator needs to stop a misbehaving process gracefully, allowing it to clean up resources. The process is unresponsive to the standard SIGTERM signal. What should the administrator do next?

A.Use 'kill -15' again, wait a few seconds, then use 'kill -9' if still unresponsive.
B.Wait for the process to finish on its own.
C.Use 'kill -9' immediately.
D.Send SIGTERM again with a higher priority.
AnswerA

This is the recommended procedure: try graceful termination first, then force kill if needed.

Why this answer

Option A is correct because the standard escalation path for terminating an unresponsive process is to first send SIGTERM (signal 15) to request a graceful shutdown, then after a brief wait, send SIGKILL (signal 9) if the process has not terminated. This allows the process a chance to clean up resources before being forcibly killed, which is the recommended practice in Linux process management.

Exam trap

The trap here is that candidates may think SIGKILL is the immediate solution for any unresponsive process, but the LFCS exam emphasizes the proper escalation sequence (SIGTERM first, then SIGKILL) to ensure graceful resource cleanup.

How to eliminate wrong answers

Option B is wrong because waiting indefinitely for a misbehaving process to finish on its own is not a valid administrative action; the process is already unresponsive and may never terminate, leading to resource starvation. Option C is wrong because using 'kill -9' immediately bypasses the process's cleanup handlers and can leave resources (e.g., temporary files, network sockets) in an inconsistent state, which is considered a last resort. Option D is wrong because SIGTERM does not have a 'priority' concept; signals are delivered as-is, and sending the same signal again with no change in behavior will not overcome the process's unresponsiveness.

30
MCQmedium

A system administrator needs to find all files under /var/log that have been modified within the last 7 days. Which command accomplishes this task?

A.find /var/log -atime -7
B.find /var/log -mmin -10080
C.find /var/log -mtime -7
D.find /var/log -ctime -7
AnswerC

-mtime -7 finds files modified less than 7 days ago.

Why this answer

Option C is correct because the `find` command with `-mtime -7` searches for files whose content was modified (i.e., changed) within the last 7 days. The `-mtime` flag uses a 24-hour period, so `-7` means files modified less than 7 days ago, which matches the requirement to find files modified within the last 7 days under /var/log.

Exam trap

The trap here is that candidates often confuse `-mtime` (modification time) with `-ctime` (change time) or `-atime` (access time), leading them to pick an option that checks the wrong timestamp for the task of finding recently modified files.

How to eliminate wrong answers

Option A is wrong because `-atime -7` searches for files accessed (read) within the last 7 days, not modified, which is a different timestamp. Option B is wrong because `-mmin -10080` uses minutes (10080 minutes = 7 days) and would work for the same purpose, but it is not listed as correct; the question expects the `-mtime` flag, and `-mmin` is a valid alternative but not the intended answer here. Option D is wrong because `-ctime -7` searches for files whose metadata (inode) changed within the last 7 days, such as permissions or ownership, not the file content modification.

31
MCQeasy

A user wants to view the contents of a compressed log file /var/log/syslog.2.gz without decompressing it first. Which command should they use?

A.gunzip /var/log/syslog.2.gz
B.cat /var/log/syslog.2.gz
C.zcat /var/log/syslog.2.gz
D.less /var/log/syslog.2.gz
AnswerC

zcat reads gzip files directly.

Why this answer

Option C is correct because `zcat` is a utility that reads compressed files (typically gzip-compressed) and outputs their decompressed content to standard output without permanently decompressing the file. This allows the user to view the contents of `/var/log/syslog.2.gz` directly in the terminal.

Exam trap

The trap here is that candidates may confuse `zcat` with `gunzip` or assume `less` can handle compressed files natively, but the LFCS exam expects knowledge of the specific command designed for viewing compressed files without decompression.

How to eliminate wrong answers

Option A is wrong because `gunzip` permanently decompresses the file, replacing the `.gz` file with an uncompressed version, which is not what the user wants. Option B is wrong because `cat` cannot interpret gzip compression; it will output raw binary data, which is unreadable. Option D is wrong because `less` does not natively handle gzip-compressed files; it would display binary garbage unless used with a wrapper like `zless` or a pipe from `zcat`.

32
MCQeasy

A user reports that they cannot delete a file named 'important.txt' located in their home directory. The file is owned by the user and the user has write permission on the directory. Running 'rm important.txt' produces the error: 'rm: cannot remove 'important.txt': Operation not permitted'. The user has also tried using 'sudo rm' but gets the same error. Which of the following is the most likely cause and correct solution?

A.The file has an ACL that denies deletion. Use 'setfacl -b important.txt' to remove ACLs.
B.The file has the immutable attribute set. Use 'lsattr important.txt' and if the 'i' attribute is present, remove it with 'chattr -i important.txt'.
C.The file is currently in use by another process. Use 'lsof' to find the process and kill it.
D.The directory has the sticky bit set, preventing deletion. Use 'chmod o-t .' to remove the sticky bit.
AnswerB

The immutable attribute prevents deletion; removing it allows deletion.

Why this answer

The error 'Operation not permitted' despite the user owning the file and having write permission on the directory indicates a filesystem-level restriction rather than a permission or ACL issue. The immutable attribute (i) on the file prevents any modification, including deletion, even by the root user. Running 'lsattr' reveals the attribute, and 'chattr -i' removes it, allowing deletion.

Exam trap

The trap here is that candidates confuse 'Operation not permitted' with standard permission errors, overlooking the immutable attribute as a filesystem-level override that affects even root and is not visible with 'ls -l'.

How to eliminate wrong answers

Option A is wrong because ACLs (Access Control Lists) do not produce an 'Operation not permitted' error for a file owner; they would show 'Permission denied' if applicable, and 'setfacl -b' removes all ACLs, which is unnecessary here. Option C is wrong because a file in use by another process would typically give a 'Text file busy' or 'Device or resource busy' error, not 'Operation not permitted', and killing the process would not resolve an immutable attribute. Option D is wrong because the sticky bit on a directory affects deletion of files owned by other users, not the file owner; the user owns the file, so the sticky bit does not block deletion, and 'chmod o-t' removes the sticky bit from the current directory, which is not the issue.

33
MCQeasy

A user reports that a shell script 'backup.sh' in /home/user/scripts fails to execute. What is the most likely cause?

A.The script is not in the user's PATH.
B.The script does not have execute permission for the user.
C.The script must be owned by root.
D.The script does not have a shebang line (#!/bin/bash) at the top.
AnswerB

Missing execute permission is the most common cause of 'Permission denied' errors when running a script.

Why this answer

The most likely cause is that the script lacks execute permission for the user. In Linux, a file must have the execute bit set (e.g., `chmod +x backup.sh`) to be run as a script. Without it, the shell will refuse to execute the file, even if the user has read access and the script is syntactically correct.

Exam trap

The trap here is that candidates often assume a missing shebang (Option D) is the primary cause, but the LFCS exam tests that execute permission is the fundamental requirement for running any script directly.

How to eliminate wrong answers

Option A is wrong because the script is being executed directly (e.g., `./backup.sh` or via a full path), so PATH is irrelevant; PATH only matters when invoking a command by name without a path. Option C is wrong because script ownership does not affect execution; any user with execute permission can run it, regardless of owner. Option D is wrong because while a shebang is good practice, the shell will still attempt to execute the script using the default shell (usually /bin/sh) if no shebang is present; the script would run, not fail to execute entirely.

34
MCQhard

Refer to the exhibit. A user attempts to create a file in /backup/snapshots/ but receives an error. What is the most likely cause?

A.The /backup filesystem is mounted read-only.
B.The /backup directory does not exist.
C.The user does not have write permission on /backup.
D.The /backup filesystem is full.
AnswerA

The '(ro)' flag indicates a read-only mount.

Why this answer

The error occurs because the /backup filesystem is mounted read-only, which prevents any write operations, including file creation, regardless of directory permissions or available space. This is a common scenario when a filesystem is intentionally mounted with the 'ro' option in /etc/fstab or via the mount command to protect data integrity.

Exam trap

The trap here is that candidates often focus on file permissions or disk space, overlooking the filesystem-level mount option that overrides all other write mechanisms.

How to eliminate wrong answers

Option B is wrong because if the /backup directory did not exist, the error would typically be 'No such file or directory' rather than a permission or write failure, and the user is attempting to create a file in /backup/snapshots/, implying the parent exists. Option C is wrong because write permission on /backup is irrelevant if the underlying filesystem is mounted read-only; even root cannot write to a read-only filesystem without remounting. Option D is wrong because a full filesystem would produce a 'No space left on device' error, not a generic write failure, and the question does not indicate disk space exhaustion.

35
Multi-Selecteasy

Which TWO commands can be used to display the current working directory?

Select 2 answers
A.which pwd
B.pwd
C.date
D.echo $PWD
E.whoami
AnswersB, D

Prints working directory.

Why this answer

The `pwd` command (B) is the standard POSIX command that prints the full pathname of the current working directory. The shell variable `$PWD` (D) is automatically set by the shell to the current working directory, so `echo $PWD` outputs the same path. Both are valid ways to display the current working directory.

Exam trap

Linux Foundation often tests the distinction between commands that display the working directory and commands that merely locate or describe other things, tricking candidates into selecting `which pwd` because it contains the letters 'pwd'.

36
Multi-Selectmedium

Which THREE commands can be used to view the contents of a compressed archive file without extracting it? (Select three.)

Select 3 answers
A.tar -tvf archive.tar.gz
B.zcat archive.gz
C.gunzip archive.gz
D.less archive.gz
E.bunzip2 archive.bz2
AnswersA, B, D

Lists contents of tar archive.

Why this answer

Options A, B, and E are correct: tar -tvf lists contents of a tarball; zcat shows gzip file content; less can read compressed files if configured. Option C (gunzip) decompresses; Option D (bunzip2) decompresses bzip2.

37
MCQmedium

A system administrator has a cron job that runs a backup script. The script requires the variable BACKUP_DIR to be set, but the administrator cannot modify the script. Which is the most appropriate place to define the variable for cron?

A.In the crontab file with the line 'BACKUP_DIR=/var/backups' before the command
B.In /etc/profile.d/backup.sh
C.In /etc/environment
D.In ~/.bash_profile
AnswerA

crontab allows variable definitions.

Why this answer

Cron jobs run in a minimal environment and do not source shell profiles or login scripts. Defining BACKUP_DIR directly in the crontab file before the command ensures the variable is set in the cron execution context, which is the only reliable way to pass environment variables to cron without modifying the script.

Exam trap

The trap here is that candidates assume cron inherits the user's login environment or sources profile files, but cron explicitly does not, making inline crontab variable definitions the only correct approach.

How to eliminate wrong answers

Option B is wrong because /etc/profile.d/ scripts are sourced only by interactive login shells, not by cron, which uses a non-interactive, non-login shell. Option C is wrong because /etc/environment is read by PAM (pam_env.so) during login sessions, but cron does not use PAM for environment setup. Option D is wrong because ~/.bash_profile is sourced only for interactive login shells, and cron does not invoke a login shell.

38
MCQhard

A system administrator monitors a server that periodically becomes unresponsive for a few seconds. Investigation reveals that the kernel OOM killer is being invoked, but standard memory usage monitoring tools like 'free' and 'top' show less than 50% memory usage. The server runs a web server and a database. Which of the following is the most likely cause and diagnostic step?

A.The server is experiencing a fork bomb. Use 'ps -ef | wc -l' to count processes.
B.The database is using swap space excessively. Use 'swapon -s' to check swap usage.
C.The web server is leaking file descriptors. Use 'lsof -n' to check open files.
D.The kernel is using a large amount of memory for slab caches. Use 'slabtop' to examine kernel memory allocations.
AnswerD

Slab caches can consume significant memory not shown in standard memory tools; 'slabtop' helps identify this.

Why this answer

Option D is correct because the kernel OOM killer can be triggered by high slab cache usage, which is memory allocated for kernel data structures like inode and dentry caches. Standard tools like 'free' and 'top' may show low overall memory usage because they report only user-space memory, while slab caches are accounted separately. Using 'slabtop' allows the administrator to identify which kernel slab caches are consuming excessive memory, often due to a large number of small files or heavy filesystem metadata operations.

Exam trap

The trap here is that candidates assume OOM kills are always due to user-space memory exhaustion, overlooking that kernel slab caches can consume significant memory and trigger the OOM killer even when 'free' and 'top' show low usage.

How to eliminate wrong answers

Option A is wrong because a fork bomb would cause a rapid increase in process count and high CPU usage, not periodic unresponsiveness with low memory usage as reported by 'free' and 'top'; 'ps -ef | wc -l' would show an abnormally high number of processes, but the scenario describes memory pressure without high process count. Option B is wrong because excessive swap usage would be reflected in 'free' or 'top' as high swap usage, and the OOM killer is invoked when physical memory is exhausted, not when swap is used; 'swapon -s' shows swap devices and their usage, but the problem is kernel memory, not swap. Option C is wrong because a file descriptor leak would cause the process to hit the file descriptor limit (ulimit -n), leading to 'too many open files' errors, not OOM kills; 'lsof -n' lists open files but does not directly relate to kernel memory exhaustion.

39
MCQhard

You are a system administrator for a company that runs a web server on a Linux system. The web server logs are stored in /var/log/nginx/access.log. The log file grows rapidly and rotates weekly via logrotate. The system has been running for several months. Recently, the development team reported that the web server is responding slowly. You suspect that the disk I/O might be high due to log file activity. You check the disk usage and find that /var/log/nginx/access.log is 4 GB, and the rotated logs (access.log.1.gz, access.log.2.gz, etc.) total another 10 GB. The /var partition has 20 GB total, so it's 70% full. You decide to reduce the disk usage by compressing the current log file and truncating it without stopping the nginx service. Which command sequence should you use to safely achieve this?

A.:> /var/log/nginx/access.log && cp /var/log/nginx/access.log /var/log/nginx/access.log.bak && gzip /var/log/nginx/access.log.bak
B.cp /var/log/nginx/access.log /var/log/nginx/access.log.bak && :> /var/log/nginx/access.log && gzip /var/log/nginx/access.log.bak
C.rm /var/log/nginx/access.log && touch /var/log/nginx/access.log && chmod 644 /var/log/nginx/access.log
D.mv /var/log/nginx/access.log /var/log/nginx/access.log.bak && touch /var/log/nginx/access.log && gzip /var/log/nginx/access.log.bak
AnswerB

Correct: copies the file, truncates the original (keeping inode), compresses the copy.

Why this answer

Option B is correct because it first copies the current log file to a backup, then truncates the original file in place using the shell null command (`:>`) without stopping nginx, and finally compresses the backup. This ensures nginx continues writing to the same inode (file descriptor remains valid) and the disk space is reclaimed after compression.

Exam trap

The trap here is that candidates often choose `mv` and `touch` (Option D) thinking it's the standard logrotate method, but without signaling nginx, the old file descriptor remains attached to the moved file, causing the new empty file to be ignored and log data to be written to the renamed file instead.

How to eliminate wrong answers

Option A is wrong because it truncates the log file before copying it, resulting in an empty backup and loss of log data. Option C is wrong because `rm` removes the file entirely, breaking nginx's open file descriptor and causing it to log to a deleted inode until restarted; `touch` creates a new file with a different inode, and the permission reset is unnecessary. Option D is wrong because `mv` moves the file to a new name, which changes the inode; nginx continues writing to the old inode (now renamed), and the new `touch`ed file is not used until nginx is restarted or signaled, causing log loss or misdirection.

40
MCQmedium

A backup script must create a compressed archive of the /etc directory, preserving file permissions and timestamps. Which command should be used?

A.gzip -r /etc > backup.tar.gz
B.cpio -ov < /etc > backup.cpio
C.rsync -av /etc /backup/etc
D.tar -czvf backup.tar.gz /etc
AnswerD

tar with -czvf creates a gzipped archive preserving permissions and timestamps.

Why this answer

Option D is correct because the `tar -czvf` command creates a compressed archive (via gzip) that preserves file permissions and timestamps by default when run as root. The `-c` flag creates the archive, `-z` compresses it with gzip, `-v` provides verbose output, and `-f` specifies the archive filename. Tar is the standard Unix tool for bundling files into a single archive while retaining metadata like ownership, permissions, and timestamps.

Exam trap

The trap here is that candidates confuse `gzip` (which compresses individual files) with `tar` (which archives directories), or they think `rsync` creates an archive file when it actually creates a directory copy, not a compressed archive.

How to eliminate wrong answers

Option A is wrong because `gzip -r` recursively compresses individual files in place, not creating a single archive; it would replace each file with a .gz version, losing the directory structure and not preserving permissions in a bundled format. Option B is wrong because `cpio -ov < /etc` reads from stdin, but `/etc` is a directory, not a file list; cpio requires a list of files piped via `find` or similar, and without `--preserve-modification-time` it does not preserve timestamps by default. Option C is wrong because `rsync -av` synchronizes files to a destination directory, not creating a single compressed archive file; it preserves permissions and timestamps but produces a directory copy, not a portable archive like tar.gz.

41
MCQeasy

Which command displays the amount of free and used memory in the system?

A.free -h
B.df -h
C.ps aux
D.netstat -i
AnswerA

free displays memory usage.

Why this answer

The `free -h` command displays the total, used, and free physical memory (RAM) and swap space in a human-readable format (e.g., GiB, MiB). The `-h` flag converts raw byte counts into appropriate units, making it the correct tool for checking memory usage.

Exam trap

The trap here is that candidates confuse `df` (disk free) with `free` (memory free) due to similar names, or assume `ps aux` shows total memory usage when it only shows per-process values.

How to eliminate wrong answers

Option B is wrong because `df -h` reports disk filesystem usage (mounted partitions), not memory. Option C is wrong because `ps aux` lists running processes and their resource usage (CPU, memory per process), not the system-wide free and used memory totals. Option D is wrong because `netstat -i` displays network interface statistics (packets, errors, collisions), not memory information.

42
MCQmedium

A system administrator is troubleshooting a performance issue. They need to identify which process is consuming the most CPU time over the last 24 hours. Which command should be used?

A.ps aux --sort=-%cpu
B.sar -u -f /var/log/sa/sa$(date +%d)
C.top -b -n1
D.uptime
AnswerB

Reads historical CPU usage from sysstat data file.

Why this answer

Option B is correct because the `sar -u -f /var/log/sa/sa$(date +%d)` command reads historical CPU usage data from the system activity report (SAR) file for the current day. The `-u` flag reports CPU utilization, and the `-f` flag specifies the file, allowing the administrator to analyze CPU time trends over the last 24 hours, which is essential for identifying the process consuming the most CPU time over that period.

Exam trap

The trap here is that candidates often choose `ps aux --sort=-%cpu` or `top` because they are familiar with real-time process monitoring, but the question explicitly asks for data 'over the last 24 hours,' which requires historical log analysis, not a current snapshot.

How to eliminate wrong answers

Option A is wrong because `ps aux --sort=-%cpu` shows only a snapshot of current processes sorted by CPU usage at the moment the command runs, not historical data over the last 24 hours. Option C is wrong because `top -b -n1` runs a single batch-mode snapshot of current processes, again providing only real-time CPU usage, not historical trends. Option D is wrong because `uptime` displays system load averages for the last 1, 5, and 15 minutes, not per-process CPU time or historical data over 24 hours.

43
MCQmedium

A junior admin runs 'ls -l' and sees permissions '-rwxrwxr-x' on a file. What is the octal representation?

A.755
B.770
C.775
D.777
AnswerC

rwxrwxr-x = 775.

Why this answer

The permissions '-rwxrwxr-x' break down as: owner (rwx = 4+2+1 = 7), group (rwx = 4+2+1 = 7), others (r-x = 4+0+1 = 5). This gives the octal value 775. Option C is correct because it matches this calculation exactly.

Exam trap

The trap here is that candidates often misread the last three characters 'r-x' as 'rwx' or 'r--', leading them to choose 777 or 755 instead of correctly calculating 775.

How to eliminate wrong answers

Option A (755) is wrong because it represents owner rwx (7), group r-x (5), others r-x (5), which would require group permissions to be r-x, not rwx. Option B (770) is wrong because it represents owner rwx (7), group rwx (7), others --- (0), which would deny all permissions to others, but the file shows r-x for others. Option D (777) is wrong because it represents owner rwx (7), group rwx (7), others rwx (7), which would give write permission to others, but the file shows r-x (no write) for others.

44
MCQhard

The backup script fails to run as user 'backup' with sudo. What is the issue?

A.The script has a restrictive umask.
B.The script does not have execute permission for the 'backup' user.
C.The script is not owned by 'backup'.
D.The 'backup' user is not in the sudoers file.
AnswerB

Only root has execute permission.

Why this answer

Option B is correct because for a script to be executed via sudo, the user (backup) must have execute permission on the script file. Even if sudo is configured to allow the user to run the script, the operating system enforces file permission checks at execution time. Without the execute bit set for the backup user (or for others, depending on the sudo runas context), the kernel will refuse to execve() the script, resulting in a 'Permission denied' error.

Exam trap

The trap here is that candidates often assume sudo bypasses all file permission checks, but in reality, sudo only bypasses the permission to run the command as another user—the kernel still enforces file execute permissions on the target script.

How to eliminate wrong answers

Option A is wrong because a restrictive umask affects the default permissions of newly created files, not the ability to execute an existing script via sudo. Option C is wrong because file ownership is irrelevant for execution via sudo; sudo runs commands with elevated privileges and does not require the target user to own the script. Option D is wrong because the question states the script fails to run as user 'backup' with sudo, implying sudo is being invoked; if the user were not in the sudoers file, sudo would not even attempt to run the script, and the error would be about sudo privileges, not script execution.

45
Multi-Selecteasy

Which TWO commands can be used to display the contents of a text file that has been compressed with gzip without decompressing it to disk?

Select 2 answers
A.xzcat file.gz
B.gzip -l file.gz
C.zcat file.gz
D.gunzip -c file.gz
E.bzcat file.gz
AnswersC, D

Decompresses and prints to stdout.

Why this answer

Option C is correct because `zcat` is a standard utility that reads gzip-compressed files and decompresses the output to stdout, allowing you to view the contents without writing a decompressed file to disk. It is functionally equivalent to `gunzip -c` and is commonly used for inspecting compressed log files or text data.

Exam trap

The trap here is that candidates often confuse compression tools and their corresponding cat utilities (e.g., `xzcat` for xz, `bzcat` for bzip2, `zcat` for gzip), leading them to select a command that works on a different compression format.

46
Multi-Selectmedium

Which TWO commands can be used to list the contents of a tar archive without extracting it?

Select 2 answers
A.tar -tvf archive.tar
B.tar -ztvf archive.tar.gz
C.tar --list archive.tar
D.tar -xjf archive.tar.bz2
E.tar -xvf archive.tar
AnswersA, B

tar -tvf lists the contents of a tar archive verbosely without extracting.

Why this answer

Option A is correct because `tar -tvf archive.tar` lists the contents of a tar archive without extracting it. The `-t` flag tells tar to list the archive's table of contents, `-v` provides verbose output (showing file permissions, ownership, size, and timestamp), and `-f` specifies the archive file. This works for uncompressed tar archives.

Exam trap

The trap here is that candidates often confuse the `-t` (list) flag with `-x` (extract) or forget that compressed archives require an additional decompression flag (like `-z` or `-j`) even for listing, leading them to pick extraction options like D or E.

47
Multi-Selectmedium

Which TWO commands can be used to display the contents of a text file page by page? (Select two.)

Select 2 answers
A.cat file.txt
B.head file.txt
C.more file.txt
D.less file.txt
E.tail file.txt
AnswersC, D

Allows paging forward.

Why this answer

Option C is correct because the `more` command displays the contents of a text file one screen at a time, pausing after each page and waiting for user input (e.g., pressing the spacebar) to continue. This makes it a classic pager utility for viewing files page by page.

Exam trap

The trap here is that candidates might confuse `cat` (which dumps all content) with a pager, or think `head` or `tail` can show the entire file page by page, but they only show a fixed number of lines from the beginning or end.

48
MCQhard

A systems administrator needs to add a new user 'jdoe' with a home directory in /export/home, a UID of 1500, and an expiry date of 2025-12-31. Which command should they use?

A.useradd -u 1500 -d /export/home/jdoe -e 2025-12-31 jdoe
B.useradd -u 1500 -d /export/home/jdoe -c 2025-12-31 jdoe
C.useradd -u 1500 -m -e 2025-12-31 jdoe
D.useradd -u 1500 -b /export/home -e 2025-12-31 jdoe
AnswerA

Correct: sets UID, home directory, and expiry.

Why this answer

Option A is correct because the `useradd` command with `-u 1500` sets the UID, `-d /export/home/jdoe` explicitly specifies the home directory path (without creating it unless `-m` is also used), and `-e 2025-12-31` sets the account expiry date in YYYY-MM-DD format. This matches all requirements: UID 1500, home directory at /export/home/jdoe, and expiry on 2025-12-31.

Exam trap

The trap here is confusing the `-c` (comment) option with `-e` (expiry) and assuming `-b` (base directory) works the same as `-d` (explicit home directory), leading candidates to pick options that set the wrong field or fail to place the home directory in the specified path.

How to eliminate wrong answers

Option B is wrong because `-c` is used to set the GECOS comment field (e.g., full name), not the expiry date; using `-c 2025-12-31` would incorrectly store the date as a comment. Option C is wrong because `-m` creates the home directory in the default base directory (usually /home), not in /export/home, and omits the explicit `-d` path, so the home directory would be /home/jdoe instead of /export/home/jdoe. Option D is wrong because `-b /export/home` sets the default base directory for new users, but without `-d` the home directory would be /export/home/jdoe only if the default naming convention is used; however, `-b` does not override the need for `-d` to explicitly set the path, and the command as written would still create /export/home/jdoe, but the option `-b` is intended for setting a system-wide default, not for specifying an individual user's home directory — the correct approach for a single user is `-d`.

49
MCQmedium

Refer to the exhibit. The nginx service failed to start. What is the most likely immediate next step to diagnose the issue?

A.Run journalctl -u nginx.service -x -n 50
B.Run apt-get install nginx
C.Run systemctl restart nginx
D.Run nginx -t to test configuration
AnswerD

Tests configuration syntax, often the cause of exit-code 1.

Why this answer

Option D is correct because `nginx -t` tests the configuration file syntax and validity before attempting to start the service. Since nginx failed to start, a configuration error is a common cause, and this command immediately identifies syntax errors or missing directives without restarting the service.

Exam trap

The trap here is that candidates often jump to checking logs (Option A) first, but the LFCS exam emphasizes that configuration validation is the fastest and most direct diagnostic step when a service fails to start, especially for nginx where syntax errors are common.

How to eliminate wrong answers

Option A is wrong because `journalctl -u nginx.service -x -n 50` shows recent logs for the nginx service, which is useful after a failure but is not the most immediate next step; the configuration test should come first to quickly pinpoint syntax errors. Option B is wrong because `apt-get install nginx` reinstalls the package, which is unnecessary and does not diagnose why the existing installation failed to start. Option C is wrong because `systemctl restart nginx` attempts to restart the service without checking the configuration, which could cause the same failure again or mask the underlying issue.

50
MCQeasy

Based on the exhibit, what is the average CPU idle percentage over the last 15 minutes?

A.65.0%
B.2.0
C.1.5
D.2.5
AnswerA

The %Cpu(s) line shows 65.0 id (idle).

Why this answer

The average CPU idle percentage over the last 15 minutes is calculated from the 'idle' value in the 'average' row of the 'mpstat' output. In the exhibit, the 'average' row shows an 'idle' value of 65.0, meaning the CPU was idle 65.0% of the time on average across all CPUs over the 15-minute interval. Therefore, the correct answer is 65.0%.

Exam trap

Linux Foundation often tests the ability to correctly identify the 'idle' column in the 'average' row of 'mpstat' output, as candidates may mistakenly pick a value from a per-CPU row or confuse 'idle' with other columns like 'sys' or 'iowait'.

How to eliminate wrong answers

Option B (2.0) is wrong because it likely confuses the 'idle' value with the 'sys' or 'usr' column, or misreads the output; the 'idle' value is 65.0, not 2.0. Option C (1.5) is wrong because it might represent the 'iowait' or 'soft' column average, which is not the idle percentage. Option D (2.5) is wrong because it could be a misinterpretation of the 'guest' or 'steal' column, or a miscalculation of the idle average; the correct idle average is 65.0.

51
MCQmedium

A user is unable to write to a file. The output of 'ls -l file' shows '-r--r--r--'. Which command will grant write permission to the owner?

A.chmod o+w file
B.chmod u+w file
C.chmod a+w file
D.chmod g+w file
AnswerB

Adds write permission for the owner.

Why this answer

The file's permissions are '-r--r--r--', meaning the owner has only read permission. The 'chmod u+w file' command adds write permission for the owner (u) because 'u' refers to the user/owner. This directly addresses the owner's lack of write access.

Exam trap

The trap here is that candidates often confuse 'u' (owner) with 'o' (others) or mistakenly use 'a' (all) when only owner write is needed, leading to incorrect or overly permissive commands.

How to eliminate wrong answers

Option A is wrong because 'o+w' adds write permission for 'others', not the owner, so the owner still cannot write. Option C is wrong because 'a+w' adds write permission for all categories (owner, group, others), which is overly permissive and not the minimal command to grant write access only to the owner. Option D is wrong because 'g+w' adds write permission for the group, not the owner, leaving the owner's permissions unchanged.

52
MCQmedium

A user is unable to execute a script in their home directory. The script has permissions -rw-r--r--. Which command will allow the user to execute the script?

A.chmod a-x script.sh
B.chmod u+x script.sh
C.chmod o+x script.sh
D.chmod 755 script.sh
AnswerB

Adds execute permission only for the owner, which is the user.

Why this answer

The script currently has permissions -rw-r--r--, meaning the owner (user) has read and write but not execute permission. The command `chmod u+x script.sh` adds execute permission for the user (owner), which is the minimal change needed to allow the user to run the script. This directly addresses the problem without granting unnecessary permissions to others.

Exam trap

The trap here is that candidates often confuse the 'user' (u) with 'others' (o) or think that removing execute (a-x) or setting 755 is the fix, but the question specifically requires the user to execute the script, so only adding execute for the owner (u+x) is correct.

How to eliminate wrong answers

Option A is wrong because `chmod a-x` removes execute permission for all users, which would make the script even less executable. Option C is wrong because `chmod o+x` adds execute permission only for others, not for the user who owns the script and needs to run it. Option D is wrong because `chmod 755` sets permissions to rwxr-xr-x, which does grant execute to the owner, but it also unnecessarily adds read and execute for group and others, violating the principle of least privilege and potentially introducing security risks.

53
MCQmedium

A developer reports that a compiled binary 'app' fails to execute with 'Permission denied' error when run from a mounted directory '/mnt/software'. The binary has execute permissions for all users. What is the most likely cause?

A.SELinux is blocking execution.
B.The binary is linked against missing libraries.
C.The filesystem is mounted with the 'noexec' option.
D.The binary is setuid but owned by a user other than root.
AnswerC

The 'noexec' mount option prevents execution of binaries.

Why this answer

Option C is correct because if the filesystem is mounted with the 'noexec' option, no binaries can be executed from it, even if they have execute permissions. Option A (setuid) would not cause 'Permission denied' but rather may require root ownership. Option B (SELinux) could cause denial but is more specific; noexec is a common misconfiguration.

Option D (missing libraries) results in 'cannot execute binary file' or 'error while loading shared libraries'.

54
MCQeasy

A user wants to find the location of the 'grep' binary. Which command should they use?

A.man grep
B.which grep
C.uname -a
D.grep -r 'grep' /usr/bin
AnswerB

Displays the full path of the grep command.

Why this answer

The 'which' command is specifically designed to locate the binary (executable) of a command by searching the directories listed in the user's PATH environment variable. Option B, 'which grep', will output the full path to the grep binary, such as '/usr/bin/grep', directly answering the user's request.

Exam trap

The trap here is that candidates may confuse documentation commands (man) or system information commands (uname) with binary location commands, or mistakenly think a recursive grep search is an efficient way to find a binary, when 'which' is the standard, straightforward tool for this task.

How to eliminate wrong answers

Option A is wrong because 'man grep' displays the manual page for grep, which provides documentation and usage information, not the filesystem location of the binary. Option C is wrong because 'uname -a' prints system information (kernel name, hostname, kernel release, etc.), which is unrelated to locating a command's binary. Option D is wrong because 'grep -r' performs a recursive text search for the string 'grep' within files under /usr/bin, which is inefficient, may return many irrelevant matches, and does not reliably identify the grep binary itself.

55
Multi-Selecthard

Which TWO commands can be used to create a new empty file?

Select 2 answers
A.touch file
B.mkdir file
C.cat file
D.> file
E.echo 'text' > file
AnswersA, D

Creates an empty file if it does not exist.

Why this answer

Option A is correct because the `touch` command is specifically designed to create an empty file if it does not already exist, or update its timestamps if it does. Option D is correct because using the shell redirection operator `>` with no command before it (or with a null command) creates an empty file by truncating any existing content or creating a new zero-byte file.

Exam trap

The trap here is that candidates may think `echo 'text' > file` creates an empty file because they focus on the redirection operator, but the echo command always writes at least a newline, so the file is not empty.

56
MCQeasy

A user needs to view the contents of a compressed log file /var/log/syslog.gz without first decompressing it. Which command should they use?

A.zcat /var/log/syslog.gz
B.gzip -d /var/log/syslog.gz
C.gunzip /var/log/syslog.gz
D.cat /var/log/syslog.gz
AnswerA

Correct: prints compressed file to stdout.

Why this answer

Option A is correct because `zcat` is specifically designed to read the contents of gzip-compressed files without permanently decompressing them. It decompresses the data on the fly and sends the output to stdout, allowing the user to view the log file's contents directly from the terminal.

Exam trap

The trap here is that candidates may confuse commands that permanently decompress files (like `gzip -d` or `gunzip`) with commands that only display the contents, leading them to choose an option that alters the file system state instead of just viewing the data.

How to eliminate wrong answers

Option B is wrong because `gzip -d` permanently decompresses the file, replacing `syslog.gz` with an uncompressed `syslog` file, which alters the original compressed archive. Option C is wrong because `gunzip` is equivalent to `gzip -d` and also permanently decompresses the file, removing the `.gz` version. Option D is wrong because `cat` reads raw binary data and will output garbled, unreadable content when applied to a gzip-compressed file, as it does not perform any decompression.

57
MCQmedium

Refer to the exhibit. A user attempts to read /etc/passwd and receives "Permission denied". What is the most likely reason?

A.The user is not in the root group.
B.The file has the immutable attribute set.
C.The user does not have read permission on the file.
D.The user does not have execute permission on the /etc directory.
AnswerD

Even with file read permission, the user must have execute permission on the directory to access the file.

Why this answer

To read a file, a user needs both read permission on the file itself and execute permission on every directory in the path leading to it. The /etc directory typically has permissions 755 (drwxr-xr-x), which grants execute permission to the owner and group but not to others. If the user is not the owner and not in the group, they lack execute (x) on /etc, which prevents them from traversing into the directory to access /etc/passwd, even if the file's permissions would otherwise allow reading.

Exam trap

The trap here is that candidates assume 'Permission denied' always means missing read permission on the file itself, but the LFCS exam tests the subtle requirement of directory execute permission for path traversal, especially on directories like /etc that are not world-executable.

How to eliminate wrong answers

Option A is wrong because being in the root group does not grant any special file access; group membership only matters if the file's group permissions allow access, and /etc/passwd is typically world-readable (644), so group membership is irrelevant. Option B is wrong because the immutable attribute (chattr +i) prevents modification or deletion of a file, not reading; a user can still read an immutable file if they have read permission. Option C is wrong because /etc/passwd typically has permissions 644 (rw-r--r--), meaning all users have read permission; the 'Permission denied' error in this context is not due to missing read permission on the file itself.

58
MCQeasy

To compress a file while preserving the original file, which command should be used?

A.gzip file.txt
B.gzip -d file.txt.gz
C.gzip -1 file.txt
D.gzip -k file.txt
AnswerD

The -k option keeps the original file after compression.

Why this answer

Option D is correct because the `-k` (or `--keep`) flag in `gzip` instructs the utility to compress the file while retaining the original uncompressed file. By default, `gzip` replaces the original file with a compressed version (appending `.gz`), so `-k` is the explicit option to preserve the source file.

Exam trap

Linux Foundation often tests the default behavior of `gzip` (which deletes the original) versus the `-k` flag, trapping candidates who assume compression always preserves the source file without an explicit option.

How to eliminate wrong answers

Option A is wrong because `gzip file.txt` compresses the file and, by default, deletes the original `file.txt`, leaving only `file.txt.gz`. Option B is wrong because `gzip -d file.txt.gz` decompresses the archive, which does not compress a file and also removes the `.gz` file unless `-k` is used. Option C is wrong because `gzip -1 file.txt` sets the compression level to fastest (level 1), but still removes the original file; the `-1` flag does not affect file preservation.

59
MCQeasy

Refer to the exhibit. The /var partition is 100% full. Which command can be used to find the largest files in /var/log to free up space?

A.ls -lS /var/log
B.find /var/log -size +100M
C.du -ah /var/log | sort -rh | head
D.df -h /var/log
AnswerC

du recursively calculates disk usage, sorts by size human-readable, and head shows the top entries.

Why this answer

Option C is correct because it uses `du -ah` to list all files and directories in /var/log with human-readable sizes, pipes the output to `sort -rh` to sort them in reverse numerical order (largest first), and then uses `head` to display only the top entries. This combination efficiently identifies the largest files consuming space, allowing the administrator to target specific files for cleanup.

Exam trap

The trap here is that candidates may choose `ls -lS` (option A) because it sorts by size, but they overlook that it does not recurse into subdirectories, making it ineffective for a directory tree like /var/log that typically contains multiple subdirectories.

How to eliminate wrong answers

Option A is wrong because `ls -lS /var/log` lists files sorted by size, but it does not recurse into subdirectories, so it will miss large files in subdirectories like /var/log/journal or /var/log/nginx. Option B is wrong because `find /var/log -size +100M` only finds files larger than 100 MB, but the /var partition could be full due to many smaller files accumulating to fill the space, and it does not sort or prioritize the largest files. Option D is wrong because `df -h /var/log` shows the disk usage of the /var/log filesystem (or partition), not the sizes of individual files, so it cannot identify which files to delete.

60
MCQhard

A system administrator configures a new server with multiple disks. After partitioning and formatting, they mount a partition to /data. Several days later, they notice that the /data filesystem is full, but 'du -sh /data' reports only 2 GB used, while the partition is 100 GB. 'df -h' shows /data is 98% full. What is the most likely cause and the correct action?

A.The filesystem is fragmented. Run 'e4defrag' to defragment.
B.The filesystem has reserved blocks for root. Reduce the reserved percentage with 'tune2fs -m 0'.
C.The 'du' command is not counting hidden files (dot files). Use 'du -sh .*' to include them.
D.There are deleted files still held open by processes. Use 'lsof /data' to find and restart those processes.
AnswerD

Deleted open files consume space but are not counted by 'du'; 'lsof' can find them.

Why this answer

Option D is correct because when a file is deleted but still held open by a running process, the filesystem does not release the disk blocks until the process closes the file descriptor. This causes 'df' to report the space as used, while 'du' cannot see the deleted file's data, leading to the discrepancy. Using 'lsof /data' identifies the processes holding the deleted files, and restarting them frees the space.

Exam trap

The trap here is that candidates often confuse the 'du' vs 'df' discrepancy with hidden files or reserved blocks, but the key clue is that 'du' shows far less usage than 'df', which points to unlinked but still-open files.

How to eliminate wrong answers

Option A is wrong because filesystem fragmentation does not cause a discrepancy between 'du' and 'df'; fragmentation affects performance, not space accounting. Option B is wrong because reserved blocks for root (default 5% on ext4) are counted as used by 'df' but are not the cause of a 98% full partition when only 2 GB is used; reducing the reserved percentage would free space but does not explain the discrepancy. Option C is wrong because 'du -sh /data' already counts all files including hidden files (dot files) by default; the '-sh' option sums the total size, and hidden files are included in that total.

61
MCQmedium

A system administrator needs to list all files in the current directory, including hidden files, in a long listing format sorted by modification time (oldest first). Which command achieves this?

A.ls -lihrt
B.ls -lart
C.ls -lat
D.ls -lrt
AnswerB

Correct: long, all, reverse, time.

Why this answer

Option B is correct because `ls -lart` combines the `-l` (long listing), `-a` (include hidden files starting with dot), `-r` (reverse order), and `-t` (sort by modification time, newest first). The reverse flag flips the sort to oldest first, meeting the requirement exactly.

Exam trap

The trap here is that candidates often remember `-lt` for time-sorted listing but forget that `-a` is required to include hidden files, or they confuse the order and omit `-r` to reverse to oldest first.

How to eliminate wrong answers

Option A is wrong because `ls -lihrt` includes `-i` (inode number) and `-h` (human-readable sizes), which are not requested, and while it sorts by time and reverses, it lacks `-a` so hidden files are omitted. Option C is wrong because `ls -lat` sorts by modification time but newest first, not oldest first, as the `-r` flag is missing. Option D is wrong because `ls -lrt` sorts by time and reverses to oldest first, but it lacks `-a`, so hidden files are not listed.

62
MCQeasy

A user needs to view the contents of a large text file one screen at a time. Which command is best for this?

A.nl file.txt
B.more file.txt
C.cat file.txt
D.less file.txt
AnswerD

less is a full-featured pager that allows scrolling up and down.

Why this answer

Option D is correct because `less` is a terminal pager that allows forward and backward navigation through a file, making it ideal for viewing large text files one screen at a time. Unlike `more`, `less` supports scrolling both up and down, and it does not load the entire file into memory, which is efficient for large files.

Exam trap

The trap here is that candidates often confuse `more` and `less` because both display content one screen at a time, but `less` is the more powerful and recommended tool for interactive viewing, and the LFCS exam expects you to know that `less` is the best choice for this task.

How to eliminate wrong answers

Option A is wrong because `nl` numbers lines and outputs the entire file to stdout without pausing, so it is not suitable for viewing one screen at a time. Option B is wrong because while `more` does display content one screen at a time, it only allows forward navigation (space bar) and cannot scroll backward, making it less flexible than `less` for interactive viewing. Option C is wrong because `cat` concatenates and outputs the entire file to stdout at once, which will flood the terminal and is not designed for paging.

63
Multi-Selecthard

Which THREE commands can change the priority of an already running process?

Select 3 answers
A.kill -STOP
B.top (press 'r')
C.chrt
D.nice
E.renice
AnswersB, C, E

top's interactive 'r' command allows changing the nice value of a running process.

Why this answer

Option B is correct because the `top` interactive command allows you to change the priority (nice value) of a running process by pressing 'r' and entering the PID and new nice value. This directly modifies the process's scheduling priority without restarting it.

Exam trap

The trap here is that candidates often confuse `nice` (which only sets priority for new processes) with `renice` (which modifies running processes), or mistakenly think `kill -STOP` changes priority when it actually halts the process.

64
MCQmedium

What is the purpose of the chmod 755 command in this exhibit?

A.Add execute permission for the owner only
B.Remove write permission for others
C.Set the setuid bit
D.Set permissions to rwxr-xr-x
AnswerD

755 corresponds to rwxr-xr-x.

Why this answer

The chmod 755 command sets the file permissions to rwxr-xr-x, meaning the owner has read, write, and execute permissions (7), while the group and others have read and execute permissions (5). This is a common permission set for executable scripts and directories to allow execution without granting write access to non-owners.

Exam trap

The trap here is that candidates often confuse the octal value 755 with adding execute only for the owner (option A) or think it removes write for others (option B), when in fact 755 sets a specific permission mask that includes execute for all and write only for the owner.

How to eliminate wrong answers

Option A is wrong because chmod 755 adds execute permission for the owner, group, and others, not just the owner. Option B is wrong because chmod 755 does not remove write permission for others; it sets the others permission to r-x (read and execute), which already excludes write, but the command is not specifically removing write—it is setting the entire permission triad. Option C is wrong because the setuid bit is set using chmod 4xxx (e.g., chmod 4755), not chmod 755, which uses the octal value 0 for the setuid/setgid/sticky bits.

65
MCQhard

A system administrator runs 'grep -r 'error' /var/log' and gets many false positives. They want to search only for the exact word 'error' as a whole word, case-insensitively, and display line numbers. Which command should they use?

A.grep -rwi 'error' /var/log
B.grep -rin 'error' /var/log
C.grep -rwn 'error' /var/log
D.grep -rwin 'error' /var/log
AnswerD

Correct: recursive, whole word, case-insensitive, line numbers.

Why this answer

Option D is correct because it combines all required flags: `-r` for recursive search, `-w` for whole-word matching (using word boundaries), `-i` for case-insensitive search, and `-n` for displaying line numbers. The `-w` flag ensures that only the exact word 'error' is matched, not substrings like 'error404' or 'error-prone', which eliminates false positives.

Exam trap

The trap here is that candidates often forget the `-w` flag is needed for whole-word matching, assuming `-i` alone is sufficient, or they confuse the order of flags and omit one of the required options.

How to eliminate wrong answers

Option A is wrong because it lacks the `-n` flag, so line numbers are not displayed. Option B is wrong because it uses `-i` and `-n` but omits `-w`, so it will match substrings (e.g., 'error404') and produce false positives. Option C is wrong because it uses `-w` and `-n` but omits `-i`, so it will not match uppercase variants like 'Error' or 'ERROR'.

66
MCQhard

An administrator runs 'df -h' and notices that /dev/sda1 is 95% full. The administrator needs to identify the largest files in the filesystem. Which command sequence is most efficient?

A.find / -type f -size +100M
B.ls -lR / | sort -k5 -rn
C.find / -type f -exec du -sh {} \;
D.du -sh /* | sort -rh
AnswerD

Shows sizes of top-level directories sorted by size, efficient for identifying large directories.

Why this answer

Option D is correct because it efficiently identifies the largest directories and files at the top level of the filesystem using `du -sh /*` to summarize disk usage per top-level item, then pipes to `sort -rh` to sort by human-readable sizes in descending order. This avoids scanning every single file recursively, making it the fastest approach for a full filesystem.

Exam trap

Linux Foundation often tests the misconception that listing all files with `ls -lR` or scanning every file with `find` is efficient for disk usage analysis, when in reality summarizing with `du` on directories is far faster and more practical.

How to eliminate wrong answers

Option A is wrong because `find / -type f -size +100M` only finds files larger than 100 MB, missing smaller files that could collectively consume significant space, and it does not sort or summarize results. Option B is wrong because `ls -lR / | sort -k5 -rn` is extremely slow on a full filesystem, produces a massive unsorted list, and does not aggregate sizes per directory, making it impractical for identifying the largest space consumers. Option C is wrong because `find / -type f -exec du -sh {} \;` runs `du` on every single file individually, which is extremely slow and inefficient compared to using `du` on directories to get aggregated sizes.

67
Multi-Selectmedium

A system administrator needs to change the group ownership of a file to 'developers' and set the setgid bit on a directory. Which two commands accomplish these tasks? (Choose two.)

Select 2 answers
A.chmod g+s dir
B.chmod u+s dir
C.chown developers: file
D.chown :developers file
E.chmod g+s file
AnswersA, D

Sets the setgid bit on the directory.

Why this answer

Option A is correct because `chmod g+s dir` sets the setgid bit on a directory, causing new files created within it to inherit the directory's group ownership rather than the creator's primary group. This is a standard Linux permission mechanism for collaborative directories.

Exam trap

Linux Foundation often tests the distinction between setting the setgid bit on a directory versus a file, and the correct syntax for changing group ownership with `chown :group` versus `chown group:`.

68
MCQmedium

Refer to the exhibit. The file script.sh has permissions -rwxr-x--- and is owned by root with group 'developers'. A user named 'alice' is a member of the 'developers' group. Which command allows alice to execute the script without changing the file's group ownership?

A.usermod -aG developers alice
B.chmod o+x script.sh
C.chmod u+x script.sh
D.chown alice script.sh
AnswerA

Adding alice to the developers group gives her the group execute permission.

Why this answer

Option A is correct because the script's permissions (-rwxr-x---) grant execute permission to the owner (root) and the group (developers), but not to others. Alice is already a member of the developers group, so the command 'usermod -aG developers alice' would not change her group membership (it would simply re-add her). However, the question asks which command allows Alice to execute the script without changing the file's group ownership.

Since Alice is already in the developers group, she already has execute permission via the group. The command in A is redundant but does not change group ownership, and it is the only option that does not alter the file's group or permissions in a way that violates the constraint. The core reasoning is that Alice already has group execute permission, so no command is actually needed, but among the options, A is the only one that does not change the file's group ownership.

Exam trap

The trap here is that candidates assume Alice does not have group execute permission and choose options that change file permissions or ownership, missing that the question's constraint ('without changing the file's group ownership') is a red herring — the real issue is that Alice already has access, so the only 'correct' command among the options is the one that does nothing harmful, but Linux Foundation often tests whether you recognize that group membership already grants access and that modifying the file is unnecessary.

How to eliminate wrong answers

Option B is wrong because 'chmod o+x script.sh' adds execute permission for 'others', which changes the file's permissions (not group ownership) but violates the implicit requirement that the file's permissions remain unchanged (the question asks for a command that allows execution without changing group ownership, but B changes permissions, which is not prohibited, but it is unnecessary since Alice already has group execute). However, the more precise reason: B grants execute to all users not in the file's group, which is a security risk and does not leverage the existing group permission. Option C is wrong because 'chmod u+x script.sh' adds execute permission for the owner (root), which does not affect Alice's ability to execute the script (she is not the owner) and does not change group ownership, but it is irrelevant and does not grant Alice execute permission.

Option D is wrong because 'chown alice script.sh' changes the file's owner to Alice, which directly changes the file's ownership (not group ownership, but the question says 'without changing the file's group ownership' — this changes owner, not group, but it is still a change to ownership, and it would give Alice owner execute permission, but the question explicitly says 'without changing the file's group ownership', implying no ownership changes at all; also, changing owner requires root privileges and is not the intended solution).

69
Multi-Selecthard

Which TWO commands can be used to display the current working directory? (Choose exactly two.)

Select 2 answers
A.ls
B.echo $PWD
C.pwd
D.dirname
E.cd
AnswersB, C

Correct: prints the PWD variable.

Why this answer

Option B is correct because the shell stores the current working directory path in the environment variable `$PWD`, and `echo $PWD` prints its value. This is a reliable way to display the current directory, as the shell updates `PWD` automatically on every `cd` command.

Exam trap

The trap here is that candidates may confuse `ls` (which lists files) with displaying the current directory path, or think `dirname` or `cd` can show the current directory without additional arguments.

70
MCQhard

A security audit reveals that a sensitive file '/etc/shadow' has been modified. The file's permissions are set to 600 and owned by root. However, the audit logs show that a service account 'webapp' was able to read the file. The 'webapp' user is not in the root group. Which of the following is the most likely method the 'webapp' user used to read the file?

A.The file is a hard link to another file that is readable by 'webapp'.
B.The 'webapp' user exploited a SUID binary that reads the file.
C.The file has an Access Control List (ACL) granting read permission to 'webapp'.
D.The 'webapp' user used 'sudo' to read the file as root.
AnswerC

ACLs override base permissions and can grant access to specific users.

Why this answer

Option C is correct because an Access Control List (ACL) can grant specific permissions to a user or group beyond the traditional Unix permission model. Even though the file's mode is 600 (owner read/write only) and owned by root, a setfacl command could have added an ACL entry (e.g., 'u:webapp:r') that explicitly allows the 'webapp' user to read /etc/shadow. This is a common method to give a service account access to a sensitive file without changing its ownership or group membership.

Exam trap

The trap here is that candidates assume traditional Unix permissions (owner/group/other) are the only way to control access, overlooking that ACLs can grant specific users read permission even when the file's mode appears restrictive (e.g., 600).

How to eliminate wrong answers

Option A is wrong because a hard link shares the same inode and permissions as the original file; if /etc/shadow is mode 600 and owned by root, any hard link to it would also be mode 600 and owned by root, so 'webapp' could not read it via a hard link unless an ACL or other mechanism grants access. Option B is wrong because a SUID binary runs with the effective UID of the binary's owner (typically root), but the audit logs show 'webapp' read the file, not a SUID binary; the question asks how 'webapp' read the file, not how a binary accessed it on behalf of 'webapp'. Option D is wrong because using 'sudo' to read a file as root would require the 'webapp' user to have sudo privileges (e.g., an entry in /etc/sudoers), which is a separate configuration; the question does not indicate any sudo access, and the most likely method given the scenario is an ACL, not sudo.

71
MCQhard

A system administrator needs to replace all occurrences of 'oldhost' with 'newhost' in /etc/hosts, but only on lines that contain the string 'domain'. Which sed command accomplishes this?

A.sed -i '/domain/s/oldhost/newhost/g' /etc/hosts
B.sed 's/oldhost/newhost/g' /etc/hosts | grep domain
C.sed -i '/domain/s/oldhost/newhost/' /etc/hosts
D.sed -i '/domain/s/oldhost/newhost/g' /etc/hosts
E.sed -ne '/domain/s/oldhost/newhost/gp' /etc/hosts
AnswerA

This correctly restricts substitution to lines matching 'domain' and replaces all occurrences.

Why this answer

Option A is correct because it uses the `-i` flag for in-place editing, an address range `/domain/` to restrict the substitution to lines containing 'domain', and the `g` flag to replace all occurrences of 'oldhost' with 'newhost' on each matching line. This precisely meets the requirement to modify only the targeted lines in the file.

Exam trap

The trap here is that candidates often forget the `g` flag for global replacement, assuming `s` replaces all occurrences by default, or they omit the `-i` flag and think output redirection is sufficient for in-place editing.

How to eliminate wrong answers

Option B is wrong because it pipes the output to `grep domain`, which only displays matching lines but does not modify the file; the `-i` flag is missing, so changes are not saved. Option C is wrong because it lacks the `g` flag, so only the first occurrence of 'oldhost' on each matching line is replaced, not all occurrences. Option D is a duplicate of the correct answer (A) and is not wrong, but the question expects only one correct answer; however, since the options list A and D as identical, D is technically correct as well, but the exam likely expects A as the first correct choice.

Option E is wrong because the `-n` flag suppresses default output and `p` prints only the changed lines, but without `-i`, the file is not modified in-place.

72
MCQmedium

A developer wants to change the ownership of a directory and all its contents recursively to user 'appuser' and group 'appgroup'. Which command accomplishes this?

A.chown -R appuser:appgroup /app
B.chown -R appuser /app && chgrp appgroup /app
C.chgrp -R appgroup /app && chown appuser /app
D.chown -R appuser: /app && chgrp -R appgroup /app
AnswerA

Correct: recursive owner:group change.

Why this answer

Option A is correct because the `chown -R appuser:appgroup /app` command recursively changes both the user and group ownership of the `/app` directory and all its contents. The `-R` flag ensures recursion, and the colon-separated `user:group` syntax sets both ownership attributes in a single command.

Exam trap

The trap here is that candidates often forget the `-R` flag on the second command in compound solutions, or they mistakenly believe `chown user:` sets a specific group rather than the user's default group, leading them to choose options that only partially apply the ownership change.

How to eliminate wrong answers

Option B is wrong because `chown -R appuser /app` changes only the user ownership recursively, but `chgrp appgroup /app` without `-R` changes only the group ownership of the `/app` directory itself, not its contents. Option C is wrong because `chgrp -R appgroup /app` changes group ownership recursively, but `chown appuser /app` without `-R` changes only the user ownership of the top-level directory, leaving all contents with the original user. Option D is wrong because `chown -R appuser: /app` sets the group to the user's default group (not `appgroup`), and the subsequent `chgrp -R appgroup /app` would override that group, but the first command already incorrectly sets the group.

73
Multi-Selecteasy

A user wants to view the contents of a compressed file file.txt.gz without decompressing it permanently. Which two commands can be used? (Choose two.)

Select 2 answers
A.gunzip -c file.txt.gz
B.zcat file.txt.gz
C.gzip -l file.txt.gz
D.gzip -d file.txt.gz
E.gzip -k file.txt.gz
AnswersA, B

Outputs decompressed content to stdout, leaving the .gz file untouched.

Why this answer

Option A is correct because `gunzip -c` decompresses the file to standard output, allowing the user to view the contents without modifying the original compressed file. Option B is correct because `zcat` is equivalent to `gunzip -c` and reads the compressed file directly, outputting the decompressed data to the terminal without permanent decompression.

Exam trap

The trap here is that candidates confuse `gzip -d` (which permanently decompresses) with `gunzip -c` (which outputs to stdout), or mistakenly think `gzip -l` shows file contents instead of metadata.

74
MCQeasy

A user needs to see the contents of a gzip-compressed file 'data.txt.gz' without decompressing it. Which command is appropriate?

A.gunzip data.txt.gz
B.zcat data.txt.gz
C../data.txt.gz
D.gzcat data.txt.gz
AnswerB

Displays compressed file contents without decompressing.

Why this answer

The `zcat` command reads a gzip-compressed file and outputs its decompressed content to stdout without modifying the original file. This allows the user to view the contents of 'data.txt.gz' without permanently decompressing it.

Exam trap

The trap here is that candidates may confuse `zcat` with `gunzip` or assume `gzcat` is the correct command, but the LFCS exam expects knowledge of the standard `zcat` utility for viewing compressed files without decompression.

How to eliminate wrong answers

Option A is wrong because `gunzip` decompresses the file and replaces the .gz file with the uncompressed version, which does not meet the requirement to view contents without decompressing. Option C is wrong because attempting to execute a compressed file with `./data.txt.gz` will fail as it is not an executable binary and the shell cannot interpret the compressed data. Option D is wrong because `gzcat` is not a standard Linux command; while some systems may have it as an alias, the standard command on Linux is `zcat`.

75
MCQhard

An administrator needs to replace all occurrences of the string 'foo' with 'bar' in all files under /etc/config, but only in files ending with .conf. The replacement must be done in-place, and backup copies should be created with a .bak extension. Which command accomplishes this?

A.find /etc/config -name '*.conf' -exec sed -i .bak 's/foo/bar/g' {} +
B.find /etc/config -name '*.conf' -exec sed 's/foo/bar/g' {} \;
C.find /etc/config -name '*.conf' -exec sed -i.bak 's/foo/bar/g' {} +
D.find /etc/config -name '*.conf' -exec sed -i 's/foo/bar/g' {} +
AnswerC

-i.bak creates backup with .bak extension.

Why this answer

Option C is correct because it uses `sed -i.bak` which creates a backup file with the .bak extension before performing the in-place substitution, and the `find -exec ... +` variant efficiently processes multiple files at once. The `-i` option with an argument (no space) specifies the backup suffix directly, satisfying the requirement for backup copies.

Exam trap

The trap here is that candidates confuse the syntax `-i .bak` (with a space, which is incorrect) with `-i.bak` (no space, which is correct), or they forget that `-i` without a suffix does not create backups, leading them to choose options that either fail or omit the required backup step.

How to eliminate wrong answers

Option A is wrong because `-i .bak` (with a space) is interpreted as `-i` with an empty backup suffix and `.bak` as a separate argument, causing sed to fail or behave unexpectedly. Option B is wrong because it lacks the `-i` flag entirely, so changes are written to stdout instead of being saved in-place, and no backups are created. Option D is wrong because `-i` without a suffix does not create backup files, violating the requirement for .bak backups.

Page 1 of 2 · 99 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Essential Commands questions.