CCNA Running Systems Operations Questions

75 of 77 questions · Page 1/2 · Running Systems Operations topic · Answers revealed

1
MCQ · medium

An administrator wants to ensure that a service starts automatically after a system crash. Which systemd command should be used?

A. systemctl daemon-reload
B. systemctl enable service
C. systemctl mask service
D. systemctl start service
Answer: B

Enables the service to start automatically at boot.

Why this answer

The `systemctl enable service` command creates the necessary symlinks in the systemd unit configuration directories (e.g., `/etc/systemd/system/multi-user.target.wants/`) so that the service is automatically started at boot. This includes recovery after a system crash, because the crash triggers a reboot, and the enabled service will be started as part of the normal boot process.

Exam trap

The trap here is that candidates confuse `systemctl start` (immediate, one-time start) with `systemctl enable` (persistent boot-time start), leading them to choose option D, which does not survive a reboot or crash.

How to eliminate wrong answers

Option A is wrong because `systemctl daemon-reload` only reloads the systemd manager configuration and unit files, but does not change the enablement state of any service; it cannot ensure a service starts after a crash. Option C is wrong because `systemctl mask service` creates a strong symlink to `/dev/null`, which prevents the service from being started manually or automatically, even by dependencies or boot; this is the opposite of what is needed. Option D is wrong because `systemctl start service` only starts the service immediately in the current session; it does not create any boot-time or crash-recovery enablement, so the service will not start automatically after a reboot or crash.

2
Multi-Select · easy

Which TWO commands can be used to view logs for a specific systemd unit (e.g., sshd.service)?

Select 2 answers
A. tail -f /var/log/secure
B. systemctl status sshd.service
C. cat /var/log/messages | grep sshd
D. journalctl -u sshd.service
E. journalctl _SYSTEMD_UNIT=sshd.service
Answers: D, E

Standard way to view unit logs.

Why this answer

Both `journalctl -u sshd.service` and `journalctl _SYSTEMD_UNIT=sshd.service` are correct because `journalctl` is the native tool for querying the systemd journal, which stores logs for all systemd units. The `-u` flag filters by unit name, while `_SYSTEMD_UNIT=` is a journal field that directly matches the unit identifier, both providing the same filtered output for sshd.service.

Exam trap

The trap here is that candidates may think `systemctl status` is a log viewing command, but it only shows a brief snippet of recent logs and is not designed for comprehensive log retrieval, while `journalctl` is the correct tool for accessing the full journal.

3
MCQ · easy

A developer reports that a custom daemon fails to start after a reboot. The daemon's unit file is located in /etc/systemd/system/custom.service. Which of the following is the most likely cause?

A. The service was not started manually after installation.
B. The service is not enabled.
C. The SELinux policy blocks the service.
D. A firewall rule is blocking inbound connections.
Answer: B

A service must be enabled with systemctl enable to start at boot.

Why this answer

Option B is correct because if the service is not enabled, it will not start automatically at boot. Option A is incorrect because starting the service manually after boot works. Option C is incorrect as SELinux would cause a different error. Option D is incorrect because firewall rules do not prevent systemd from starting a service.

4
Multi-Select · medium

Which THREE of the following are valid options for the `lsblk` command to display more detailed information about block devices? (Select THREE.)

Select 3 answers
A. -c
B. -o
C. -f
D. -g
E. -m
Answers: B, C, E

Allows specifying output columns.

Why this answer

Option B (-o) is correct because it allows users to specify custom output columns, such as NAME, SIZE, TYPE, MOUNTPOINT, etc., enabling detailed and tailored information about block devices. Option C (-f) is correct as it displays filesystem information, including FSTYPE, LABEL, UUID, and MOUNTPOINT, which is essential for identifying filesystem details. Option E (-m) is correct because it shows ownership and permissions (owner, group, mode) for each block device, providing security-related details beyond the default output.

Exam trap

The trap here is that candidates often confuse lsblk options with those from similar commands like 'ls' or 'df', leading them to select -c (thinking of column output) or -g (thinking of gigabytes), when in fact lsblk uses different flags for those purposes.

5
Multi-Select · hard

Which TWO of the following are correct statements about systemd journald configuration?

Select 2 answers
A. The 'MaxRetentionSec' directive sets the maximum time to retain journal entries.
B. The 'RuntimeMaxUse' directive applies to the journal stored in /var/log/journal.
C. The 'SystemMaxUse' directive in journald.conf limits the maximum disk space used by the journal.
D. The 'Compress' directive is set to 'no' by default.
E. The 'ForwardToSyslog' directive is set to 'yes' by default.
Answers: A, C

MaxRetentionSec specifies the maximum time (in seconds) that journal entries are kept. Older entries are deleted.

Why this answer

Option A is correct because the 'MaxRetentionSec' directive in journald.conf specifies the maximum time (in seconds) that journal entries are retained before they are deleted. This is a time-based retention policy, distinct from size-based limits, and is used to automatically prune old log entries to manage disk usage.

Exam trap

The trap here is that candidates often confuse 'RuntimeMaxUse' with persistent storage limits, or assume 'ForwardToSyslog' is enabled by default because of legacy syslog integration, but systemd journald isolates logs by default.

6
Multi-Select · medium

Which THREE commands can display the current CPU utilization statistics on a Linux system?

Select 3 answers
A. free
B. top
C. sar -u
D. mpstat -P ALL
E. uptime
Answers: B, C, D

Displays CPU usage dynamically.

Why this answer

The `top` command (option B) provides a real-time, dynamic view of system processes, including CPU utilization statistics such as user, system, idle, and I/O wait percentages. It is a standard tool for monitoring current CPU performance on Linux systems.

Exam trap

The trap here is that candidates may confuse `free` or `uptime` with CPU monitoring tools, but `free` is strictly memory-focused and `uptime` only shows load averages, not actual CPU utilization percentages.

7
MCQ · hard

An e-commerce company runs a critical application on a Linux server that occasionally becomes unresponsive. The server has 64GB RAM and runs a Java application. The operations team notices that during peak hours, the system becomes very slow and eventually the application crashes with 'OutOfMemoryError'. After restart, it works fine for a while. They suspect a memory leak but also want to ensure the system does not go down during peak hours. The system uses systemd to manage the Java service. The administrator needs to implement a solution that: (1) automatically restarts the service if it becomes unresponsive, (2) limits the memory usage of the service to prevent OOM kills on the system, and (3) provides early warning of high memory usage. Which of the following approaches best meets these requirements?

A. Set up a cron job to run every minute that checks memory usage with free and if > 90%, restart the service with systemctl restart. Also configure MemoryMax=32G in the systemd unit.
B. Configure sysctl vm.overcommit_memory=2 to prevent overcommit, and allocate huge pages for Java. Also set Restart=always in the systemd unit.
C. Use ulimit -v 33554432 in the service script to limit virtual memory, and set Restart=always. Also configure a cron job to send alerts when dmesg shows OOM.
D. Configure systemd service with WatchdogSec=30, Restart=on-failure, MemoryMax=32G. Also set up a log watcher that alerts when memory usage exceeds 28G via journalctl and a custom script.
Answer: D

Watchdog ensures restart if unresponsive, MemoryMax limits memory, log watcher provides early warning.

Why this answer

Option D is correct because it uses systemd's WatchdogSec to detect unresponsiveness and Restart=on-failure to automatically restart the service, while MemoryMax=32G enforces a hard memory limit via cgroups to prevent OOM kills. The custom log watcher provides early warning by alerting when memory usage exceeds 28G, satisfying all three requirements.

Exam trap

The trap here is that candidates often confuse ulimit or sysctl settings with cgroup-based memory limits, or assume cron-based polling is sufficient for unresponsiveness detection, overlooking systemd's built-in WatchdogSec mechanism.

How to eliminate wrong answers

Option A is wrong because using a cron job to check memory usage every minute is inefficient and may miss transient spikes, and MemoryMax=32G alone does not provide early warning. Option B is wrong because sysctl vm.overcommit_memory=2 and huge pages do not limit memory usage or provide automatic restart on unresponsiveness; Restart=always only restarts on exit, not on hang. Option C is wrong because ulimit -v limits virtual memory but does not prevent the Java process from exhausting physical memory and causing system-wide OOM; it also lacks early warning and WatchdogSec for unresponsiveness detection.

8
MCQ · easy

A service is using a port that conflicts with another application. Which command can be used to identify which process is listening on a specific TCP port?

A. ss -tulpn | grep :port
B. All of the above
C. lsof -i :port
D. netstat -tulpn | grep :port
Answer: B

All listed commands can show listening processes.

Why this answer

Option B is correct because all three commands—ss, lsof, and netstat—can be used to identify which process is listening on a specific TCP port. The ss command is the modern replacement for netstat and uses kernel netlink to display socket information, while lsof lists open files including network sockets, and netstat reads /proc/net files. Each command with the appropriate flags (ss -tulpn, lsof -i :port, netstat -tulpn) will show the PID and process name associated with a listening port, making 'All of the above' the accurate answer.

Exam trap

The trap here is that candidates often assume only one command (like netstat or ss) is correct, but the LFCS exam expects you to recognize that multiple tools can achieve the same result, and 'All of the above' is the comprehensive answer when all options are technically valid.

How to eliminate wrong answers

Option A is wrong because it is presented as a single correct answer, but it is not the only command that can identify the process; ss is valid, but the question asks for 'which command' and the correct answer is that all listed options work. Option C is wrong because lsof -i :port is a valid command for this task, so claiming it is incorrect would be a mistake; the trap is that candidates might think lsof is not suitable, but it is. Option D is wrong because netstat -tulpn | grep :port is also a valid command, though deprecated in some distributions; excluding it would be incorrect as it still functions on most systems.

9
MCQ · hard

Based on the journalctl output, what is the most likely cause of the service failure?

A. Another process is already using port 8080.
B. The service configuration file has a syntax error.
C. The system is out of memory.
D. The service is trying to write to a read-only filesystem.
Answer: A

The repeated 'Address already in use' errors clearly indicate a port conflict.

Why this answer

The journalctl output shows a bind error on port 8080 with 'Address already in use'. This indicates that another process is already listening on that port, preventing the service from starting. In systemd, such a failure is logged with the specific errno EADDRINUSE, which directly points to a port conflict.

Exam trap

The trap here is that candidates may confuse a bind error with a configuration syntax error, but the specific 'Address already in use' message uniquely identifies a port conflict, not a parsing issue.

How to eliminate wrong answers

Option B is wrong because a syntax error in the service configuration file would typically produce a parse error or 'Failed to parse' message in journalctl, not a bind error. Option C is wrong because an out-of-memory condition would manifest as an OOM killer event or memory allocation failure, not a specific port bind error. Option D is wrong because a read-only filesystem would produce a 'Read-only file system' error (EROFS) when attempting to write, not an 'Address already in use' error.

10
MCQ · medium

During boot, the system drops into a shell with message 'ERROR: No suitable file system found'. Filesystem corruption is suspected. Which sequence of actions should the admin take to attempt recovery?

A. Run xfs_repair -n /dev/sda.
B. Determine the root device, then run 'fsck -y /dev/sda1'.
C. Run e2fsck /dev/sda1 from the emergency shell.
D. Mount the root filesystem manually, then run fsck.
Answer: B

Fsck is filesystem-agnostic and with -y repairs automatically.

Why this answer

When the system drops into an emergency shell with 'ERROR: No suitable file system found', the admin must first identify the root device (e.g., using `blkid` or `lsblk`) and then run `fsck -y /dev/sda1` to attempt automatic repair of the corrupted filesystem. The `-y` flag answers 'yes' to all prompts, which is appropriate in a recovery scenario where the goal is to get the system bootable. This approach is filesystem-agnostic and works for common Linux filesystems like ext4, XFS, or btrfs, though specific tools (e.g., `xfs_repair` for XFS) may be needed if `fsck` is not suitable.

Exam trap

The trap here is that candidates assume the filesystem is ext4 and jump to `e2fsck` (option C), or they try to mount first (option D), not realizing that `fsck` is the generic, safe first step and that the emergency shell requires identifying the root device before any repair command.

How to eliminate wrong answers

Option A is wrong because `xfs_repair -n` only performs a dry-run (no actual repair) and is specific to XFS filesystems; the error message does not specify the filesystem type, so a generic `fsck` is safer. Option C is wrong because `e2fsck` is specific to ext2/ext3/ext4 filesystems and may fail or cause damage if the root device is not ext-family; also, the emergency shell may not have the `e2fsck` command available. Option D is wrong because attempting to mount a corrupted filesystem before running `fsck` can cause further damage or hang the system; `fsck` must be run on the unmounted device.

11
MCQ · hard

Based on the exhibit, what is the most likely cause of the blocked task?

A. CPU starvation
B. Memory leak
C. Disk I/O bottleneck or hung storage
D. Network congestion
Answer: C

The task is blocked on I/O, typical of a slow or failing disk.

Why this answer

The exhibit shows a process in 'D' state (uninterruptible sleep), which typically indicates the process is waiting for I/O completion from a block device. When a task is blocked in this state for an extended period, it is most likely due to a disk I/O bottleneck or hung storage, as the kernel cannot interrupt this wait. CPU starvation (run queue) and memory leaks (OOM or swapping) produce different process states, making disk I/O the primary suspect.

Exam trap

The trap here is that candidates confuse a process in 'D' state (uninterruptible sleep, I/O wait) with a process that is simply sleeping or waiting on CPU, leading them to incorrectly choose CPU starvation or memory issues instead of recognizing the classic symptom of a disk I/O bottleneck.

How to eliminate wrong answers

Option A is wrong because CPU starvation manifests as processes in 'R' state (runnable) or high load averages with low CPU idle, not as a task stuck in uninterruptible sleep ('D' state). Option B is wrong because a memory leak typically leads to high memory usage, swapping, or OOM killer activity, which would show processes in 'S' (interruptible sleep) or 'R' state, not a blocked 'D' state. Option D is wrong because network congestion causes socket waits and timeouts, reflected in 'S' state or network-related kernel threads, not a task blocked on block I/O in 'D' state.

12
MCQ · easy

A junior admin runs 'systemctl restart httpd' but the httpd service fails to start. Which command should the admin use first to diagnose the problem?

A. journalctl -u httpd
B. systemctl show httpd
C. systemctl list-units --type=service
D. systemctl status httpd
Answer: D

Provides service status, recent logs, and error info directly.

Why this answer

Option D is correct because `systemctl status httpd` provides a concise summary of the service's current state, including whether it is active, the last log entries, and the exit code or failure reason. This is the first diagnostic step recommended by systemd documentation to quickly identify common issues like configuration errors, missing dependencies, or permission problems.

Exam trap

The trap here is that candidates often jump to `journalctl -u httpd` thinking they need the full log, but the LFCS exam expects `systemctl status` as the first diagnostic command because it provides a quick, human-readable summary of the failure reason.

How to eliminate wrong answers

Option A is wrong because `journalctl -u httpd` shows the full journal log for the httpd unit, which is useful for deeper investigation but is not the first command to run; it can be overwhelming and may require filtering. Option B is wrong because `systemctl show httpd` displays all unit properties (e.g., environment, resource limits) but does not directly indicate why the service failed to start. Option C is wrong because `systemctl list-units --type=service` lists all loaded service units and their states, but it does not provide specific failure details for httpd.

13
MCQ · medium

A system administrator notices that a web server process (PID 1234) is consuming excessive CPU. They want to trace its system calls to identify the cause. Which command should be used?

A. ltrace -p 1234
B. perf record -p 1234
C. gdb -p 1234
D. strace -p 1234
Answer: D

Attaches and traces system calls, ideal for this scenario.

Why this answer

The correct command is `strace -p 1234`, which attaches to the running process (PID 1234) and intercepts all system calls (e.g., read, write, open) made by that process. This allows the administrator to see exactly what the web server is doing at the kernel level, such as excessive file I/O or network operations, which can pinpoint the cause of high CPU usage. Other tools like ltrace, perf, or gdb serve different purposes (library calls, profiling, debugging) and do not directly trace system calls.

Exam trap

The trap here is that candidates confuse `strace` (system calls) with `ltrace` (library calls), as both trace function calls but at different layers of the software stack, leading them to pick the wrong tool for kernel-level analysis.

How to eliminate wrong answers

Option A is wrong because `ltrace -p 1234` traces library calls (e.g., functions from libc), not system calls; it would show calls like `malloc` or `printf` but miss kernel-level operations like `read` or `write`. Option B is wrong because `perf record -p 1234` is a performance profiling tool that samples hardware events (e.g., CPU cycles, cache misses) and does not trace individual system calls; it provides statistical analysis, not a per-call log. Option C is wrong because `gdb -p 1234` is a debugger that allows interactive inspection of the process's memory and execution, but it is not designed for tracing system calls and would require manual breakpoints and significant overhead.

14
Drag & Drop · medium

Order the steps to recover a forgotten root password on a Linux system using single-user mode.


Why this order

Single-user mode gives root shell; remounting rw allows password change.

15
MCQ · medium

Refer to the exhibit. How many days of logs are retained before deletion?

A. 7
B. 365
C. 30
D. 14
Answer: D

Correct: rotate 14 with daily cycle = 14 days.

Why this answer

The correct answer is D (14 days) because the exhibit shows a log rotation configuration using `logrotate` with a `rotate 14` directive, which retains 14 rotated log files before deletion. The `daily` or `weekly` frequency determines how often rotation occurs, but the `rotate` count directly specifies the number of archived logs kept, not the total time span.

Exam trap

The trap here is that candidates may misinterpret the `rotate` value as the number of days of retention, but it actually specifies the number of rotated archives to keep, and the actual time span depends on the rotation frequency (e.g., daily, weekly).

How to eliminate wrong answers

Option A is wrong because 7 days would correspond to a `rotate 7` directive, which is not present in the exhibit. Option B is wrong because 365 days is an arbitrary large number that does not match any standard logrotate retention setting; it might be confused with yearly rotation but is not indicated. Option C is wrong because 30 days is a common retention period for some logs, but the exhibit explicitly shows `rotate 14`, which means 14 rotated files are kept, not 30.

16
MCQ · hard

You are a systems administrator for a company that runs a high-traffic web application on a Linux server with 32 GB of RAM and 8 CPU cores. The application uses Apache with mod_php and MySQL. Recently, the server has been experiencing intermittent slowdowns, especially during peak hours. Monitoring tools show that the CPU usage spikes to 100% for several minutes and then returns to normal. The 'top' command shows that the 'mysqld' process is often the top CPU consumer during these spikes. You notice that the MySQL slow query log contains many entries with long execution times. The database is heavily used by the web application for read-heavy workloads. After analyzing the situation, you suspect that the issue is related to MySQL configuration. Which of the following actions is most likely to resolve the performance issue?

A. Increase the maximum number of connections (max_connections) to 500.
B. Enable the MySQL slow query log and analyze the queries.
C. Increase the MySQL query cache size (query_cache_size) to 256 MB.
D. Increase the InnoDB buffer pool size to 20 GB.
Answer: C

The query cache stores results of SELECT queries, so repeated queries can be served from cache, reducing CPU usage and avoiding execution of the same queries.

Why this answer

Option C is correct because increasing the query cache size can significantly improve performance for read-heavy workloads with repeated identical queries, as it caches the result set of SELECT queries. The symptoms—CPU spikes from mysqld, many slow queries, and a read-heavy workload—indicate that the query cache is likely too small or disabled, causing MySQL to repeatedly execute expensive queries instead of serving cached results. A larger query cache reduces disk I/O and CPU usage for repeated queries, directly addressing the intermittent slowdowns.

Exam trap

The trap here is that candidates often assume increasing the InnoDB buffer pool size (option D) is always the best fix for MySQL performance, but the question's specific context of read-heavy workloads with repeated queries and CPU spikes makes query cache tuning more directly impactful, while a too-large buffer pool can cause memory pressure.

How to eliminate wrong answers

Option A is wrong because increasing max_connections to 500 would allow more concurrent connections, but the server has only 32 GB RAM and 8 CPU cores; too many connections can lead to context switching overhead and memory exhaustion, worsening the CPU spikes. Option B is wrong because the slow query log is already enabled and contains many entries; analyzing it further would only confirm the problem without providing a direct fix. Option D is wrong because increasing the InnoDB buffer pool size to 20 GB (over half of 32 GB RAM) could starve the OS and Apache of memory, causing swapping and further slowdowns; while a larger buffer pool helps with data caching, the read-heavy workload with repeated queries benefits more from query caching.

17
Matching · medium

Match each file system type to its typical use case.


General-purpose Linux file system

High-performance for large files

Copy-on-write with snapshots

Virtual memory paging

Temporary file system in RAM

Why these pairings

Common file systems used in Linux environments.

18
MCQ · easy

To display the current runlevel on a system using SysV init, which command should be used?

A. who -r
B. runlevel
C. systemctl get-default
D. init 3
Answer: B

'runlevel' is the correct command for SysV init.

Why this answer

The `runlevel` command is the standard tool for displaying the current runlevel on a system using SysV init. It outputs the previous and current runlevels, with 'N' indicating no previous runlevel. This command directly queries the SysV init process (PID 1) to retrieve the runlevel state.

Exam trap

The trap here is that candidates may confuse `who -r` (which also shows runlevel) with the more direct `runlevel` command, or mistakenly think `systemctl get-default` applies to SysV init systems, when it is specific to systemd.

How to eliminate wrong answers

Option A is wrong because `who -r` displays the current runlevel and process history on systems using SysV init, but it is not the primary or most direct command; the question specifically asks for the command that should be used, and `runlevel` is the canonical choice. Option C is wrong because `systemctl get-default` is used on systems with systemd to show the default target (e.g., multi-user.target), not the current runlevel, and it does not apply to SysV init. Option D is wrong because `init 3` changes the runlevel to 3, not displays the current runlevel; it is a command to switch runlevels, not query the current state.

19
MCQ · hard

A system with systemd experiences a service that fails to start due to a 'Failed to start' error with status 203/EXEC. What is the most likely cause?

A. The system has run out of memory
B. The service unit file has a missing or incorrect ExecStart command
C. The service is already running
D. The service requires a dependency that hasn't started
Answer: B

EXEC means the executable could not be found or executed.

Why this answer

Status 203/EXEC in systemd indicates that the service manager failed to execute the command specified in the service unit file. The most common cause is a missing or incorrect ExecStart directive, such as a typo in the binary path, a missing executable, or incorrect syntax. This error is specific to execution failures, not resource or dependency issues.

Exam trap

The trap here is that candidates confuse status 203/EXEC with a generic 'service failed to start' and incorrectly attribute it to dependencies or resource exhaustion, rather than recognizing it as a specific indicator of an exec() failure in the ExecStart directive.

How to eliminate wrong answers

Option A is wrong because out-of-memory conditions typically cause OOM kills (status 137/SIGKILL) or systemd service cgroup memory limit violations, not status 203/EXEC. Option C is wrong because if the service is already running, systemd would report a 'start-limit-hit' or 'already running' error, not an EXEC failure. Option D is wrong because dependency failures result in status 203/EXEC only if the dependency itself causes the ExecStart to fail; normally, unmet dependencies produce 'dependency failed' or 'timeout' errors, not an EXEC code.

20
MCQ · hard

An administrator notices that the system clock is drifting significantly. To synchronize time using NTP, which command should be used to immediately sync with a server?

A. ntpdate -u pool.ntp.org
B. chronyd -q
C. ntpd -g
D. timedatectl set-ntp true
Answer: B

Correct for immediate sync with chrony.

Why this answer

Option B is correct because `chronyd -q` sends a single NTP query to synchronize the system clock immediately and then exits, which is ideal for one-shot synchronization. This command is part of the `chrony` suite, the default NTP implementation on modern RHEL/CentOS 8+ and Ubuntu 18.04+ systems, and it respects the NTP protocol (RFC 5905) for accurate time adjustment.

Exam trap

The trap here is that candidates confuse `chronyd -q` (one-shot sync) with `chronyd` without options (which starts the daemon), or they mistakenly think `ntpdate` is still the standard command for immediate synchronization, ignoring its deprecation and the shift to `chrony` in modern distributions.

How to eliminate wrong answers

Option A is wrong because `ntpdate` is deprecated and often not installed by default on modern distributions; it uses the older NTPv3 protocol and lacks the security and accuracy features of `chrony`. Option C is wrong because `ntpd -g` starts the full NTP daemon in continuous synchronization mode, not a one-shot sync, and the `-g` flag only allows a large initial time jump, but the daemon continues running and does not exit after syncing. Option D is wrong because `timedatectl set-ntp true` enables the NTP service (usually `chronyd` or `ntpd`) to run continuously, but it does not trigger an immediate synchronization; it only activates the service for ongoing adjustments.

21
Multi-Select · medium

A Linux administrator is troubleshooting a service that is running as the 'nobody' user but keeps failing because it cannot write to its log file. The log file is located at /var/log/app.log. Which TWO of the following methods will allow the service to write to the log file while maintaining security best practices?

Select 2 answers
A. Delete /var/log/app.log and restart the service.
B. Add an ACL entry for user nobody with write permission using setfacl.
C. Change the group of /var/log/app.log to nogroup and set group write permission.
D. Change the permissions of /var/log/app.log to 777.
E. Change the owner of /var/log/app.log to nobody using chown.
Answers: B, E

ACLs allow fine-grained permission assignment to a specific user without changing ownership.

Why this answer

Option B is correct because using setfacl to add an ACL entry for the 'nobody' user grants write permission without altering the file's ownership or group, preserving the principle of least privilege. ACLs provide fine-grained access control beyond traditional Unix permissions, allowing the service to write while other users and processes retain their existing access restrictions.

Exam trap

Linux Foundation often tests the distinction between ACL-based solutions and traditional permission changes, trapping candidates who overlook that 'nobody' is not a member of 'nogroup' or that 777 is insecure. Both B and E are correct: E is also valid because changing ownership directly grants the user write access without affecting other permissions.

22
MCQ · easy

A system administrator wants to view the last 10 lines of the system log file '/var/log/syslog' and continue to watch for new lines as they are appended. Which command should be used?

A. tail -n 10 /var/log/syslog
B. less /var/log/syslog
C. tail -n 10 -f /var/log/syslog
D. head -n 10 /var/log/syslog
Answer: C

Shows last 10 lines and follows new entries.

Why this answer

Option C is correct because the `tail -n 10 -f /var/log/syslog` command first displays the last 10 lines of the file and then uses the `-f` (follow) flag to continuously monitor the file for new appended lines, outputting them in real time. This matches the requirement to both view the last 10 lines and watch for new entries.

Exam trap

The trap here is that candidates often confuse `tail -n 10` (static view) with `tail -f` (follow mode), or mistakenly think `less` with its Shift+F feature is the default answer, but the question explicitly requires a single command that both shows the last 10 lines and continuously watches for new lines.

How to eliminate wrong answers

Option A is wrong because `tail -n 10 /var/log/syslog` only shows the last 10 lines and then exits, without continuing to watch for new lines. Option B is wrong because `less /var/log/syslog` opens the file for interactive paging but does not automatically show only the last 10 lines or follow new appends without manual intervention (e.g., pressing Shift+F). Option D is wrong because `head -n 10 /var/log/syslog` shows the first 10 lines of the file, not the last 10, and does not follow new lines.

23
MCQhard

A production web server is experiencing intermittent high load. The administrator suspects that a specific Apache module is causing memory leaks. Which approach is most effective for isolating the issue without restarting the server?

A.Check the Apache error log for memory-related errors.
B.Disable all modules in httpd.conf and reload the configuration.
C.Use top to monitor the memory usage of httpd processes over time.
D.Use strace -p <PID> on the Apache process and analyze system calls for memory allocation patterns.
AnswerD

Strace can trace memory allocation syscalls like malloc, mmap.

Why this answer

D is correct because strace attaches to a running Apache process and traces its system calls, including memory-related calls like mmap, brk, and malloc. By analyzing these calls over time, the administrator can identify abnormal memory allocation patterns indicative of a leak in a specific module, all without restarting the server.

Exam trap

The trap here is that candidates assume top or error logs can diagnose memory leaks, but they lack the per-process system call visibility needed to isolate a module-level issue without restarting.

How to eliminate wrong answers

Option A is wrong because Apache error logs typically record runtime errors (e.g., segfaults, configuration issues) but do not capture granular memory allocation patterns or module-level memory leaks. Option B is wrong because disabling all modules and reloading the configuration would restart the server's child processes, disrupting service and preventing observation of the leak under real load. Option C is wrong because top shows aggregate memory usage of httpd processes but cannot attribute memory growth to a specific module or distinguish between normal allocation and a leak.

24
MCQmedium

A process is stuck in an uninterruptible sleep (D state) and cannot be killed. What is the most likely cause?

A.The process has been stopped by a signal
B.The process is waiting for a network response
C.The process is waiting for I/O from a failing disk
D.The process is waiting for CPU
AnswerC

D state is uninterruptible sleep, usually due to I/O.

Why this answer

Option C is correct because a process in uninterruptible sleep (D state) is typically waiting for I/O from a block device, such as a disk. When a disk is failing or unresponsive, the kernel cannot complete the I/O request, and the process cannot be killed because doing so would risk data corruption or filesystem inconsistency. This state is a kernel-level wait that ignores signals, including SIGKILL.

Exam trap

Linux Foundation often tests the misconception that any 'stuck' process is due to network issues, but the D state specifically indicates block I/O, not network I/O, which uses interruptible sleep (S state).

How to eliminate wrong answers

Option A is wrong because a process stopped by a signal enters a T state (stopped), not D state; such processes can be resumed or killed. Option B is wrong because waiting for a network response typically results in interruptible sleep (S state), as network I/O can be interrupted by signals; D state is reserved for block I/O operations. Option D is wrong because waiting for CPU is represented by the R state (runnable) or S state (sleeping while waiting for CPU), not D state.

25
MCQhard

A system has a process stuck in uninterruptible sleep (D state). The administrator wants to identify which kernel function it is waiting on. Which tool should be used?

A.cat /proc/PID/stack
B.gdb -p PID
C.perf top -p PID
D.strace -p PID
AnswerA

Shows kernel stack trace of the blocked process.

Why this answer

Option A is correct because reading /proc/PID/stack directly shows the kernel stack trace of the process, revealing the exact kernel function or wait queue the process is blocked on while in uninterruptible sleep (D state). This is the only tool listed that can inspect the kernel-side call stack without attaching a debugger or altering process state.

Exam trap

The trap here is that candidates often confuse strace (user-space syscall tracing) with kernel stack inspection, assuming strace can show kernel internals, but strace only traces syscall entry/exit and cannot reveal the internal kernel function where the process is blocked.

How to eliminate wrong answers

Option B (gdb -p PID) is wrong because gdb attaches to a user-space process and inspects user-space memory and registers; it cannot access the kernel stack or show which kernel function caused the D state. Option C (perf top -p PID) is wrong because perf top samples performance counters and shows hot functions in user and kernel space, but it does not display the current blocked stack trace for a process in D state. Option D (strace -p PID) is wrong because strace traces system calls, but a process in uninterruptible sleep is already inside a kernel function and not making new system calls; strace will hang or show no output.

26
Multi-Selectmedium

A system administrator needs to monitor real-time network traffic on a specific interface (eth0). Which TWO tools can be used for packet-level analysis?

Select 2 answers
A.tshark -i eth0
B.tcpdump -i eth0
C.iftop
D.wireshark
E.netstat -i
AnswersA, B

CLI version of Wireshark for packet capture.

Why this answer

A is correct because tshark is the command-line version of Wireshark, capable of capturing and analyzing packets in real time on a specific interface using the -i flag. It provides detailed packet-level inspection, including protocol dissection, which is essential for network traffic analysis.

Exam trap

The trap here is that candidates may confuse tools that show network statistics (like iftop or netstat) with those that perform actual packet-level capture and analysis, or assume that Wireshark is suitable for command-line-only environments without considering its GUI dependency.

27
Drag & Dropmedium

Order the steps to set up an LVM logical volume from a new disk.

Why this order

LVM requires creating PV, then VG, then LV, then formatting and mounting.

28
Multi-Selecthard

Which THREE methods can be used to rescue a Linux system that fails to boot past GRUB? (Choose three.)

Select 4 answers
A.Append 'systemd.unit=emergency.target' to kernel command line.
B.Boot into single-user mode by adding 'single' to kernel command line.
C.At GRUB prompt, press 'e' to edit and add 'init=/bin/bash' to boot.
D.From GRUB menu, run 'linux /vmlinuz-... root=/dev/sda1 init=/bin/bash'.
E.Use the system rescue image by selecting 'Rescue' from boot media.
AnswersA, B, C, E

Emergency target provides a minimal shell.

Why this answer

Option A is correct because appending 'systemd.unit=emergency.target' to the kernel command line instructs systemd to boot directly into the emergency target, which provides a minimal rescue shell with only the root filesystem mounted read-only. This is a standard systemd mechanism for recovering from boot failures.

Exam trap

The trap here is that candidates may think option D is a valid GRUB command, but GRUB does not accept a raw 'linux' command with an 'init=' parameter at the prompt; the correct way is to edit the boot entry with 'e' and modify the kernel line, not to type a full command.

29
MCQmedium

A server runs out of inodes. The administrator needs to find which filesystem is exhausted and which directory has the most files. Which command sequence best accomplishes this?

A.df -i; find / -type f | wc -l
B.df -i; find / -xdev -type f -printf '%h\0' | sort -z | uniq -c -z | sort -rn | head
C.df -i; du --inodes /
D.df -h; du -sh /
AnswerB

Shows filesystem inode usage and then identifies top directories by file count.

Why this answer

Option B is correct because `df -i` first checks inode usage across all mounted filesystems to identify which one is exhausted. Then the `find / -xdev -type f -printf '%h\0' | sort -z | uniq -c -z | sort -rn | head` command counts files per directory on the root filesystem only (due to `-xdev`), using null-delimited output to handle special characters in filenames, and sorts to show the directory with the most files. This directly addresses both parts of the problem: identifying the exhausted filesystem and the directory with the most files.

Exam trap

The trap here is that candidates often confuse inode exhaustion with disk space exhaustion and choose `df -h` and `du -sh` (Option D), or they use a recursive file count without restricting to a single filesystem (Option A), failing to isolate the problematic filesystem and directory.

How to eliminate wrong answers

Option A is wrong because `find / -type f | wc -l` counts all files across all mounted filesystems (including network and virtual filesystems), which can be misleading and does not restrict to the exhausted filesystem; it also does not group files by directory, so it cannot identify which directory has the most files. Option C is wrong because `du --inodes /` is not a valid option in standard `du`; the `--inodes` flag is not supported by GNU `du` (it is a `df` option), and even if it were, it would not provide per-directory file counts. Option D is wrong because `df -h` shows disk space usage, not inode usage, and `du -sh /` shows total disk space used by the root filesystem, which is irrelevant to an inode exhaustion problem.

30
Multi-Selecthard

Which THREE steps are necessary to permanently disable a systemd service from starting at boot?

Select 3 answers
A.systemctl stop myapp.service
B.systemctl mask myapp.service
C.systemctl reset-failed myapp.service
D.systemctl disable myapp.service
E.systemctl daemon-reload
AnswersA, B, D

Stops the currently running service.

Why this answer

Option A is correct because `systemctl stop` immediately terminates the service process, which is necessary to ensure the service is not currently running before disabling it from future boots. While stopping alone does not prevent the service from starting at boot, it is a required step in the process of permanently disabling a service, as you must stop the current instance before disabling it to avoid an inconsistent state.

Exam trap

The trap here is that candidates often think `systemctl disable` alone is sufficient to prevent a service from starting at boot, but they forget that the service may still be running currently, and without stopping it first, the disable command only affects future boots, not the current session.

31
Multi-Selecteasy

Which THREE commands can show the current system time and date?

Select 3 answers
A.time
B.timedatectl
C.date
D.ntpdate
E.hwclock
AnswersB, C, E

Shows system time, date, and timezone.

Why this answer

B is correct because `timedatectl` is the primary command in systemd-based Linux distributions (e.g., RHEL 7+, Ubuntu 16.04+) for querying and configuring system time, date, time zone, and NTP synchronization. It displays the current local time, UTC time, RTC time, and time zone status in a structured output.

Exam trap

The trap here is that candidates confuse `time` (a performance measurement tool) with `date` (a time display tool), or mistakenly think `ntpdate` is a display command when it actually modifies the system clock.

32
MCQeasy

A Linux server experiences a kernel panic during boot. The administrator needs to capture the kernel panic message for debugging. Which of the following methods would allow capturing the panic message?

A.Add 'quiet' to the kernel boot parameters.
B.Add 'panic=0' to the kernel boot parameters.
C.Configure netconsole to send kernel messages to a remote syslog server.
D.Set the kernel parameter 'console=ttyS0' to redirect output to a serial console.
AnswerB

Setting panic=0 tells the kernel to wait indefinitely on a panic, allowing the administrator to read the message on the console.

Why this answer

Option B is correct because setting 'panic=0' in the kernel boot parameters instructs the kernel to wait indefinitely (never reboot) after a kernel panic, allowing the administrator to capture the panic message from the console output. This is essential for debugging as it prevents automatic reboot and preserves the panic screen.

Exam trap

The trap here is that candidates may confuse 'panic=0' with disabling panic behavior, when in fact it disables automatic reboot, or they may think 'console=ttyS0' alone captures the message, whereas it only redirects output without preserving it during a crash.

How to eliminate wrong answers

Option A is wrong because adding 'quiet' suppresses most kernel messages, including panic details, making it harder to capture the panic message. Option C is wrong because netconsole sends kernel messages over the network to a remote syslog server, but it requires network configuration and may not function reliably during a kernel panic, especially if the network stack is compromised. Option D is wrong because 'console=ttyS0' redirects kernel output to a serial console, which is useful for remote access but does not inherently capture or preserve the panic message; it only changes the output destination.

33
MCQmedium

A system administrator notices that logrotate did not rotate the /var/log/messages file on a CentOS 7 server despite having a configuration at /etc/logrotate.d/syslog. The admin runs 'logrotate -d /etc/logrotate.conf' and sees that the syslog file is excluded due to 'olddir' option, but the olddir does not exist. Additionally, the logrotate status file (/var/lib/logrotate/logrotate.status) shows that /var/log/messages was last rotated 30 days ago. The logrotate cron job is scheduled daily. What is the most likely reason the rotation fails?

A.The log file size has not exceeded the configured maxsize threshold.
B.The olddir specified in the config does not exist, causing logrotate to error out before rotation.
C.The logrotate script does not have read permission on /var/log/messages.
D.The 'compress' option is missing, so logrotate skips the file.
AnswerB

Missing olddir directory causes failure.

Why this answer

The `logrotate -d` (debug) output explicitly states the file is excluded due to the 'olddir' option, and the admin confirmed the olddir does not exist. When logrotate is configured with an 'olddir' directive, it attempts to move the rotated log file to that directory before performing the rotation. If the directory does not exist, logrotate fails with an error and aborts the rotation for that log file, leaving it unrotated.

This is a common misconfiguration that prevents rotation even when all other conditions (e.g., age, size) are met.

Exam trap

The trap here is that candidates may assume the failure is due to a missing 'size' or 'compress' option, but the debug output's explicit 'excluded due to olddir' message directly points to the missing directory as the root cause.

How to eliminate wrong answers

Option A is wrong because the logrotate status shows the file was last rotated 30 days ago, and the cron job runs daily; the 'daily' frequency or 'maxage' directive would trigger rotation based on time, not just size, so the failure is not due to a size threshold. Option C is wrong because if logrotate lacked read permission on /var/log/messages, the debug output would show a permission denied error, not an exclusion due to 'olddir'. Option D is wrong because the 'compress' option is optional and does not cause logrotate to skip a file; missing compression simply means the rotated file is not compressed, but rotation still occurs.

34
MCQmedium

To permanently mount an ext4 filesystem at /data with noatime option, which entry should be added to /etc/fstab?

A./dev/sdb1 /data ext4 defaults,noatime 0 0
B./dev/sdb1 /data ext4 noatime 0 0
C./dev/sdb1 /data ext4 defaults,noatime 1 0
D./dev/sdb1 /data ext4 defaults,noatime 0 1
AnswerA

Correct entry with proper options and flags.

Why this answer

Option A is correct because the /etc/fstab entry for a permanent mount requires the filesystem device, mount point, type, options, dump frequency, and fsck pass order. The 'defaults,noatime' option string includes 'defaults' (which implies rw, suid, dev, exec, auto, nouser, async) and then overrides the access time update behavior with 'noatime'. The dump field (5th column) is 0 to disable backups, and the fsck pass order (6th column) is 0 to skip filesystem checks at boot, which is appropriate for a non-root data partition.

Exam trap

The trap here is that candidates often confuse the dump and fsck fields, incorrectly assuming that a non-root data partition should have a non-zero fsck pass order, or they omit 'defaults' thinking 'noatime' alone is sufficient, but the LFCS exam expects the standard 'defaults,noatime' format with dump=0 and fsck=0 for a data mount.

How to eliminate wrong answers

Option B is wrong because it omits 'defaults' from the options field. While 'noatime' alone is a valid mount option, the fstab format expects a comma-separated list, and omitting 'defaults' can cause unexpected behavior if other default options (like rw, exec) are not explicitly set; though technically it might work in some kernels, it is not the standard or recommended practice for a permanent mount. Option C is wrong because the dump field (5th column) is set to 1, which would enable the dump utility to back up this filesystem; for a non-root data partition, this should be 0 unless specifically required. Option D is wrong because the fsck pass order (6th column) is set to 1, which would cause the system to check this filesystem at boot with the same priority as the root filesystem; for a non-root data partition, this should be 0 to skip automatic fsck checks unless it is a critical filesystem.

35
MCQhard

Refer to the exhibit. What is the most likely security issue?

A.SSH service is not running.
B.The root account is disabled.
C.Someone is attempting to brute-force the root password.
D.The firewall is blocking SSH.
AnswerC

Repeated failed attempts from same IP indicate a brute-force attack.

Why this answer

The exhibit shows multiple failed SSH login attempts for the root user from the same IP address in quick succession, as seen in the auth.log or secure log entries. This pattern indicates a brute-force attack, where an attacker systematically tries different passwords to gain unauthorized root access. Option C is correct because the repeated 'Failed password for root' messages are the hallmark of a brute-force attempt.

Exam trap

The trap here is that candidates may see 'SSH' and 'root' and incorrectly assume the service is down or the account is disabled, rather than recognizing the pattern of repeated failed login attempts as a brute-force attack.

How to eliminate wrong answers

Option A is wrong because the SSH service is clearly running and accepting connections, as evidenced by the log entries showing SSH authentication attempts. Option B is wrong because the root account is not disabled; if it were disabled, the log would show 'User root not allowed because account is locked' or similar, not 'Failed password' attempts. Option D is wrong because the firewall is not blocking SSH; if it were, the connection attempts would not reach the SSH daemon to generate authentication failure logs.

36
MCQmedium

A cron job runs a script that outputs to stdout. The administrator wants to capture both stdout and stderr to a file named job.log, while also seeing output on the terminal. Which command achieves this?

A.script 2>&1 | tee job.log
B../script | tee job.log 2>&1
C../script > job.log 2>&1
D../script 2>&1 | tee job.log
AnswerD

Redirects stderr to stdout and pipes to tee for file and terminal output.

Why this answer

Option D is correct because it uses `2>&1` to redirect stderr to stdout, then pipes the combined stream to `tee job.log`, which writes to the file and also displays output on the terminal. This ensures both stdout and stderr are captured in `job.log` and visible on the screen.

Exam trap

The trap here is that candidates often place `2>&1` after the pipe (as in option B), mistakenly thinking it redirects the script's stderr, when in fact it only affects the command receiving the pipe (e.g., `tee`), leaving the script's stderr uncaptured.

How to eliminate wrong answers

Option A is wrong because `script` is a command that records terminal sessions, not the script to be executed; it would try to run `script` with `2>&1` and pipe its output to `tee`, which does not execute the intended script. Option B is wrong because the `2>&1` appears after the pipe, so it redirects stderr of `tee` (not the script) to stdout, failing to capture the script's stderr in the file or terminal. Option C is wrong because `./script > job.log 2>&1` redirects both stdout and stderr to the file but does not display output on the terminal, violating the requirement to see output on the terminal.

37
MCQeasy

An administrator wants to schedule a one-time task to run at 2:30 PM next Friday. Which command should be used?

A.at 14:30 next Friday
B.crontab -e and add entry
C.systemd-run --on-calendar='Fri 14:30' /bin/bash -c 'command'
D.at 2:30 PM Fri
AnswerA

Correct syntax for scheduling a one-time task with at.

Why this answer

Option A is correct because the `at` command is specifically designed for scheduling one-time tasks at a specified time and date. The syntax `at 14:30 next Friday` correctly uses 24-hour time and the `next Friday` keyword, which the `atd` daemon interprets to run the job exactly once at that moment.

Exam trap

The trap here is that candidates often confuse `at` for one-time jobs with `cron` for recurring jobs, or they assume `systemd-run` can handle one-time scheduling via calendar expressions, but systemd timers require explicit `OnCalendar=` with monotonic or calendar events and do not support 'next Friday' natural language parsing.

How to eliminate wrong answers

Option B is wrong because `crontab -e` edits the cron table for recurring jobs; it cannot schedule a one-time task without manual deletion after execution, and it lacks natural language date parsing like 'next Friday'. Option C is wrong because `systemd-run` with `--on-calendar` uses systemd timer syntax, which is designed for recurring events (e.g., `weekly` or `daily`), not one-time scheduling; the calendar expression `'Fri 14:30'` would repeat every Friday at 14:30, not just next Friday. Option D is wrong because `at 2:30 PM Fri` uses ambiguous 12-hour time without AM/PM specification (though 'PM' is present); the lack of a leading zero and the use of 'Fri' without 'next' may cause the `at` parser to misinterpret the date or time. The correct syntax requires either 24-hour format or explicit 'AM'/'PM' with proper ordering, and 'Fri' alone refers to the next occurrence of Friday from today, which may not be 'next Friday' if today is already Friday.

38
MCQmedium

Refer to the exhibit. Based on the exhibit, which service is configured to accept connections only from the local machine?

AnswerC

SMTP (port 25) is bound to 127.0.0.1 only.

Why this answer

The exhibit shows that the SMTP service is bound to the loopback address 127.0.0.1 on port 25, which means it will only accept connections originating from the local machine. This is a common security practice to prevent external hosts from directly submitting mail to the local MTA.

Exam trap

The trap here is that candidates may assume any service can be restricted to localhost, but the exhibit specifically shows the SMTP service bound to 127.0.0.1, while other services like HTTP or SSH are not shown with that binding, making SMTP the only correct answer.

How to eliminate wrong answers

Option A is wrong because NTP typically listens on UDP port 123 and is not shown in the exhibit as bound to 127.0.0.1. Option B is wrong because HTTP usually listens on TCP port 80 and is not depicted as restricted to localhost in the exhibit. Option D is wrong because HTTPS listens on TCP port 443 and is not shown with a loopback binding. Option E is wrong because SSH listens on TCP port 22 and, while it can be configured to bind to localhost, the exhibit does not show it restricted to 127.0.0.1.

39
Multi-Selectmedium

Which TWO commands can be used to display real-time process resource usage on a Linux system? (Choose two.)

Select 2 answers
A.vmstat 1
B.htop
C.ps -aux
D.free -h
E.top
AnswersB, E

Interactive real-time process viewer.

Why this answer

Option B (htop) is correct because it is an interactive process viewer that displays real-time resource usage, including CPU, memory, and process details, with a user-friendly interface. Option E (top) is correct because it is the standard Linux command for real-time monitoring of system processes and resource consumption, updating dynamically by default.

Exam trap

The trap here is that candidates often confuse static commands like ps and free with real-time monitoring tools, mistakenly thinking that any command showing resource data qualifies as real-time, when only those with continuous updates (like top and htop) meet the requirement.

40
MCQeasy

An engineer wants to list all processes currently running under user 'appuser'. Which command is appropriate?

A.pgrep -u appuser
B.ps -u appuser
C.top -u appuser
D.ps aux | grep appuser
AnswerB

Lists all processes for appuser.

Why this answer

Option B is correct because the `ps -u appuser` command lists all processes owned by the user 'appuser' by filtering the process table based on the user's UID. The `-u` option selects processes whose effective user ID or name matches the given argument, making it the most straightforward and standard way to display processes for a specific user.

Exam trap

The trap here is that candidates often choose `ps aux | grep appuser` because it seems intuitive, but they overlook that `grep` matches any field, not just the user column, and can produce misleading results or miss processes if the username is part of a command string.

How to eliminate wrong answers

Option A is wrong because `pgrep -u appuser` only lists the PIDs of processes matching the user, not the full process details (e.g., command, CPU, memory) that the engineer likely needs to 'list all processes'. Option C is wrong because `top -u appuser` runs an interactive, real-time process monitor filtered to that user, which is not a one-shot listing command and requires manual termination or scripting to capture output. Option D is wrong because `ps aux | grep appuser` is a fragile pattern-matching approach that can match 'appuser' in any field (e.g., a command name or argument) and may produce false positives or miss processes if the username appears in unexpected places; it also does not reliably filter by the user column.

41
MCQeasy

A user reports that a background process (PID 3456) is consuming 95% of CPU and causing system slowness. The process name is 'crypto-miner'. The administrator needs to immediately stop this process and ensure it does not restart. Which set of commands should the administrator execute?

A.kill -9 3456, then locate the cron job or systemd service that starts it, and disable/remove it.
B.renice -n 19 -p 3456 and let it run with lower priority.
C.kill -9 3456 and then notify the user.
D.kill -15 3456 and hope it terminates.
AnswerA

Stops the process and prevents future launches.

Why this answer

Option A is correct because it addresses both immediate termination and persistence removal. The SIGKILL signal (kill -9) immediately terminates the process, and disabling the cron job or systemd service prevents automatic restart, which is critical for a malicious or unwanted process like 'crypto-miner'.

Exam trap

The trap here is that candidates focus only on stopping the process immediately (kill -9) and overlook the requirement to ensure it does not restart, leading them to choose an option that fails to address persistence.

How to eliminate wrong answers

Option B is wrong because renice only lowers CPU priority; it does not stop the process, and a CPU-intensive process can still consume 95% CPU if no other processes compete, so system slowness persists. Option C is wrong because killing the process without disabling its restart mechanism (e.g., cron or systemd) allows it to respawn immediately, failing to ensure it does not restart. Option D is wrong because SIGTERM (kill -15) requests graceful termination, which the process may ignore or trap, especially if it is malicious or designed to evade termination, leaving it running.

42
Multi-Selecthard

Which TWO of the following commands can be used to display the current kernel ring buffer messages? (Select TWO.)

Select 2 answers
A.journalctl -k
B.syslog -k
C.dmesg
D.cat /proc/kmsg
E.tail /var/log/messages
AnswersA, C

Shows kernel messages from journal.

Why this answer

A is correct because `journalctl -k` queries the systemd journal for kernel messages only, displaying the current kernel ring buffer content. This is the modern way to access kernel logs on systems using systemd, equivalent to `dmesg` but with structured journal output.

Exam trap

The trap here is that candidates may confuse `cat /proc/kmsg` with `dmesg`, not realizing that `/proc/kmsg` is a one-time destructive read requiring root, while `dmesg` is the safe, standard command for non-destructive access to the kernel ring buffer.

43
MCQhard

An administrator is troubleshooting a server that runs a critical application. The server has 16 GB of RAM and 8 CPU cores. The administrator notices that the server becomes very slow during peak hours. Analysis of 'iostat -x 1' shows that the average wait time (await) for the main disk (sda) is consistently above 1000 ms, while the average service time (svctm) is around 5 ms. What is the most likely cause?

A.The CPU is overloaded, causing processes to wait for CPU time.
B.The system is using swap space heavily, causing disk I/O.
C.The disk is experiencing hardware errors.
D.There is a large queue of I/O requests waiting to be serviced.
AnswerD

A high await with low svctm indicates that the disk is fast but there are many requests queued, so each request spends a long time waiting before being serviced.

Why this answer

The 'await' value in iostat represents the average time (in milliseconds) for I/O requests to be serviced, including time spent waiting in the queue. With 'await' at 1000+ ms and 'svctm' at only 5 ms, the vast majority of the time is spent waiting, not being serviced. This indicates a large queue of pending I/O requests, which is the direct cause of the slowdown.

Exam trap

The trap here is that candidates confuse 'await' with 'svctm' or assume high 'await' always means slow disk hardware, when in fact the low 'svctm' proves the disk is fast but overwhelmed by queue depth.

How to eliminate wrong answers

Option A is wrong because CPU overload would show high CPU utilization or run queue length in 'top' or 'vmstat', not a high 'await' with low 'svctm'. Option B is wrong because heavy swap usage would increase I/O but would also typically show high 'svctm' due to random access patterns, and the 'await' vs 'svctm' disparity here points to queue depth, not swap. Option C is wrong because hardware errors would manifest as I/O errors in system logs or increased 'svctm' due to retries, not a consistent 5 ms service time with a 1000+ ms wait.

44
Multi-Select · easy

Which TWO of the following are valid methods to check the status of a systemd service named 'httpd'? (Select TWO.)

Select 2 answers
A. initctl status httpd
B. systemd-analyze status httpd
C. /etc/init.d/httpd status
D. systemctl status httpd
E. service httpd status
Answers: D, E

Native systemd command.

Why this answer

Option D is correct because `systemctl status httpd` is the standard command to query the status of a systemd service. It displays the service's current state, recent log entries, and process information, directly interfacing with systemd's unit management.

Exam trap

The trap here is that candidates may confuse legacy SysV init commands (like `/etc/init.d/httpd status` or `service httpd status`) with native systemd commands, but `service httpd status` is actually correct because it is a wrapper that calls `systemctl status httpd` on systemd systems, making it a valid method.

45
MCQ · easy

To view the system's default runlevel (target) at boot, which command is used on a systemd-based system?

A. systemd-analyze
B. systemctl get-default
C. runlevel
D. cat /etc/inittab
Answer: B

Shows the default target for systemd.

Why this answer

On systemd-based systems, the default target (analogous to runlevel) is managed by systemctl. The command `systemctl get-default` queries the symlink at `/etc/systemd/system/default.target` to display which target is set to boot by default, making it the correct way to view the system's default boot target.

Exam trap

The trap here is that candidates familiar with SysVinit may instinctively choose `runlevel` or `cat /etc/inittab`, not realizing that systemd replaces these with `systemctl` commands and uses target units instead of runlevels.

How to eliminate wrong answers

Option A is wrong because `systemd-analyze` is used to analyze system boot performance and show timing details, not to display the default target. Option C is wrong because `runlevel` is a legacy SysVinit command that reads `/var/run/utmp` to show the current and previous runlevels; it does not work on systemd systems to show the default boot target. Option D is wrong because `/etc/inittab` is the configuration file for SysVinit that defines runlevels; systemd-based systems do not use this file, and it is typically absent or ignored.

46
MCQ · hard

After a kernel update, a service fails to start with 'cannot allocate memory'. The system has 16GB RAM and 8GB swap. Which command should the administrator run first to diagnose potential memory limits?

A. free -m
B. ulimit -a
C. cat /proc/meminfo
D. sysctl vm.overcommit_memory
Answer: B

Shows process resource limits, which may be too low.

Why this answer

Option B is correct because `ulimit -a` displays all current user-level resource limits, including `max memory size`, `max processes`, and `max locked memory`. After a kernel update, the service may be hitting a newly enforced or reduced `ulimit` (e.g., `RLIMIT_AS` or `RLIMIT_DATA`), which can cause 'cannot allocate memory' even when system memory is abundant. This command is the fastest way to check if a per-process limit is the culprit.

Exam trap

The trap here is that candidates see 'cannot allocate memory' and immediately think of system memory exhaustion, leading them to choose `free -m` or `/proc/meminfo`, but the LFCS exam tests the distinction between system-wide memory and per-process resource limits enforced by `ulimit`.

How to eliminate wrong answers

Option A is wrong because `free -m` shows overall system memory and swap usage, but the error 'cannot allocate memory' can occur even with plenty of free RAM if a per-process limit is imposed; `free` does not reveal user limits. Option C is wrong because `cat /proc/meminfo` provides detailed kernel memory statistics (e.g., MemTotal, MemFree, Committed_AS) but does not show per-process resource limits enforced by the shell or PAM; it cannot diagnose a `ulimit` restriction. Option D is wrong because `sysctl vm.overcommit_memory` controls the kernel's memory overcommit policy (0=heuristic, 1=always, 2=never overcommit), but the error 'cannot allocate memory' from a service is typically a per-process limit issue, not a system-wide overcommit setting; changing this sysctl is a more advanced step after confirming limits.

47
MCQ · easy

A server is running out of disk space. Which command will show the disk usage of the root filesystem in a human-readable format?

A. ls -lh /
B. df -h /
C. fdisk -l /
D. du -sh /
Answer: B

Shows filesystem usage in human-readable format.

Why this answer

The `df -h /` command displays disk usage for the root filesystem (`/`) in a human-readable format (e.g., GB, MB) by using the `-h` flag. This is the standard tool for checking filesystem-level disk space, not directory-level usage.

Exam trap

The trap here is that candidates confuse `du` (directory usage) with `df` (filesystem usage), often picking `du -sh /` because it shows a large number, but they fail to realize it does not report filesystem capacity or available space, which is what the question explicitly asks for.

How to eliminate wrong answers

Option A is wrong because `ls -lh /` lists the contents of the root directory with sizes in human-readable format, but it does not show disk usage of the filesystem itself—it only shows file and directory sizes, which is not the same as filesystem capacity or usage. Option C is wrong because `fdisk -l /` is used to manipulate or display the partition table of a disk device (e.g., `/dev/sda`), not to show filesystem disk usage; passing `/` as an argument is invalid and will produce an error. Option D is wrong because `du -sh /` calculates the total disk usage of all files and directories under `/` (i.e., the entire filesystem tree), but it does not show the filesystem's total capacity or available space; it also takes significantly longer to run and is not the intended command for checking filesystem-level disk usage.

48
MCQ · easy

Which command shows the default target for systemd?

A. systemctl show default
B. systemctl list-default
C. systemctl get-default
D. systemctl default
Answer: C

Correct command to show default target.

Why this answer

The correct command to display the default target (the systemd unit that the system boots into by default) is `systemctl get-default`. This command reads the symlink at `/etc/systemd/system/default.target` and outputs its target, such as `multi-user.target` or `graphical.target`. Option C is correct because it directly queries systemd for the current default boot target.

Exam trap

The trap here is that candidates confuse `systemctl get-default` with `systemctl default` (which activates the default target) or with non-existent commands like `systemctl list-default`, leading them to pick a plausible-sounding but incorrect option.

How to eliminate wrong answers

Option A is wrong because `systemctl show default` is not a valid systemctl subcommand; `systemctl show` is used to display properties of a unit (e.g., `systemctl show sshd.service`), not to retrieve the default target. Option B is wrong because `systemctl list-default` does not exist; the correct subcommand for listing targets is `systemctl list-units --type=target`, which shows all loaded target units, not the default one. Option D is wrong because `systemctl default` is a valid command but it changes the current target to the default target (i.e., it activates the default boot target), not displays it.

49
MCQ · medium

A user reports that they cannot log in via SSH, but other users can. The administrator checks /var/log/auth.log and sees 'Failed password for invalid user'. What is the most likely cause?

A. The user's SSH key is not authorized
B. The user account is locked
C. The user does not exist on the system
D. The user's password has expired
Answer: C

Logs indicate 'invalid user', meaning the username is not found.

Why this answer

The log message 'Failed password for invalid user' specifically indicates that the username presented during the SSH authentication attempt does not correspond to any account in the system's user database (e.g., /etc/passwd). This is distinct from a valid user failing authentication; the SSH server (sshd) rejects the session at the authentication stage because the user does not exist. Therefore, the most likely cause is that the user account does not exist on the system.

Exam trap

The trap here is that candidates confuse 'invalid user' (non-existent account) with 'valid user, wrong credentials' (e.g., locked account, expired password, or bad key), but the log message explicitly distinguishes between these two cases.

How to eliminate wrong answers

Option A is wrong because an SSH key not being authorized would generate a 'Failed publickey for <valid_user>' message, not 'invalid user'. Option B is wrong because a locked account (e.g., via `passwd -l` or expired password) would produce a 'Failed password for <valid_user>' or 'Authentication failure' log entry, not 'invalid user'. Option D is wrong because an expired password triggers a password change prompt or a 'Password expired' message during authentication, and the log would still reference a valid username, not 'invalid user'.

50
MCQ · hard

A system has a RAID 5 array that is degraded. One of the three disks failed and was replaced. The administrator runs 'cat /proc/mdstat' and sees that the array is still degraded. Which command should be used to add the new disk (/dev/sdc1) to the array?

A. mdadm /dev/md0 --add /dev/sdc1
B. mdadm --add /dev/md0 /dev/sdc1
C. mdadm --manage /dev/md0 --add /dev/sdc1
D. mdadm --re-add /dev/md0 /dev/sdc1
Answer: B

Correct syntax.

Why this answer

Option B is correct because the `mdadm --add /dev/md0 /dev/sdc1` command explicitly adds a new disk to a RAID array. After a failed disk is replaced, the array remains degraded until the new disk is added and the rebuild process begins. The `--add` option is the standard way to incorporate a spare or replacement device into an active MD array.

Exam trap

The trap here is that candidates confuse `--add` with `--re-add`, assuming the latter is always used for replacement disks, but `--re-add` only works for disks that were previously part of the same array and have not been fully removed or failed.

How to eliminate wrong answers

Option A is wrong because the syntax `mdadm /dev/md0 --add /dev/sdc1` omits the required `--manage` or device mode flag; `mdadm` expects either a mode (like `--manage`) or a direct command option before the device name, and this ordering can cause a parsing error or unintended behavior. Option C is wrong because `mdadm --manage /dev/md0 --add /dev/sdc1` is technically valid but redundant — the `--manage` mode is implied when using `--add`, and the LFCS exam expects the simpler, standard form `mdadm --add /dev/md0 /dev/sdc1` as the correct answer. Option D is wrong because `mdadm --re-add` is used to re-add a disk that was previously part of the array and has been removed but not failed (e.g., after a temporary disconnection); it does not apply to a new replacement disk that was never part of the array.

51
MCQ · hard

A system running RHEL 8 experiences intermittent crashes. After reboot, 'journalctl -p err -b -1' outputs: 'PID 1234 (myapp) ended due to signal: KILL'. Which diagnostic step should the administrator perform next?

A. Review logrotate configuration for myapp logs.
B. Run strace to capture system calls of myapp before restarting.
C. Enable core dumps and reproduce issue.
D. Check journalctl for 'oom-kill' entries or use 'dmesg | grep -i oom'.
Answer: D

Identifies if out-of-memory killer caused the kill.

Why this answer

The 'PID ended due to signal: KILL' message indicates the process was terminated by a SIGKILL (signal 9), which is commonly sent by the Out-Of-Memory (OOM) killer when the system runs low on memory. Checking journalctl for 'oom-kill' entries or using 'dmesg | grep -i oom' directly confirms whether the OOM killer was responsible, making D the correct next diagnostic step.

Exam trap

The trap here is that candidates may confuse 'signal: KILL' with a manual kill command or a segmentation fault, leading them to choose core dumps (C) or strace (B), when the specific signal name 'KILL' (SIGKILL) points directly to the OOM killer or an explicit kill -9, and the OOM killer is the most common cause in intermittent crash scenarios.

How to eliminate wrong answers

Option A is wrong because logrotate configuration affects log rotation and compression, not process termination causes; it would not help diagnose why myapp was killed. Option B is wrong because strace captures system calls of a running process, but myapp has already crashed and cannot be traced without reproducing the issue first; this is a premature step before confirming the root cause. Option C is wrong because enabling core dumps and reproducing the issue is useful for debugging segmentation faults or other signals (e.g., SIGSEGV), but SIGKILL cannot be caught or handled by the process, so no core dump is generated; this step would be ineffective here.

52
Matching · medium

Match each Linux networking command to its primary function.

Concepts
Matches

Show/manipulate routing, devices, tunnels

Investigate sockets

Capture and analyze network traffic

Manage NetworkManager

Print network connections (legacy)

Why these pairings

These commands are used for network troubleshooting and configuration.

53
MCQ · medium

A process (PID 1234) is hung and cannot be killed with SIGTERM. To force termination, which signal should be sent?

A. kill -9 1234 (SIGKILL)
B. kill -15 1234 (SIGTERM)
C. kill -2 1234 (SIGINT)
D. kill -1 1234 (SIGHUP)
Answer: A

SIGKILL cannot be caught and kills immediately.

Why this answer

SIGKILL (signal 9) is the correct choice because it cannot be caught, blocked, or ignored by the process. Unlike SIGTERM, which allows the process to perform cleanup, SIGKILL immediately terminates the process at the kernel level, making it the only reliable way to force-kill a hung process that ignores other signals.

Exam trap

The trap here is that candidates often confuse SIGTERM (15) as a 'force kill' signal, not realizing that a hung process can ignore it, while SIGKILL (9) is the only signal that guarantees termination.

How to eliminate wrong answers

Option B (SIGTERM, signal 15) is wrong because it is the default polite termination signal that the process can catch and ignore, which is exactly why it failed to kill the hung process. Option C (SIGINT, signal 2) is wrong because it is typically generated by Ctrl+C and can be caught or ignored by the process, making it ineffective for a hung process. Option D (SIGHUP, signal 1) is wrong because it is primarily used to notify a process of terminal disconnection or to reload configuration, and it can also be caught or ignored, so it will not force termination.

54
MCQ · medium

A system administrator needs to find all files that are larger than 100MB in the /var directory. Which command accomplishes this?

A. find /var -size +100M
B. find /var -size +100MB
C. ls -lh /var | grep '100M'
D. find /var -size +100M -type f
Answer: D

Correct syntax, restricts to files only.

Why this answer

Option D is correct because the `find` command with `-size +100M` locates files larger than 100 megabytes, and `-type f` restricts results to regular files, avoiding directories or special files. The `+` prefix means 'greater than', and `M` denotes megabytes (1048576-byte blocks). This is the standard syntax for size-based file searches on Linux.

Exam trap

The trap here is that candidates often forget the `-type f` filter and pick Option A, assuming `find` only returns files, or they incorrectly use `MB` (Option B) due to familiarity with human-readable size formats, not realizing `find` requires single-letter suffixes.

How to eliminate wrong answers

Option A is wrong because `find /var -size +100M` omits `-type f`, so it will also match directories and other non-regular files that happen to have a size attribute, potentially cluttering results or causing unintended matches. Option B is wrong because `-size +100MB` uses an invalid suffix; `find` accepts `c` (bytes), `k` (kilobytes), `M` (megabytes), `G` (gigabytes), but not `MB` — this will cause a syntax error or be ignored. Option C is wrong because `ls -lh /var | grep '100M'` only matches lines containing the literal string '100M', missing files like '200M' or '1.5G', and it does not recursively search subdirectories; it also fails to handle files with sizes formatted differently (e.g., '101M' would not match).

55
MCQ · medium

A systems administrator receives reports that a web server running Nginx is intermittently unresponsive. The server has 8 GB of RAM and 4 CPU cores. The administrator runs 'free -m' and sees that available memory is low, and 'top' shows that several nginx worker processes are using a high percentage of CPU. Which of the following is the most likely cause of the issue?

A. The nginx worker_connections setting is too high.
B. The vm.swappiness value is set to 100.
C. The net.core.somaxconn setting is too low.
D. The kernel parameter kernel.pid_max is set too low.
Answer: A

High worker_connections can cause each worker to allocate large amounts of memory for connection pools, leading to memory exhaustion and high CPU usage as workers compete for resources.

Why this answer

The correct answer is A. When `worker_connections` is set too high, each Nginx worker process attempts to handle more concurrent connections than the system can support, leading to CPU saturation and memory exhaustion. This matches the symptoms of high CPU usage by worker processes and low available memory, causing intermittent unresponsiveness.

Exam trap

The trap here is that candidates may confuse `worker_connections` with `net.core.somaxconn`, assuming a backlog limit causes CPU issues, but `worker_connections` directly impacts per-worker resource consumption under load.

How to eliminate wrong answers

Option B is wrong because `vm.swappiness` controls the kernel's tendency to swap anonymous memory to disk; a value of 100 makes the system swap aggressively, which would cause disk I/O and latency, not high CPU usage by Nginx workers directly. Option C is wrong because `net.core.somaxconn` limits the backlog of pending TCP connections; a low value would cause connection refused errors under load, not high CPU usage or memory exhaustion. Option D is wrong because `kernel.pid_max` sets the maximum PID number; a low value would prevent new processes from starting, not cause existing Nginx workers to consume high CPU or memory.

56
Multi-Select · medium

Which TWO commands can be used to display the current block devices and their partitions?

Select 2 answers
A. df -h
B. lsblk
C. parted -l
D. fdisk -l
E. blkid
Answers: B, D

Lists block devices with partition info.

Why this answer

B is correct because `lsblk` lists all block devices (e.g., /dev/sda, /dev/nvme0n1) and their partition tables in a tree-like format, reading directly from sysfs. D is correct because `fdisk -l` displays partition tables for all block devices by reading the partition table from the disk (MBR or GPT). Both commands show current block devices and their partitions.

Exam trap

The trap here is that candidates confuse `df -h` (which shows mounted filesystems) with commands that display block devices and partitions, leading them to select option A, or they overlook `fdisk -l` because they think it only edits partitions, not lists them.

57
MCQ · easy

Based on the exhibit, what happens if the service 'myapp' crashes?

A. The service is disabled and will not start at boot
B. systemd will automatically restart it after 5 seconds
C. The service remains stopped until manually started
D. An alert is sent to the system administrator
Answer: B

Restart=always and RestartSec=5 cause automatic restart.

Why this answer

Option B is correct because the systemd service unit for 'myapp' includes the directive `Restart=on-failure` combined with `RestartSec=5`. When the service process crashes or exits with a non-zero status, systemd detects the failure and automatically schedules a restart after the specified 5-second delay. This behavior is defined in the service unit file and is a core feature of systemd's service management.

Exam trap

The trap here is that candidates assume a crashed service must be manually restarted or that systemd only handles boot-time behavior, overlooking the `Restart=` and `RestartSec=` directives that define automatic restart policies for runtime failures.

How to eliminate wrong answers

Option A is wrong because a crash does not disable the service; disabling is a separate administrative action using `systemctl disable`, which only affects boot-time behavior, not runtime restart policy. Option C is wrong because systemd's `Restart=on-failure` directive explicitly instructs the init system to restart the service automatically upon crash, so it does not remain stopped. Option D is wrong because systemd does not send alerts by default; while it can log the event via journald, alerting requires additional configuration (e.g., custom scripts, monitoring tools, or `OnFailure=` unit dependencies).

58
MCQ · easy

An administrator wants to view the current memory usage in a human-readable format, showing totals for used and free memory. Which command should be used?

A. vmstat
B. free -h
C. top
D. cat /proc/meminfo
Answer: B

Shows human-readable memory summary.

Why this answer

The `free -h` command displays memory usage in a human-readable format (e.g., MiB, GiB) and shows totals for used and free memory, including buffers/cache and swap. This directly matches the requirement for a quick, readable summary of memory usage.

Exam trap

The trap here is that candidates may choose `cat /proc/meminfo` because it contains all memory details, but they overlook the requirement for a human-readable format and totals, which `free -h` provides directly.

How to eliminate wrong answers

Option A is wrong because `vmstat` reports virtual memory statistics, process, CPU, and I/O activity, but it does not present totals for used and free memory in a human-readable format by default; its output is in raw numbers and requires interpretation. Option C is wrong because `top` provides a real-time, dynamic view of system processes and memory usage, but it is interactive and not designed for a single, static human-readable summary of total used and free memory. Option D is wrong because `cat /proc/meminfo` outputs raw kernel memory statistics in kilobytes, which is not human-readable and requires manual calculation to derive totals for used and free memory.

59
MCQ · medium

You are a systems administrator for a company that runs a web application on a Linux server with 16 GB of RAM and 4 CPU cores. The application uses Apache with mod_php and PostgreSQL. Recently, the server has been experiencing high load average (above 10) and the website is responding slowly. The 'top' command shows that many 'httpd' processes are in 'D' (uninterruptible sleep) state. The 'iostat -x 1' output shows high disk utilization (over 90%) and high average wait times (await > 200 ms) on the disk where PostgreSQL data is stored. The database is write-heavy, and you suspect that disk I/O is the bottleneck. Which of the following actions is most likely to improve the performance?

A. Enable the PostgreSQL query cache by setting 'query_cache_type' to 'on'.
B. Increase the PostgreSQL shared_buffers setting to 4 GB.
C. Increase the PostgreSQL max_connections setting to 200.
D. Decrease the Apache MaxClients setting to 50.
Answer: B

Increasing shared_buffers allows PostgreSQL to cache more data in memory, reducing the amount of disk I/O needed. This directly addresses the high disk utilization.

Why this answer

The high disk utilization (over 90%) and high await times (>200 ms) on the PostgreSQL data disk indicate that the database is I/O-bound. Increasing PostgreSQL's shared_buffers to 4 GB (25% of 16 GB RAM) allows more data to be cached in memory, reducing the frequency of disk writes and reads for write-heavy workloads. This directly alleviates the disk I/O bottleneck, lowering the load average and the number of httpd processes in 'D' state.

Exam trap

The trap here is that candidates may confuse PostgreSQL's shared_buffers with MySQL's query cache or think that reducing Apache connections will fix an I/O bottleneck, when the real solution is to increase database memory caching to reduce disk pressure.

How to eliminate wrong answers

Option A is wrong because PostgreSQL does not have a 'query_cache_type' setting; that is a MySQL/MariaDB feature, and enabling it would not address disk I/O. Option C is wrong because increasing max_connections to 200 would allow more concurrent database sessions, which would increase contention for the already saturated disk, worsening performance. Option D is wrong because decreasing Apache MaxClients to 50 would reduce the number of concurrent web requests, but the bottleneck is disk I/O on the PostgreSQL data disk, not Apache process limits; this action might reduce load slightly but does not address the root cause.

60
MCQ · hard

A system administrator needs to ensure that a specific service, 'myapp', starts automatically after a system crash and also restarts if it fails. Which systemd unit directive should be used to achieve this behavior?

A. RemainAfterExit=yes
B. Restart=always
C. Restart=on-failure and WantedBy=multi-user.target
D. ExecStopPost=/bin/systemctl restart myapp.service
Answer: C

Restart=on-failure restarts the service only if it fails (non-zero exit), and WantedBy=multi-user.target ensures it starts at boot.

Why this answer

Option C is correct because the combination of `Restart=on-failure` ensures the service restarts automatically if it exits with a non-zero exit code or is terminated by a signal, and `WantedBy=multi-user.target` creates a dependency that starts the service at boot, including after a system crash. This satisfies both requirements: automatic start after crash (via systemd's dependency-based boot) and restart on failure (via the Restart directive).

Exam trap

The trap here is that candidates often confuse `Restart=always` with `Restart=on-failure`, not realizing that `always` restarts even on manual stops, which violates the typical requirement to only restart on failure, and they may overlook that `WantedBy=multi-user.target` is necessary for automatic start after a crash.

How to eliminate wrong answers

Option A is wrong because `RemainAfterExit=yes` only keeps the service unit in an 'active' state after its main process exits, but it does not cause the service to start after a crash or restart on failure. Option B is wrong because `Restart=always` would restart the service even if it is manually stopped by an administrator, which is not the desired behavior and can lead to unintended restarts; the requirement is to restart only on failure, not on manual stop. Option D is wrong because `ExecStopPost` runs a command after the service stops, but it does not inherently restart the service; using it to call `systemctl restart` is a workaround that bypasses systemd's built-in restart logic and can cause race conditions or infinite restart loops.

61
MCQ · easy

A system administrator needs to check the current CPU load and memory usage on a Linux server. Which command should be used to display a dynamic, real-time view of running processes and system resource utilization?

A. uptime
B. top
C. ps aux
D. free -h
Answer: B

'top' displays a dynamic, real-time view of processes and resource usage.

Why this answer

Option B (top) is correct because it provides a dynamic, real-time view of running processes and system resource utilization, including CPU load, memory usage, and process details. It updates continuously by default, making it ideal for monitoring live system performance.

Exam trap

The trap here is that candidates may confuse static commands like ps aux or free -h with the dynamic, real-time requirement, or assume uptime provides process-level detail, when only top (or similar tools like htop) continuously updates process and resource data.

How to eliminate wrong answers

Option A (uptime) is wrong because it only displays how long the system has been running, the number of users, and load averages for 1, 5, and 15 minutes; it does not show a dynamic, real-time view of processes or memory usage. Option C (ps aux) is wrong because it provides a static snapshot of all running processes at the moment of execution, not a continuously updating real-time display. Option D (free -h) is wrong because it shows memory and swap usage in a human-readable format, but it is a static report and does not display running processes or CPU load in real time.

62
MCQ · easy

A system administrator notices that a process is consuming 100% CPU and is unresponsive. Which command should be used to immediately stop the process if the PID is 2345?

A. kill -9 2345
B. pkill -9 processname
C. systemctl stop processname
D. kill -15 2345
Answer: A

SIGKILL immediately terminates the process and cannot be caught.

Why this answer

Option A is correct because `kill -9 2345` sends the SIGKILL signal (signal 9) to process ID 2345, which immediately terminates the process without allowing it to clean up or ignore the signal. This is the appropriate action for an unresponsive process consuming 100% CPU, as SIGKILL cannot be caught or blocked by the process.

Exam trap

The trap here is that candidates may choose `kill -15` (SIGTERM) thinking it is safer, but the question explicitly requires immediate stoppage of an unresponsive process, where only SIGKILL guarantees termination.

How to eliminate wrong answers

Option B is wrong because `pkill -9 processname` would require the process name, not the PID, and the question specifies that the PID is known (2345); using `pkill` with a name could accidentally terminate other processes with similar names. Option C is wrong because `systemctl stop processname` is used to manage systemd services, not arbitrary user processes, and it sends SIGTERM (signal 15) which the unresponsive process may ignore. Option D is wrong because `kill -15 2345` sends SIGTERM, which requests graceful termination but can be ignored or blocked by a process that is stuck or unresponsive, making it ineffective for immediate stoppage.

63
MCQ · medium

A systems administrator is troubleshooting a server that runs a database application. The server has 64 GB of RAM and 16 CPU cores. The administrator notices that the system is using a significant amount of swap space even though there is plenty of free memory. The 'free -m' command shows: total memory = 65536, used = 50000, free = 15536, buffers/cache = 10000, swap total = 8192, swap used = 6000. Which of the following is the most likely cause?

A. The vm.dirty_ratio and vm.dirty_background_ratio are set too high.
B. The vm.swappiness value is set too high.
C. The database is configured to use huge pages, which are not swappable.
D. The vm.vfs_cache_pressure is set too low.
Answer: B

A high swappiness value (e.g., 100) makes the kernel more likely to swap pages out to disk even when there is free memory available.

Why this answer

Option B is correct because a vm.swappiness value set high (the default is 60) causes the kernel to aggressively swap out anonymous pages even when ample free memory exists. With 15 GB free and 10 GB in buffers/cache, the system should not be using 6 GB of swap unless swappiness is set too high, forcing premature swapping.

Exam trap

Linux Foundation often tests the misconception that swap usage only occurs when memory is full, but the trap here is that vm.swappiness can cause swapping even with abundant free memory, leading candidates to overlook the kernel's proactive swapping behavior.

How to eliminate wrong answers

Option A is wrong because vm.dirty_ratio and vm.dirty_background_ratio control when dirty pages are written to disk, not swap usage; they affect I/O performance, not memory pressure. Option C is wrong because huge pages are locked in memory and not swappable, so they would reduce swap usage, not increase it. Option D is wrong because vm.vfs_cache_pressure controls the tendency to reclaim dentry/inode caches, not anonymous page swapping; a low value would preserve cache, not cause swap usage.

64
MCQhard

A server with multiple network interfaces has intermittent connectivity issues. The administrator suspects routing table misconfiguration. Which command would show the current routing table?

A.All of the above
B.ip route show
C.netstat -r
D.route -n
AnswerA

All three commands display the routing table.

Why this answer

Option A is correct because all three commands—`ip route show`, `netstat -r`, and `route -n`—display the kernel's IPv4 routing table on a Linux system. `ip route show` is the modern iproute2 tool, `netstat -r` reads from /proc/net/route, and `route -n` shows the table in numeric format. Since each command provides the same core routing information, any of them would allow the administrator to diagnose the routing table misconfiguration.

Exam trap

The trap here is that candidates often think only one command is correct (e.g., `ip route show` because it's modern), but the LFCS exam expects you to recognize that multiple legacy and modern tools can achieve the same task, making 'All of the above' the correct answer when all listed options are valid.

How to eliminate wrong answers

Option B is wrong because it is not incorrect—`ip route show` is a valid command that displays the routing table, but it is only one of the correct options, not the sole answer. Option C is wrong because `netstat -r` is a valid command that shows the routing table, but it is not the only correct choice. Option D is wrong because `route -n` is a valid command that displays the routing table without resolving hostnames, but it is also not the only correct choice.

The question asks for 'which command would show the current routing table,' and all three are equally valid, making 'All of the above' the comprehensive answer.

65
MCQmedium

Based on the exhibit, which process is using the most physical memory (RES)?

A.mysqld (PID 9101)
B.Not determinable from exhibit
C.nginx (PID 5678)
D.systemd (PID 1234)
AnswerA

RES is 102456, the highest among listed processes.

Why this answer

The exhibit shows the output of the `top` command, where the RES column indicates the resident memory (physical RAM) used by each process. mysqld (PID 9101) has a RES value of 2.5g, which is significantly higher than nginx (PID 5678) with 128m and systemd (PID 1234) with 48m, making it the process using the most physical memory.

Exam trap

The trap here is that candidates may confuse the VIRT (virtual memory) column with RES, or assume that a process with a higher PID or name familiarity uses more memory, rather than reading the RES values directly from the exhibit.

How to eliminate wrong answers

Option B is wrong because the exhibit clearly displays the RES column for each process, allowing direct comparison of physical memory usage. Option C is wrong because nginx (PID 5678) shows only 128m in the RES column, which is far less than mysqld's 2.5g. Option D is wrong because systemd (PID 1234) has only 48m in the RES column, the smallest value among the listed processes.

66
MCQhard

A Linux server experiences intermittent high load averages but low CPU utilization. The administrator suspects an I/O bottleneck. Which command best identifies the specific device causing the bottleneck?

A.sar -d 1
B.vmstat 1
C.top -d 1
D.iostat -x 1
AnswerD

Shows extended I/O stats per device, identifying bottlenecks.

Why this answer

Option D is correct because `iostat -x 1` provides extended device statistics, including `%util`, `await`, and `svctm`, which directly indicate the specific block device causing an I/O bottleneck. The `-x` flag reports per-device metrics like average I/O queue size and service time, making it the precise tool to identify a slow or overloaded disk under high load with low CPU usage.

Exam trap

The trap here is that candidates see high `wa` in `vmstat` or `top` and assume those tools are sufficient to identify the I/O bottleneck, but they lack per-device granularity, which `iostat -x` uniquely provides.

How to eliminate wrong answers

Option A is wrong because `sar -d 1` reports historical disk activity but requires the `sysstat` package and typically shows aggregate data without the per-device granularity and extended metrics (like `%util`) needed to pinpoint the specific bottleneck device in real time. Option B is wrong because `vmstat 1` shows system-wide I/O statistics (bi/bo) and CPU wait time (`wa`), but it does not break down I/O by individual device, so it cannot identify which specific disk is causing the bottleneck. Option C is wrong because `top -d 1` displays process-level CPU and memory usage, not per-device I/O statistics; while it can show high `wa` CPU, it cannot isolate the specific block device responsible.

67
Multi-Selectmedium

Which TWO commands can be used to check and repair an ext4 file system that is mounted as /data? (Choose two.)

Select 2 answers
A.tune2fs /dev/sdb1
B.e2fsck -fy /dev/sdb1
C.xfs_repair /dev/sdb1
D.fsck -f /dev/sdb1
E.resize2fs /dev/sdb1
AnswersB, D

e2fsck is the ext2/3/4 filesystem checker; -fy forces check and auto-repairs.

Why this answer

Options B and D are correct. fsck with -f forces a check even if clean; e2fsck is specific to ext2/3/4. Option A is incorrect because tune2fs does not check/repair. Option C is wrong because xfs_repair is for XFS. Option E is wrong because resize2fs resizes, not repairs.

68
MCQmedium

A developer reports that a web application is running out of file descriptors. Which sysctl parameter should be reviewed and potentially increased?

A.fs.nr_open
B.fs.file-max
C.kernel.max_files
D.net.ipv4.tcp_max_syn_backlog
AnswerB

This is the system-wide maximum number of open file descriptors.

Why this answer

The `fs.file-max` sysctl parameter defines the system-wide limit on the number of open file descriptors that the kernel can allocate. When a web application runs out of file descriptors, it is typically because this global limit has been reached, and increasing it allows more concurrent open files, sockets, and other descriptors. This directly resolves the reported exhaustion.

Exam trap

The trap here is that candidates confuse the system-wide limit (`fs.file-max`) with the per-process limit (`fs.nr_open` or `ulimit -n`), leading them to choose `fs.nr_open` when the question explicitly asks about a system-wide exhaustion reported by the developer.

How to eliminate wrong answers

Option A is wrong because `fs.nr_open` sets the per-process hard limit on file descriptors (default 1048576), not the system-wide total, and is rarely the bottleneck for a web application. Option C is wrong because `kernel.max_files` is not a valid sysctl parameter; the correct kernel parameter for file descriptor limits is `fs.file-max`. Option D is wrong because `net.ipv4.tcp_max_syn_backlog` controls the maximum number of half-open TCP connections (SYN backlog) and does not affect file descriptor limits.

69
MCQmedium

A Linux system reports 'Out of memory' errors frequently. The administrator checks memory usage with 'free -m' and notices that most memory is used by file cache. Which command can the administrator run to immediately free up the cache without affecting running processes?

A.sysctl vm.drop_caches=1
B.swapoff -a
C.echo 1 > /proc/sys/vm/drop_caches
D.kill -9 $(pidof some_process)
AnswerC

Writing 1 to drop_caches frees pagecache.

Why this answer

Option C is correct because writing 1 to /proc/sys/vm/drop_caches instructs the kernel to free pagecache (file cache) without terminating any processes. This is a safe, non-destructive operation that reclaims memory used for caching disk I/O, which is exactly what the administrator needs when 'free -m' shows most memory consumed by cache.

Exam trap

The trap here is that candidates confuse 'sysctl' with direct procfs writes, or think 'swapoff -a' frees memory, when in fact it only disables swap and does not reclaim file cache.

How to eliminate wrong answers

Option A is wrong because 'sysctl vm.drop_caches=1' is not a valid sysctl command; sysctl uses a 'key=value' syntax but the correct parameter path is 'vm.drop_caches', and the value must be written to the procfs file, not set via sysctl directly (though 'sysctl -w vm.drop_caches=1' would work, the given syntax is incorrect). Option B is wrong because 'swapoff -a' disables all swap devices, which does not free file cache; it may even cause memory pressure if the system relies on swap, and it does not reclaim cached pages. Option D is wrong because 'kill -9' terminates a process, which is unnecessary and disruptive; the goal is to free cache without affecting running processes, and killing a process is the opposite of that requirement.

70
MCQmedium

An administrator needs to schedule a cron job that runs a script every day at 3:00 AM, but the system is in a different time zone (UTC) than the administrator's local time (EST). The administrator wants the job to run at 3:00 AM local time regardless of system time zone changes. What is the best approach?

A.Change the system time zone to EST and set the cron job to run at 3:00 AM
B.Use the CRON_TZ variable in the crontab file to specify EST and schedule at 3:00 AM
C.Set the TZ environment variable in the crontab file before the job definition
D.Calculate the UTC equivalent (8:00 AM UTC) and schedule the job at that time
AnswerB

CRON_TZ sets the time zone for subsequent cron jobs in the file.

Why this answer

Option B is correct because the CRON_TZ variable, when set in a crontab file, allows you to specify a time zone for the cron daemon to interpret the schedule entries. This ensures the job runs at 3:00 AM EST regardless of the system's default time zone (UTC), and it persists even if the system time zone changes, as cron uses the variable for scheduling.

Exam trap

The trap here is that candidates often confuse the TZ environment variable (which affects the job's runtime environment) with the CRON_TZ variable (which affects cron's scheduling logic), leading them to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because changing the system time zone to EST would affect all system processes and logs, not just the cron job, and it would not be resilient to future time zone changes. Option C is wrong because setting the TZ environment variable in the crontab file before the job definition does not affect how cron interprets the schedule times; cron uses its own time zone logic, and TZ only affects the environment of the executed job, not the scheduling. Option D is wrong because calculating the UTC equivalent (8:00 AM UTC) would make the job run at 3:00 AM EST only as long as the system time zone remains UTC; if the system time zone changes, the job would no longer run at the desired local time.

71
MCQmedium

A system administrator is troubleshooting a production web server running CentOS 7 that became unresponsive. The server is still pingable, but SSH connections time out. The admin performs an out-of-band console login. The server appears frozen; typing commands shows no output. The admin is able to trigger a Magic SysRq key sequence (Alt+SysRq+f) to kill the hung processes. After that, the server resumes normal operation. However, the admin wants to understand the root cause. Upon checking 'dmesg', they see repeated messages: 'NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s!' followed by stack traces from a kernel thread. Which action should the admin take to prevent recurrence while maintaining system stability?

A.Replace the power supply unit to ensure stable power.
B.Increase the soft lockup threshold via sysctl to reduce false positives.
C.Add 'nosoftlockup' to the kernel boot parameters.
D.Update the server's BIOS/firmware and check for kernel updates.
AnswerD

Soft lockups often indicate hardware/firmware issues; updates may resolve.

Why this answer

Option D is correct because soft lockup errors on CentOS 7 often indicate kernel bugs or hardware/firmware issues that cause CPUs to stall for extended periods. Updating the BIOS/firmware can resolve underlying hardware timing problems, while kernel updates may include patches for known soft lockup bugs. This approach addresses the root cause without disabling or weakening the watchdog mechanism, preserving system stability.

Exam trap

The trap here is that candidates may think soft lockup errors are false positives or can be safely ignored by increasing thresholds or disabling the watchdog, when in fact they indicate a genuine kernel or hardware issue that requires a proper fix.

How to eliminate wrong answers

Option A is wrong because a failing power supply typically causes random crashes or power-offs, not soft lockup errors in a single CPU core with a stuck kernel thread. Option B is wrong because increasing the soft lockup threshold merely masks the symptom by allowing longer stalls before detection, which can lead to worse system degradation and does not fix the underlying cause. Option C is wrong because adding 'nosoftlockup' disables the NMI watchdog entirely, removing the ability to detect and recover from soft lockups, which compromises system stability and is not a proper fix.

72
Multi-Selecthard

Which THREE factors can cause a system to fail to boot after changing kernel boot parameters in GRUB?

Select 3 answers
A.An incorrect network configuration.
B.A corrupted GRUB configuration file.
C.A missing initrd file path.
D.A misspelled parameter for the kernel.
E.An invalid root filesystem UUID.
AnswersC, D, E

Initrd is required for loading modules.

Why this answer

Option C is correct because the initrd (initial RAM disk) contains essential drivers and modules needed to mount the root filesystem. If the initrd file path in GRUB is missing or incorrect, the kernel cannot load the necessary drivers to access the root partition, causing a boot failure.

Exam trap

The trap here is that candidates often confuse boot-time failures with post-boot configuration issues, mistakenly thinking that network or GRUB config errors can cause a boot failure after kernel parameters are changed, when in fact only kernel-level parameters (initrd, kernel arguments, root device) directly affect the boot process.

73
MCQhard

Refer to the exhibit. What is the most likely issue with the Apache web server?

A.The service is not enabled.
B.The main PID is incorrect.
C.The DocumentRoot directory does not exist.
D.The service is not running.
AnswerC

The log shows a warning that the DocumentRoot does not exist.

Why this answer

The most likely issue is that the DocumentRoot directory does not exist. When Apache starts, it checks for the existence of the directory specified by the DocumentRoot directive (e.g., /var/www/html). If this directory is missing, Apache will fail to serve content and may log an error like 'Primary script unknown' or 'Directory index forbidden', even though the service itself is running and enabled.

This is a common misconfiguration after moving or deleting the web root.

Exam trap

Linux Foundation often tests the distinction between a service being 'running' versus being 'functional'—candidates see 'active (running)' and assume everything is fine, missing that a missing DocumentRoot or misconfigured directory can render the web server non-functional despite the process being alive.

How to eliminate wrong answers

Option A is wrong because 'service not enabled' would prevent Apache from starting automatically on boot, but the exhibit shows the service is active (running), so it is already started. Option B is wrong because the main PID being incorrect is not a typical Apache issue; the PID shown in systemctl status is automatically assigned by the system and does not cause a failure to serve content. Option D is wrong because the service is clearly running (active (running) status), so it is not a case of the service not running.

74
MCQeasy

Refer to the exhibit. Which filesystem is close to full capacity?

A.Both are at 75% or less
B./dev/sda1
C.Neither
D./dev/sdb1
AnswerD

90% used, very close to capacity.

Why this answer

The output of `df -h` shows that /dev/sdb1 is at 80% usage, while /dev/sda1 is at 75%. The question asks which filesystem is 'close to full capacity,' and 80% is closer to full than 75%, making D correct. In the LFCS context, 'close to full' typically implies a higher percentage, and 80% exceeds the 75% threshold of the other option.

Exam trap

The trap here is that candidates may misinterpret 'close to full capacity' as any value above 50% or assume both are equally close, but the question specifically tests the ability to compare percentages and identify the higher usage.

How to eliminate wrong answers

Option A is wrong because it states both are at 75% or less, but /dev/sdb1 is at 80%, which is above 75%. Option B is wrong because /dev/sda1 is at 75%, which is not as close to full capacity as /dev/sdb1 at 80%. Option C is wrong because /dev/sdb1 is indeed close to full capacity at 80%, so 'Neither' is incorrect.

75
Multi-Selectmedium

Which TWO commands can be used to display the current runlevel or target of a systemd-based system?

Select 2 answers
A.systemctl get-default
B.telinit
C.init 3
D.systemctl list-units --type=target
E.runlevel
AnswersA, E

Displays the default target.

Why this answer

Option A is correct because `systemctl get-default` directly queries the systemd default target, which is the equivalent of the traditional runlevel in a systemd-based system. This command outputs the target that will be activated at boot, such as `multi-user.target` or `graphical.target`.

Exam trap

The trap here is that candidates may confuse commands that change the runlevel (like `init 3` or `telinit`) with commands that display it, or assume `systemctl list-units --type=target` shows the current target when it actually lists all targets regardless of state.
