CCNA Admin Tasks Questions

71 questions · Admin Tasks topic · All types, answers revealed

1
MCQmedium

A system administrator wants to configure log rotation to compress log files daily and keep 30 days of logs. Which of the following configurations achieves this goal?

A.Set the 'maxlogsize' parameter in /etc/rsyslog.conf
B.Add a configuration file in /etc/logrotate.d/ with the contents: '/var/log/mylog { daily rotate 30 compress }'
C.Create a cron job that runs 'gzip /var/log/mylog.*' daily
D.Edit /etc/logrotate.conf to set 'rotate 30 weekly'
AnswerB

This is the correct logrotate syntax for daily rotation, 30 rotations, and compression.

Why this answer

Option B is correct because logrotate is the standard Linux utility for log rotation, compression, and retention. The configuration directive 'daily rotate 30 compress' in a file under /etc/logrotate.d/ instructs logrotate to rotate logs daily, keep 30 rotated copies, and compress old logs with gzip. This directly meets the requirement of daily compression and 30-day retention.

Exam trap

The trap here is that candidates may confuse logrotate's 'rotate' count with a time-based retention period, or assume that rsyslog or a simple cron+gzip approach can handle rotation and retention, when in fact logrotate is the dedicated tool that manages both rotation and compression with precise control over file naming and retention limits.

How to eliminate wrong answers

Option A is wrong because /etc/rsyslog.conf is the configuration file for rsyslog, the system logging daemon, and it does not have a 'maxlogsize' parameter for log rotation; log rotation is handled by logrotate, not rsyslog. Option C is wrong because a cron job running 'gzip /var/log/mylog.*' would compress all matching files daily but would not perform rotation (renaming the active log) or enforce a retention limit of 30 days, leading to uncontrolled accumulation of compressed files. Option D is wrong because editing /etc/logrotate.conf to set 'rotate 30 weekly' would keep 30 weeks of logs, not 30 days, and the 'weekly' directive contradicts the requirement for daily rotation.

2
Multi-Selectmedium

Which TWO commands can be used to display the current runlevel of a system?

Select 2 answers
A.telinit q
B.systemctl get-default
C.init 3
D.runlevel
E.who -r
AnswersD, E

Displays previous and current runlevel.

Why this answer

The `runlevel` command displays the previous and current runlevel of a SysV init system. The `who -r` command also shows the current runlevel along with the process ID of the init daemon. Both are standard tools for querying runlevel information on systems using SysV init.

Exam trap

The trap here is that candidates may confuse commands that change the runlevel (like `init 3`) with commands that display it, or assume `systemctl get-default` shows the current runlevel when it actually shows the default target for the next boot.

3
MCQmedium

Refer to the exhibit. The root partition is at 80% usage. Which action would reduce usage the most?

A.Increase the size of /dev/sda1
B.Delete unused files in /tmp
C.Run 'du -sh /home' to find large files
D.Move some files from /home to /
AnswerB

If /tmp is on root, this directly frees space.

Why this answer

Option B is correct because the /tmp directory typically contains temporary files that can be safely deleted without affecting system operation. Since the root partition is at 80% usage, clearing out /tmp can reclaim significant space, especially on systems where applications or users have left large temporary files. The 'rm -rf /tmp/*' command or using tmpwatch/systemd-tmpfiles can free up space immediately.

Exam trap

The trap here is that candidates often choose option C (running 'du -sh /home') because they think identifying large files is the same as freeing space, but the question asks for an action that reduces usage, not just reports it.

How to eliminate wrong answers

Option A is wrong because increasing the size of /dev/sda1 (the root partition) does not reduce usage; it only expands the available capacity, leaving the same amount of data on the partition. Option C is wrong because running 'du -sh /home' only identifies large files in /home, which is typically a separate partition or mount point and does not directly reduce usage on the root partition. Option D is wrong because moving files from /home to / would increase usage on the root partition, making the problem worse.

4
MCQeasy

An administrator adds the line 'DenyUsers john' to /etc/ssh/sshd_config and restarts the SSH service. What is the effect?

A.User john cannot log in via SSH.
B.User john can still log in but his commands are logged.
C.User john is denied all shell access, including local and console logins.
D.All users except john cannot log in via SSH.
AnswerA

This is the intended behavior of the DenyUsers directive.

Why this answer

The 'DenyUsers' directive in /etc/ssh/sshd_config explicitly blocks the specified user(s) from authenticating via SSH. When the SSH service is restarted, the configuration is reloaded, and user 'john' will be denied SSH login attempts at the authentication layer, before any shell or command execution occurs.

Exam trap

The trap here is that candidates often confuse 'DenyUsers' with broader access restrictions like PAM-based account denial or shell-level bans, but 'DenyUsers' is SSH-specific and only affects SSH logins, not console or other remote access methods.

How to eliminate wrong answers

Option B is wrong because 'DenyUsers' does not enable logging of commands; logging of SSH sessions is controlled by directives like 'LogLevel' or 'ForceCommand' with logging wrappers, not by 'DenyUsers'. Option C is wrong because 'DenyUsers' only affects SSH access, not local console logins or other non-SSH shell access; local authentication is handled by PAM or /etc/nologin, not by sshd_config. Option D is wrong because 'DenyUsers' denies only the specified user(s), not all users except that user; the inverse behavior would require 'AllowUsers' with all other users listed.

5
Multi-Selecteasy

Which two commands can be used to display the amount of free and used memory in the system?

Select 2 answers
A.free
B.uptime
C.ps
D.top
E.vmstat
AnswersA, D

Displays amount of free and used memory in the system.

Why this answer

The `free` command displays the total amount of free and used physical memory and swap space in the system, along with buffers and cache. The `top` command provides a real-time, dynamic view of running processes and includes a summary of memory usage (both physical and swap) at the top of its output. Both commands are standard Linux utilities for monitoring memory consumption.

Exam trap

LPI often tests the distinction between commands that show system-wide memory summary (`free`, `top`) versus those that show per-process memory usage (`ps`) or system load/uptime (`uptime`), leading candidates to mistakenly select `ps` because it shows a %MEM column.

6
MCQmedium

A Linux administrator is responsible for a server that runs a critical database application. The server uses SysV init and the current runlevel is 3. The administrator needs to schedule a maintenance window for next Sunday at 2:00 AM to apply security patches that require a reboot. The administrator wants to ensure that after the reboot, the system returns to runlevel 3 and the database service (db_service) starts automatically. The administrator also wants to log the maintenance actions to /var/log/maintenance.log. Which of the following is the BEST approach to accomplish these tasks?

A.Edit /etc/rc.d/rc.local to start db_service and set runlevel via 'init 3' in the script. Then use 'at 02:00 shutdown -r now' to schedule reboot and redirect output to /var/log/maintenance.log.
B.Edit /etc/inittab to change the initdefault line to 'id:3:initdefault:' and create an init script for db_service with appropriate symlinks in /etc/rc.d/rc3.d/. Schedule the reboot using 'shutdown -r 02:00' and configure syslog to capture messages to /var/log/maintenance.log.
C.Use 'systemctl set-default runlevel3.target' and 'systemctl enable db_service' then schedule reboot with 'shutdown -r 02:00' and log with 'logger' to /var/log/maintenance.log.
D.Use 'telinit 3' and 'service db_service start' then run 'reboot' at 2:00 AM. Log actions by appending to /var/log/maintenance.log manually.
AnswerB

This correctly sets default runlevel, ensures service starts, schedules reboot, and logs actions via syslog.

Why this answer

Option B is correct because it properly configures SysV init by setting the default runlevel to 3 in /etc/inittab and ensures the database service starts automatically via init scripts with symlinks in /etc/rc.d/rc3.d/. Scheduling the reboot with 'shutdown -r 02:00' (which uses 24-hour format) and configuring syslog to capture messages to /var/log/maintenance.log provides reliable logging without manual intervention.

Exam trap

The trap here is that candidates may confuse SysV init commands with systemd commands (like systemctl) or assume that manually running init scripts or using rc.local is sufficient for persistent service management, when in fact proper init script symlinks and inittab configuration are required for SysV.

How to eliminate wrong answers

Option A is wrong because editing /etc/rc.d/rc.local to start db_service and run 'init 3' is not the standard SysV method for persistent runlevel or service management; rc.local runs after init scripts and may not execute on all reboots, and redirecting output with '>' in an 'at' job does not capture all boot messages. Option C is wrong because it uses systemctl commands (systemctl set-default, systemctl enable) which are for systemd systems, not SysV init; the server uses SysV init, so these commands are invalid. Option D is wrong because 'telinit 3' and 'service db_service start' only affect the current session and do not persist after reboot; manually appending to the log is error-prone and does not capture system boot messages.

7
MCQhard

A server has a backup script that runs daily at midnight. The system administrator notices that the script sometimes fails because the filesystem is mounted read-only. Which approach is the best practice to ensure the script runs only when the filesystem is writable?

A.Add a cron job that runs before the backup to remount the filesystem read-write
B.Use anacron to run the job after boot
C.Wrap the backup command in a script that checks if the filesystem is writable before proceeding
D.Change the cron job to run every hour until it succeeds
AnswerC

Best practice: check condition inside script and exit gracefully if not met.

Why this answer

Option C is correct because it implements a proactive check within the script itself, using a command like `touch /mountpoint/testfile 2>/dev/null` or checking `/proc/mounts` to verify write access before executing the backup. This avoids unnecessary remounts and ensures the script only proceeds when the filesystem is writable, which is a robust and self-contained solution.

Exam trap

The trap here is that candidates may assume remounting (Option A) is a safe fix, but LPIC-1 emphasizes that a read-only filesystem often indicates a deeper problem, and the best practice is to check state rather than force a change.

How to eliminate wrong answers

Option A is wrong because blindly remounting the filesystem read-write could override a forced read-only state caused by filesystem errors (e.g., from `fsck`), potentially leading to data corruption or system instability. Option B is wrong because anacron is designed to run jobs that were missed due to the system being off, not to handle a filesystem being read-only; it does not check filesystem state before execution. Option D is wrong because running the backup every hour until it succeeds wastes system resources, may cause overlapping backups, and does not address the root cause of the read-only filesystem.

8
MCQmedium

Which configuration file is the primary configuration file for logrotate?

A./var/log/messages
B./etc/logrotate.d/
C./etc/logrotate.conf
D./etc/rsyslog.conf
AnswerC

The main configuration file for logrotate.

Why this answer

The primary configuration file for logrotate is /etc/logrotate.conf. This file sets global options such as rotation frequency, compression, and the number of rotated logs to keep. It also includes configuration snippets from /etc/logrotate.d/ via an include directive, but the main control file is /etc/logrotate.conf.

Exam trap

The trap here is that candidates confuse the directory /etc/logrotate.d/ (which holds supplementary configs) with the primary configuration file /etc/logrotate.conf, or mistake /etc/rsyslog.conf (a logging daemon config) for logrotate's config.

How to eliminate wrong answers

Option A is wrong because /var/log/messages is a system log file managed by rsyslog or syslog-ng, not a configuration file for logrotate. Option B is wrong because /etc/logrotate.d/ is a directory containing per-service configuration snippets that are included by /etc/logrotate.conf, not the primary configuration file itself. Option D is wrong because /etc/rsyslog.conf is the configuration file for the rsyslog daemon, which handles system logging, not log rotation.

9
MCQmedium

Based on the exhibit, which of the following is true about the cleanup.sh job?

A.It runs at 4:30 AM every day
B.It runs at 4:30 AM on Monday through Friday
C.It runs at 4:00 AM on weekdays
D.It runs at 4:30 AM on weekends
AnswerB

Correct interpretation of the cron schedule.

Why this answer

The cron expression `30 4 * * 1-5` specifies that the job runs at minute 30, hour 4 (4:30 AM), every day of month (*), every month (*), but only on days of the week 1 through 5 (Monday=1, Tuesday=2, Wednesday=3, Thursday=4, Friday=5). Therefore, the job runs at 4:30 AM on Monday through Friday.

Exam trap

The trap here is that candidates often misread the minute field (30) as the hour or confuse the day-of-week range `1-5` with 'every day', leading them to select 'every day' or 'weekends' instead of the correct weekday-only schedule.

How to eliminate wrong answers

Option A is wrong because it states 'every day', but the day-of-week field `1-5` restricts execution to weekdays only, not all seven days. Option C is wrong because it specifies 4:00 AM, but the minute field is `30`, not `0`, so the job runs at 4:30 AM, not 4:00 AM. Option D is wrong because it says 'on weekends', but the day-of-week range `1-5` explicitly excludes Saturday (6) and Sunday (0 or 7), so the job does not run on weekends.

10
MCQmedium

Which command displays all error messages from the systemd journal since the last boot?

A.journalctl -b -p warning
B.journalctl -b -p err
C.journalctl -b -p crit
D.journalctl -b -p info
AnswerB

Correct: shows error messages for current boot.

Why this answer

Option B is correct because `journalctl -b -p err` filters the systemd journal to show only messages with a priority level of 'err' (error) or higher since the last boot. The `-b` flag restricts output to the current boot, and `-p err` selects messages at the 'err' level and above (including 'crit', 'alert', and 'emerg'), which are all error-related. This matches the requirement to display 'all error messages' from the systemd journal since the last boot.

Exam trap

The trap here is that candidates may confuse the 'level-or-above' behavior of `-p` and think `-p err` only shows exact 'err' messages, or they may incorrectly assume `-p warning` includes errors, when in fact 'warning' is a lower priority and does not cover all error levels.

How to eliminate wrong answers

Option A is wrong because `-p warning` filters for 'warning' priority messages and above, which includes 'warning' itself but also 'err', 'crit', 'alert', and 'emerg'; however, 'warning' is not an error message—it indicates a potential issue, not an actual error, so it does not display 'all error messages' exclusively. Option C is wrong because `-p crit` filters for 'crit' (critical) priority and above, which is a subset of error messages but excludes 'err' (error) level messages, so it does not display 'all error messages'—it only shows the most severe ones. Option D is wrong because `-p info` filters for 'info' priority and above, which includes informational messages, notices, warnings, and errors; this is too broad and includes non-error messages, failing to display only error messages.

11
MCQeasy

An administrator wants to run a shell script every day at 2:00 AM. Which command should be used to edit the user's personal crontab?

A.crontab -l
B.crontab -e
C.at 2:00 AM
D.vi /var/spool/cron/crontabs/username
AnswerB

Opens the personal crontab in the default editor for modifications.

Why this answer

The correct command to edit a user's personal crontab is `crontab -e`. This invokes the default text editor (as defined by the EDITOR or VISUAL environment variable) on the user's crontab file, ensuring proper syntax validation and locking to prevent concurrent edits. It is the standard and recommended way to modify cron jobs for the current user.

Exam trap

The trap here is that candidates may think they can directly edit the crontab file in `/var/spool/cron/` with `vi`, but the LPIC-1 exam expects you to know that only the `crontab` command should be used to safely modify user crontabs to avoid syntax errors and file corruption.

How to eliminate wrong answers

Option A is wrong because `crontab -l` lists the current user's crontab entries to standard output, it does not open an editor for modifications. Option C is wrong because `at 2:00 AM` is used for scheduling a one-time job at a specific time, not for recurring daily execution at 2:00 AM; `at` does not edit crontab files. Option D is wrong because directly editing the file `/var/spool/cron/crontabs/username` (or `/var/spool/cron/username` on some systems) bypasses the `crontab` command's syntax checking and locking mechanisms, which can lead to corruption or invalid entries; the `crontab` command should always be used to safely modify these files.

12
MCQhard

To prevent the 'nouveau' kernel module from loading at boot, which configuration file should be edited?

A./etc/modprobe.d/nouveau.conf with 'blacklist nouveau'
B./etc/modules-load.d/nouveau.conf
C.Both A and B are valid
D./etc/modprobe.d/blacklist.conf with 'blacklist nouveau'
AnswerC

Correct: any .conf file in /etc/modprobe.d/ works.

Why this answer

The 'nouveau' kernel module can be prevented from loading at boot by either adding a blacklist entry in a file under /etc/modprobe.d/ (e.g., 'blacklist nouveau' in /etc/modprobe.d/nouveau.conf) or by placing the module name in a file under /etc/modules-load.d/ (which is actually used to load modules, not blacklist them, but the question's context treats both as valid methods for preventing loading, though the latter is unconventional). Option C is correct because both A and B represent valid approaches: A uses the standard blacklist mechanism, and B, while typically for loading modules, can be misused to prevent loading by not including the module, but the exam considers both as valid configuration files for this purpose.

Exam trap

The trap here is that candidates often assume only the blacklist directive in /etc/modprobe.d/ is valid, but the exam considers both /etc/modprobe.d/ and /etc/modules-load.d/ as valid configuration files for preventing module loading, even though the latter is technically for loading modules, testing whether you know the broader set of files that can affect module behavior.

How to eliminate wrong answers

Option A is wrong because it is actually a correct method, not a wrong one; the question's answer key marks C as correct, meaning A alone is insufficient as an answer. Option B is wrong because /etc/modules-load.d/ is designed to specify modules to load at boot, not to blacklist them; using it to prevent loading is a misuse and not the standard practice. Option D is wrong because while /etc/modprobe.d/blacklist.conf is a common file name, the directive 'blacklist nouveau' is correct, but the option is incomplete as it does not include the alternative method in B, and the exam expects both A and B to be valid.

13
MCQmedium

An administrator wants to allow user 'john' to run all commands as root without a password. Which sudoers entry accomplishes this?

A.john ALL=(ALL) NOPASSWD: ALL
B.john ALL=NOPASSWD: /bin/su
C.john ALL=(ALL) ALL
D.john ALL=(ALL) PASSWD: ALL
AnswerA

Correct: allows all commands without password.

Why this answer

Option A is correct because the sudoers entry 'john ALL=(ALL) NOPASSWD: ALL' grants user 'john' permission to run any command as any user (including root) from any host, and the NOPASSWD tag overrides the default password requirement, allowing passwordless execution. This matches the requirement precisely.

Exam trap

The trap here is that candidates often confuse the absence of a TAG (which defaults to requiring a password) with passwordless access, or they mistakenly think that specifying 'ALL' without the NOPASSWD tag implies no password is needed.

How to eliminate wrong answers

Option B is wrong because it restricts john to only running '/bin/su' without a password, not all commands as root. Option C is wrong because it omits the NOPASSWD tag, so john would still be prompted for a password before executing commands as root. Option D is wrong because it explicitly specifies PASSWD: ALL, which forces password authentication, the opposite of the requirement.

14
MCQmedium

An administrator notices the system clock is drifting. Which command can be used to enable automatic time synchronization using NTP on a system with systemd?

A.ntpdate pool.ntp.org
B.timedatectl set-ntp yes
C.systemctl start ntpd
D.date --set
AnswerB

This enables automatic time synchronization using NTP.

Why this answer

Option B is correct because `timedatectl set-ntp yes` enables automatic time synchronization via NTP on systems using systemd. This command configures the `systemd-timesyncd` service, which is the default NTP client for systemd-based distributions, to synchronize the system clock with remote NTP servers. It is the standard, modern method for managing NTP settings in such environments.

Exam trap

The trap here is that candidates often confuse one-time synchronization commands (like `ntpdate` or `date --set`) with the persistent enabling of automatic NTP synchronization, or they assume starting the `ntpd` service alone is sufficient without using `timedatectl` to manage systemd's time synchronization framework.

How to eliminate wrong answers

Option A is wrong because `ntpdate pool.ntp.org` performs a one-time manual synchronization of the system clock, not enabling automatic time synchronization; it is also deprecated in favor of `timedatectl` and `ntpd` or `chronyd`. Option C is wrong because `systemctl start ntpd` starts the traditional NTP daemon, but this command alone does not enable automatic synchronization at boot or integrate with systemd's timedatectl mechanism; it also requires the `ntpd` service to be installed and configured separately. Option D is wrong because `date --set` manually sets the system clock to a specified value, which does not enable automatic synchronization and is a temporary, non-persistent change.

15
Multi-Selecthard

Which THREE files are used by CUPS to manage printer queues? (Choose THREE.)

Select 3 answers
A./etc/cups/lpoptions
B./etc/cups/ppd/
C./etc/cups/classes.conf
D./etc/cups/cupsd.conf
E./etc/cups/printers.conf
AnswersC, D, E

This file defines printer classes.

Why this answer

CUPS uses /etc/cups/printers.conf to define printer queues and their associated options, /etc/cups/classes.conf to manage printer classes (groups of queues), and /etc/cups/cupsd.conf as the main daemon configuration file that controls access, logging, and other server settings. These three files are directly read by the CUPS daemon to manage and serve printer queues.

Exam trap

The trap here is that candidates confuse the PPD directory (/etc/cups/ppd/) or the lpoptions file with the actual queue configuration files, because they are all located under /etc/cups/ and are involved in printing, but only printers.conf, classes.conf, and cupsd.conf directly manage queue definitions and server behavior.

16
MCQmedium

A system is not logging messages to /var/log/syslog. Which command should an administrator use first to diagnose the issue?

A.tail -f /var/log/syslog
B.logger test
C.ps aux | grep syslog
D.systemctl status rsyslog
AnswerD

Checks the status of the rsyslog service to see if it is active and running.

Why this answer

Option D is correct because the first step in diagnosing why messages are not appearing in /var/log/syslog is to verify that the rsyslog service is running and active. The 'systemctl status rsyslog' command shows the current service state, recent logs, and any errors that might prevent logging. Without confirming the service status, other diagnostic steps may be misleading.

Exam trap

The trap here is that candidates often jump to testing the logging pipeline (with 'logger') or checking for a process by name, instead of first verifying the service status with systemctl, which is the systematic and most efficient diagnostic step.

How to eliminate wrong answers

Option A is wrong because 'tail -f /var/log/syslog' only monitors the log file for new entries; if no messages are being written, it will simply hang and provide no diagnostic information about why logging has stopped. Option B is wrong because 'logger test' sends a test message to the syslog system, but if the service is not running or misconfigured, the message will not be logged and the command gives no feedback about the underlying issue. Option C is wrong because 'ps aux | grep syslog' only checks for a process named 'syslog' in the process list, but modern systems use rsyslog or syslog-ng, and this command may miss the actual daemon or show unrelated processes, failing to reveal service status or configuration errors.

17
Multi-Selectmedium

Which THREE commands are used to manage systemd services? (Choose THREE.)

Select 3 answers
A.systemctl status
B.systemctl start
C.systemctl enable
D.chkconfig --add
E.service start
AnswersA, B, C

Correct: shows the status of a systemd service.

Why this answer

The `systemctl` command is the primary tool for managing systemd services on Linux systems. `systemctl status` displays the current state of a service, including whether it is active, enabled, and recent log entries. `systemctl start` immediately activates a service by sending it a start signal via systemd's D-Bus interface. `systemctl enable` creates symbolic links in the filesystem (e.g., in `/etc/systemd/system/multi-user.target.wants/`) to ensure the service starts automatically at boot.

Exam trap

The trap here is that candidates confuse legacy SysV init commands like `chkconfig` and `service` with systemd's `systemctl`, expecting them to be interchangeable, but LPIC-1 tests the modern systemd toolset explicitly.

18
Drag & Dropmedium

Arrange the steps to troubleshoot a service that fails to start.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Troubleshooting starts with checking status and logs, then examining config files, fixing, and restarting.

19
MCQhard

An administrator ran 'dnf update' and a critical application broke. The administrator wants to undo the last transaction and return to previous state. Which command should be used?

A.dnf undo last
B.dnf rollback
C.yum rollback
D.dnf history undo last
AnswerD

Correct: undoes the last transaction.

Why this answer

The correct command is 'dnf history undo last' because DNF maintains a transaction history that can be reverted. The 'undo' subcommand reverses the specified transaction (in this case, the last one) by applying the inverse operations, restoring packages to their previous state. This is the standard way to roll back a DNF transaction without affecting unrelated changes.

Exam trap

The trap here is that candidates confuse 'undo' with 'rollback' or assume DNF uses the same syntax as YUM, leading them to pick 'dnf rollback' or 'yum rollback' instead of the correct 'dnf history undo last'.

How to eliminate wrong answers

Option A is wrong because 'dnf undo last' is not a valid DNF command; DNF requires the 'history' subcommand before 'undo'. Option B is wrong because 'dnf rollback' does not exist; DNF uses 'history undo' or 'history rollback' (the latter reverts to a specific transaction ID, not the last one). Option C is wrong because 'yum rollback' is a legacy YUM command that is not available in DNF; DNF replaced YUM and uses 'dnf history' for transaction management.

20
MCQeasy

An administrator needs to find all files in the /var/log directory that have been modified in the last 24 hours. Which command should be used?

A.find /var/log -ctime 0
B.find /var/log -mtime 0
C.find /var/log -atime 0
D.find /var/log -mmin 1440
AnswerB

mtime 0 matches files modified within the last 24 hours.

Why this answer

Option B is correct because the `find` command with `-mtime 0` searches for files whose data modification time is within the last 24 hours. The `-mtime` option uses a 24-hour period, and a value of 0 means modified less than 24 hours ago, which matches the requirement to find files modified in the last 24 hours in /var/log.

Exam trap

The trap here is that candidates confuse `-ctime` (inode change time) with `-mtime` (modification time), or mistakenly think `-atime` (access time) is relevant for modification, leading them to pick options that do not match the requirement for content modification.

How to eliminate wrong answers

Option A is wrong because `-ctime 0` checks the inode change time (ctime), which includes metadata changes like permission or ownership changes, not file content modification; this can return files that were not modified in terms of content. Option C is wrong because `-atime 0` checks the access time (atime), which is updated when a file is read, not when it is modified; this would include files that were simply accessed, not modified. Option D is wrong because `-mmin 1440` checks for files modified within the last 1440 minutes (exactly 24 hours), but the question asks for files modified in the last 24 hours, and `-mmin` uses a precise minute count, which is technically correct but less standard for this requirement; however, the primary issue is that the question expects `-mtime 0` as the standard approach, and `-mmin 1440` could miss files modified exactly 1440 minutes ago due to integer rounding behavior in `-mtime` vs `-mmin`.

21
Multi-Selecteasy

Which TWO commands can be used to display the current runlevel of a SysV init system?

Select 2 answers
A.init 3
B.who -r
C.telinit
D.runlevel
E.systemctl get-default
AnswersB, D

The 'who -r' command displays the current runlevel and process since last boot.

Why this answer

The `who -r` command displays the current runlevel and the time it was last changed, making it a valid way to check the runlevel in a SysV init system. The `runlevel` command directly outputs the previous and current runlevel, which is the standard tool for this purpose.

Exam trap

The trap here is that candidates confuse commands that change runlevels (like `init` or `telinit`) with those that display them, or mistakenly apply systemd commands like `systemctl get-default` to SysV init systems.

22
Multi-Selecteasy

Which TWO commands can be used to view all running processes on a Linux system? (Choose TWO.)

Select 2 answers
A.jobs
B.ls /proc
C.pstree
D.top
E.ps aux
AnswersD, E

Correct: interactive process viewer showing all running processes.

Why this answer

Option D, `top`, is correct because it provides a real-time, interactive view of all running processes, including their PID, CPU and memory usage, and other dynamic metrics. Option E, `ps aux`, is correct because it displays a static snapshot of all processes on the system using the BSD-style syntax, where `a` shows all users, `u` provides user-oriented output, and `x` includes processes without a controlling terminal.

Exam trap

The trap here is that candidates often confuse `jobs` (which only shows shell background jobs) with a system-wide process listing, or they think `ls /proc` alone is sufficient to view processes, when in fact it only lists directory names and requires additional commands to extract meaningful process data.

23
MCQeasy

A user reports that a cron job is not executing. The cron job is defined in /etc/crontab. The administrator checks the system logs and finds no errors. Which command should the administrator use to verify that the cron daemon is running?

A.pgrep cron
B.systemctl status cron
C.crontab -l
D.ps aux | grep cron
AnswerA

Returns PID if cron is running, gives no output if not.

Why this answer

Option A is correct because `pgrep cron` searches the process table for processes named 'cron' and returns the PID(s) if running. This is a quick, reliable way to verify the cron daemon is active without parsing full process lists or relying on systemd-specific commands.

Exam trap

The trap here is that candidates may choose `systemctl status cron` assuming all Linux systems use systemd, or `ps aux | grep cron` without realizing it can produce false matches, while `pgrep cron` is the most portable and precise command for checking if a process is running.

How to eliminate wrong answers

Option B is wrong because `systemctl status cron` is a systemd command; on many Linux distributions (e.g., older SysVinit systems or minimal containers), systemd may not be the init system, and the cron service might be managed differently, so this command could fail or return misleading results. Option C is wrong because `crontab -l` lists the current user's personal crontab entries, not the system crontab (/etc/crontab), and it does not check whether the cron daemon is running. Option D is wrong because `ps aux | grep cron` can show false positives (e.g., the grep process itself matching 'cron') and is less direct than `pgrep`, which matches exact process names.

24
MCQeasy

An administrator needs to check the system's load averages without displaying any process information. Which command should be used?

A.w
B.top
C.ps
D.uptime
AnswerD

Correctly displays load averages with minimal output.

Why this answer

The `uptime` command displays the current time, how long the system has been running, the number of logged-in users, and the system load averages for the past 1, 5, and 15 minutes. It does not show any process-level information, making it the correct choice for checking load averages alone.

Exam trap

The trap here is that candidates often confuse `uptime` with `w` or `top` because both also display load averages, but the question explicitly requires no process information, which `w` and `top` include.

How to eliminate wrong answers

Option A is wrong because `w` displays load averages but also shows detailed information about currently logged-in users and their processes. Option B is wrong because `top` provides a real-time, dynamic view of running processes along with load averages, which is more than what the question asks for. Option C is wrong because `ps` reports a snapshot of current processes and does not display system load averages at all.

25
MCQmedium

An administrator wants to prevent a specific user, 'john', from being able to schedule cron jobs. Which file should the administrator modify?

A./var/spool/cron/crontabs
B./etc/cron.allow
C./etc/crontab
D./etc/cron.deny
AnswerD

Add 'john' to this file to prevent him from using cron.

Why this answer

The /etc/cron.deny file lists users who are explicitly denied access to schedule cron jobs. If this file exists and the user 'john' is listed in it, he will be prevented from using crontab. This is the standard mechanism for restricting cron access when /etc/cron.allow does not exist.

Exam trap

The trap here is that candidates confuse /etc/cron.allow with /etc/cron.deny, thinking that modifying the allow file is the only way to control access, but the question specifically asks for a file to prevent a user, which is the deny file.

How to eliminate wrong answers

Option A is wrong because /var/spool/cron/crontabs is a directory containing individual user crontab files, not a configuration file for access control. Option B is wrong because /etc/cron.allow is used to explicitly allow users to schedule cron jobs; modifying it would not prevent 'john' unless he is removed from it, but the question asks for a file to prevent him, and /etc/cron.deny is the direct method. Option C is wrong because /etc/crontab is the system-wide cron table for scheduled tasks, not a user access control file.

26
MCQmedium

Refer to the exhibit. What can be concluded about the cron daemon based on this systemctl output?

A.It is stopped.
B.It is enabled but not currently running.
C.It has failed recently.
D.It is running and will start automatically at system boot.
AnswerD

The output shows 'active (running)' and 'enabled', meaning it is currently running and configured to start at boot.

Why this answer

The systemctl output shows 'Loaded: loaded' and 'Active: active (running)' for the cron daemon, which indicates it is currently running. Additionally, the 'enabled' status in the 'Loaded' line means the service is configured to start automatically at system boot. Therefore, option D is correct.

Exam trap

The trap here is that candidates may confuse 'enabled' (start at boot) with 'active' (currently running), leading them to select option B when the service is actually running, or they may misinterpret the absence of explicit 'failed' text as meaning the service is stopped.

How to eliminate wrong answers

Option A is wrong because 'Active: active (running)' explicitly shows the cron daemon is running, not stopped. Option B is wrong because while the service is enabled, it is also currently running, not just enabled but not running. Option C is wrong because there is no indication of a failure; the status shows 'active (running)' with no mention of 'failed' or recent crash logs in the output.

27
MCQmedium

A system administrator needs to ensure a custom script runs every time the system boots. Where should the script be placed for execution during the boot process on a standard Linux system?

A./etc/cron.d/
B./etc/init.d/
C./etc/cron.hourly/
D./etc/rc.local
AnswerD

This file is executed at the end of the boot process and is suitable for custom startup scripts.

Why this answer

Option D is correct because /etc/rc.local is a legacy system initialization script that is executed at the end of the boot process on many Linux distributions using SysV init or systemd (with a compatibility unit). Placing a custom script inside /etc/rc.local ensures it runs once per boot, after all other init scripts have completed, making it a straightforward method for executing custom commands or scripts at system startup.

Exam trap

The trap here is that candidates often confuse cron directories (like /etc/cron.d/ or /etc/cron.hourly/) with boot-time execution, because both involve running scripts, but cron is strictly time-based and unrelated to the boot sequence.

How to eliminate wrong answers

Option A is wrong because /etc/cron.d/ is used for cron job scheduling, not for boot-time execution; cron jobs run at specified times or intervals, not during system boot. Option B is wrong because /etc/init.d/ contains SysV init scripts that are managed by the init system (e.g., via update-rc.d or systemctl), and simply placing a script there does not automatically register it for execution at boot; it must be properly linked or enabled. Option C is wrong because /etc/cron.hourly/ is a directory for cron jobs that run every hour, not at boot time; it is part of the cron system, not the boot process.

28
MCQhard

A user can successfully ping a web server but cannot access the website via a browser. Which is the most likely cause?

A.Incorrect subnet mask
B.Web service (e.g., Apache) not running
C.Firewall blocking HTTP ports
D.DNS resolution failure
AnswerB

If the web service is down, ping will still work because the network layer is functional, but HTTP requests will fail.

Why this answer

B is correct because the user can successfully ping the web server, confirming that the server is reachable at the network layer (ICMP). However, the inability to access the website via a browser indicates that the application layer service handling HTTP/HTTPS requests is not running. If the web service (e.g., Apache, Nginx) is stopped or crashed, the server will not respond to TCP port 80 or 443, even though basic connectivity exists.

Exam trap

The trap here is that candidates often assume a successful ping implies full application-layer functionality, but LPIC-1 tests the understanding that ICMP and TCP are separate protocols, and a web service must be explicitly running to serve HTTP content.

How to eliminate wrong answers

Option A is wrong because an incorrect subnet mask would prevent the user from reaching the server at all, making ping fail; since ping succeeds, the subnet mask is correctly configured. Option C is wrong because a firewall blocking HTTP ports would typically block the browser request but not necessarily ICMP echo requests, but the question states ping succeeds, so a firewall blocking only HTTP could be possible; however, the most likely cause is the web service not running, as firewalls are often configured to allow ICMP and HTTP separately, and a stopped service is a more common issue. Option D is wrong because DNS resolution failure would prevent the browser from resolving the domain name to an IP address, but the user can ping the server, which implies they are using an IP address or DNS is working; if DNS were failing, ping would also fail unless using an IP directly.

29
Multi-Selectmedium

Which THREE directories are commonly used for mounting removable media in Linux?

Select 3 answers
A./mnt
B./mount
C./cdrom
D./dev
E./media
AnswersA, C, E

A common general-purpose mount point, often used for temporary mounts.

Why this answer

A is correct because /mnt is a standard directory defined by the Filesystem Hierarchy Standard (FHS) for temporarily mounting filesystems, including removable media like USB drives or external hard disks. It provides a generic mount point that system administrators can use for manual mounts, though it is less commonly used for automatic mounting compared to /media.

Exam trap

The trap here is that candidates may confuse /dev (the device directory) with a mount point, or assume /mount is a valid FHS directory, when in fact only /mnt and /media are correct for mounting removable media.

30
MCQhard

Refer to the exhibit. An administrator runs 'ntpq -p' and sees the output shown. What is the most likely cause of the '16' stratum and '0.000' delay/offset?

A.The NTP service is not running.
B.The firewall is blocking UDP port 123.
C.The NTP daemon has recently started and has not yet synchronized.
D.The restrict lines are blocking all NTP queries.
AnswerC

The 'iburst' option causes rapid initial polls, but it still takes a few minutes for synchronization. The 0 reach and stratum 16 indicate no synchronization yet.

Why this answer

The '16' stratum and '0.000' delay/offset values in the 'ntpq -p' output indicate that the NTP daemon has not yet synchronized with any time source. When ntpd starts, it initially sets the stratum to 16 (unsynchronized) and shows zero values for delay and offset until it completes the synchronization process. This is a normal transient state that resolves once the daemon successfully contacts and synchronizes with an NTP server.

Exam trap

The trap here is that candidates often assume a stratum of 16 and zero delay/offset indicate a firewall or service failure, but the correct interpretation is that the NTP daemon has just started and has not yet synchronized, which is a normal temporary state.

How to eliminate wrong answers

Option A is wrong because if the NTP service were not running, the 'ntpq -p' command would typically return an error or show no output, not display a stratum of 16 with zero delay/offset. Option B is wrong because a firewall blocking UDP port 123 would prevent any NTP communication, resulting in no reachable servers or persistent '16' stratum, but the zero delay/offset specifically indicates the daemon has not yet attempted or completed synchronization, not that packets are being dropped. Option D is wrong because restrict lines blocking all NTP queries would cause the daemon to fail to contact servers, leading to a persistent unsynchronized state, but the zero delay/offset is a characteristic of a freshly started daemon that has not yet attempted synchronization, not a permanent restriction issue.

31
MCQhard

After creating a new user with 'useradd john', the user 'john' cannot log in. What is the most likely cause?

A.The home directory does not exist
B.No password has been set for the user
C.The user's shell is not set
D.The user is not in the sudoers file
AnswerB

The 'useradd' command creates the account but does not assign a password; the account is locked initially.

Why this answer

The `useradd` command creates a new user account but does not set a password. Without a password, the system's authentication mechanism (typically PAM) will deny login attempts, as there is no valid password hash in `/etc/shadow`. The user must have a password assigned via `passwd john` before they can authenticate.

Exam trap

The trap here is that candidates assume `useradd` fully provisions an account, overlooking that password assignment is a separate mandatory step, and they may confuse login failure with missing home directory or shell issues.

How to eliminate wrong answers

Option A is wrong because `useradd` by default creates the home directory from `/etc/default/useradd` or `/etc/login.defs` unless explicitly overridden with `-M`; if it did not exist, the user would still be able to log in (though they might get a warning or land in `/`). Option C is wrong because `useradd` assigns a default shell (usually `/bin/sh` or `/bin/bash`) from `/etc/default/useradd`; if the shell is missing or invalid, login might fail, but the default is always set. Option D is wrong because membership in the sudoers file is irrelevant to basic login capability; sudo access is a privilege escalation mechanism, not a prerequisite for authentication.

32
MCQhard

A Linux system fails to boot with the error 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)'. Which of the following is the most likely cause?

A.The root filesystem has a corrupted superblock
B.The initrd file is missing or corrupted
C.The kernel lacks the necessary driver for the storage controller
D.The bootloader configuration points to the wrong partition
AnswerC

Kernel cannot access the root device due to missing storage driver.

Why this answer

The error 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates that the kernel cannot find or access the root filesystem. This typically occurs when the kernel lacks the necessary driver (module) for the storage controller (e.g., SATA, SCSI, NVMe) that the root device is connected to. Without the driver, the kernel cannot communicate with the storage hardware, resulting in the unknown-block(0,0) identifier.

Exam trap

The trap here is that candidates often confuse the 'unknown-block(0,0)' error with a bootloader misconfiguration (Option D) or a corrupted filesystem (Option A), but the key is that the error specifically indicates the kernel cannot identify the block device at all, not that it found the wrong device or that the filesystem is unreadable.

How to eliminate wrong answers

Option A is wrong because a corrupted superblock would produce a different error, such as 'mount: /dev/sda1: can't read superblock' or a filesystem-specific error during mount, not the 'unknown-block(0,0)' kernel panic. Option B is wrong because a missing or corrupted initrd would typically cause a kernel panic with an error like 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)' only if the initrd contains the necessary storage driver; however, the initrd itself is not the root filesystem, and its absence usually leads to a 'No init found' or 'Failed to execute /init' panic, not the specific block device error. Option D is wrong because a bootloader configuration pointing to the wrong partition would result in a different error, such as 'rootfs not found' or a kernel panic with a specific device identifier (e.g., unknown-block(8,1)), not the generic unknown-block(0,0) which indicates the device node itself is unrecognized by the kernel.

33
MCQhard

A systemd service unit file must be configured to automatically restart the service if it exits unexpectedly. Which directive should be used?

A.Type=forking
B.Restart=always
C.RemainAfterExit=yes
D.ExecStop=/bin/true
AnswerB

This directs systemd to restart the service automatically after it stops, regardless of exit status.

Why this answer

The `Restart=always` directive in a systemd service unit file instructs systemd to automatically restart the service regardless of the exit status, including unexpected crashes or terminations. This ensures high availability by restarting the process whenever it exits, unless explicitly stopped by systemctl. Other directives like `Type=forking` or `RemainAfterExit=yes` do not control restart behavior.

Exam trap

The trap here is that candidates confuse `Restart=always` with `Type=forking` or `RemainAfterExit=yes`, mistakenly thinking these directives handle automatic restarts, when in fact they address process forking or service state after exit.

How to eliminate wrong answers

Option A is wrong because `Type=forking` defines the service's startup behavior (expecting the process to fork and the parent to exit), not its restart policy. Option C is wrong because `RemainAfterExit=yes` tells systemd to consider the service as active even after the main process exits, but it does not trigger automatic restarts. Option D is wrong because `ExecStop=/bin/true` specifies a command to run when stopping the service, not a condition for automatic restart.

34
Multi-Selecthard

Which THREE of the following statements are true about the /etc/shadow file?

Select 3 answers
A.It contains the encrypted passwords in the second field, replacing the 'x' in /etc/passwd
B.It can contain password expiration information
C.It is readable only by the root user
D.The second field contains the encrypted password
E.It is world-readable to allow any user to verify passwords
AnswersB, C, D

Fields like last change, min/max days, warning period are in shadow.

Why this answer

The /etc/shadow file stores password expiration information, such as the last password change date, minimum and maximum password age, warning period, and inactivity period. This data is used by the system to enforce password aging policies, making option B correct.

Exam trap

The trap here is that candidates often confuse the purpose of /etc/shadow with /etc/passwd, mistakenly thinking the second field of /etc/shadow contains a placeholder like 'x' instead of the actual encrypted password hash.

35
Multi-Selecthard

Which THREE signals are commonly used to terminate a process with the kill command?

Select 3 answers
A.SIGSTOP
B.SIGKILL
C.SIGINT
D.SIGHUP
E.SIGTERM
AnswersB, D, E

Forces immediate termination; cannot be caught or ignored.

Why this answer

SIGKILL (signal 9) is one of the three signals commonly used to terminate a process with the kill command because it forcefully kills the process without allowing it to clean up or ignore the signal. SIGTERM (signal 15) is the default signal sent by kill, requesting graceful termination. SIGHUP (signal 1) is traditionally used to hang up a terminal line but is also commonly used to reload configuration files or terminate processes in daemon management.

Exam trap

The trap here is that candidates often confuse SIGSTOP with SIGKILL or SIGTERM, or mistakenly include SIGINT as a common kill command signal, when in fact SIGINT is more associated with terminal interrupts rather than direct process termination via kill.

36
MCQeasy

A system administrator needs to schedule a recurring maintenance task that runs every Monday at 3 AM. Which crontab entry is correct?

A.3 0 * * 1 /script.sh
B.0 3 * * 0 /script.sh
C.0 3 * * 7 /script.sh
D.0 3 * * 1 /script.sh
AnswerD

Correct: runs at 3:00 AM on Monday.

Why this answer

Option D is correct because the crontab syntax is minute, hour, day of month, month, day of week. Setting minute=0, hour=3, day of week=1 runs the script at 3:00 AM every Monday (day 1 represents Monday in cron).

Exam trap

The trap here is confusing the day-of-week numbering (Monday=1 vs Sunday=0/7) and mixing minute and hour fields, leading candidates to select entries that run at the wrong time or on the wrong day.

How to eliminate wrong answers

Option A is wrong because it sets minute=3 and hour=0, which would run at 12:03 AM, not 3 AM. Option B is wrong because it sets day of week=0, which represents Sunday, not Monday. Option C is wrong because it sets day of week=7, which is not a valid day in standard cron (valid range is 0-6 or 1-7 depending on implementation, but 7 is ambiguous and not universally accepted; the correct Monday value is 1).

37
MCQmedium

A zombie process appears in the process list. The parent process has PID 1234. Which command will most likely remove the zombie?

A.kill -9 1234
B.kill -9 <zombie_pid>
C.wait <zombie_pid>
D.reboot
AnswerA

Killing the parent process (PID 1234) causes the zombie to be adopted by init and then reaped.

Why this answer

A zombie process is a child process that has terminated but whose exit status has not been read by its parent. The zombie cannot be killed directly because it is already dead; it only remains in the process table until the parent calls wait(). Sending SIGKILL (kill -9) to the parent process (PID 1234) causes the parent to terminate, and the zombie child is then adopted by init (PID 1), which automatically reaps it by calling wait().

Exam trap

The trap here is that candidates mistakenly think they can kill the zombie itself with kill -9, not realizing that a zombie is already dead and the only way to remove it is to force its parent to reap it or terminate the parent.

How to eliminate wrong answers

Option B is wrong because kill -9 on the zombie PID has no effect; the zombie is already dead and cannot be signaled. Option C is wrong because wait is a system call used by the parent, not a command that can be run from the shell to reap a zombie belonging to another process. Option D is wrong because rebooting is an extreme and unnecessary measure; it would remove the zombie but also disrupt all running processes and is not the standard or recommended solution.

38
MCQeasy

Refer to the exhibit. What is the file permission in numeric mode for /etc/crontab?

A.644
B.600
C.444
D.755
AnswerA

rw-r--r-- corresponds to 644.

Why this answer

The /etc/crontab file is a system-wide configuration file for cron jobs. It must be readable by all users to allow cron to read the scheduled tasks, but only writable by root to prevent unauthorized modifications. The standard permission is 644 (owner read/write, group read, others read).

Exam trap

The trap here is that candidates often confuse the permissions for /etc/crontab with those for user crontab files (which are stored in /var/spool/cron/ and typically have 600 permissions) or mistakenly think that execute permission is needed for configuration files.

How to eliminate wrong answers

Option B (600) is wrong because it would make the file readable only by root, preventing the cron daemon from reading the file when it runs as a non-root user. Option C (444) is wrong because it removes write permission for the owner (root), making it impossible to edit the crontab file without changing permissions first. Option D (755) is wrong because it grants execute permission to all users, which is unnecessary and a security risk for a text configuration file.

39
MCQhard

A system administrator wants to ensure that the syslog service starts automatically on boot and is running immediately without a reboot. Which command sequence should be used?

A.systemctl start syslog && systemctl enable syslog
B.systemctl start --enable syslog
C.systemctl enable syslog && systemctl start syslog
D.systemctl enable --now syslog
AnswerD

The --now flag enables and starts the service in one step.

Why this answer

Option D is correct because `systemctl enable --now syslog` combines enabling the service to start automatically on boot and starting it immediately in a single command. The `--now` flag triggers an immediate start after enabling, fulfilling both requirements without needing a reboot.

Exam trap

The trap here is that candidates may think they need to use two separate commands (enable and start) in a specific order, but the `--now` flag is a single-command shortcut that systemd provides, and LPI often tests this to see if you know the combined option exists.

How to eliminate wrong answers

Option A is wrong because it starts the service before enabling it; while this works, it is less efficient than using `--now`, and the order is not the issue—the command sequence is valid but not the best practice. Option B is wrong because `systemctl start --enable` is not a valid syntax; `--enable` is not a flag for `start`, and this command would fail. Option C is wrong because it enables the service first and then starts it, which is functionally correct but less efficient than using `--now`; however, the question asks for the command sequence that should be used, and `systemctl enable --now` is the idiomatic, single-command solution.

40
MCQhard

A system administrator needs to perform incremental backups of a large directory /data. The backup strategy requires a full backup every Sunday and incremental backups on weekdays. Which tar command satisfies this requirement using the --listed-incremental option?

A.Full: tar -czvf /backup/full.tar.gz /data; Incremental: tar -czvf /backup/incr.tar.gz --after-date '1 day ago' /data
B.Full: tar -cvf /backup/full.tar /data; Incremental: tar -cvf /backup/incr.tar -N 'last Sunday' /data
C.Full: tar -cvf /backup/full.tar --newer /data; Incremental: tar -cvf /backup/incr.tar --newer /backup/full.tar /data
D.Full: tar -cvf /backup/full.tar -g /var/backup/snapshot /data; Incremental: tar -cvf /backup/incr.tar -g /var/backup/snapshot /data
AnswerD

This uses the same snapshot file to track changes; the first run creates a full backup snapshot, subsequent runs create incremental backups.

Why this answer

Option D is correct because the `--listed-incremental` (or `-g`) option in tar creates and uses a snapshot file to track changes between backups. By specifying the same snapshot file for both the full and incremental backups, tar automatically records which files have changed since the last full backup, enabling proper incremental backups without relying on timestamps or file modification times.

Exam trap

The trap here is that candidates often confuse timestamp-based options like `--newer` or `-N` with the snapshot-based `--listed-incremental` mechanism, assuming any time-based filter can achieve incremental backups, but only `-g` provides the metadata tracking needed for proper incremental archives.

How to eliminate wrong answers

Option A is wrong because `--after-date` is not a valid tar option; the correct option for time-based filtering is `--newer` or `-N`, and using a relative time like '1 day ago' does not integrate with the `--listed-incremental` mechanism for reliable incremental backups. Option B is wrong because `-N 'last Sunday'` uses a timestamp-based filter that does not create a snapshot file, so subsequent incremental backups would not correctly track changes relative to the full backup; also, the full backup command lacks the `-g` option needed for incremental tracking. Option C is wrong because `--newer` compares file modification times against a file's timestamp, not against a snapshot; using `--newer /backup/full.tar` would include any file modified after the full archive was created, but it does not handle deletions or renames and is not the intended use of `--listed-incremental`.

41
MCQhard

Based on the exhibit, what will happen if the syslog service is stopped?

A.Apache2 will be stopped because it depends on syslog
B.The system will prompt to restart syslog before stopping
C.Apache2 will be automatically restarted because it requires syslog
D.Apache2 will continue running because the dependency is a soft dependency
AnswerD

By default, listed dependencies are 'Wants', not 'Requires'.

Why this answer

Option D is correct because in Linux, services managed by systemd can have dependencies declared as 'Requires' (hard) or 'Wants' (soft). A soft dependency means that the dependent service (Apache2) does not require the target service (syslog) to be running; it will continue to operate even if syslog is stopped. The exhibit likely shows a 'Wants' directive, which does not enforce a strict ordering or runtime requirement.

Exam trap

The trap here is that candidates confuse 'Wants' (soft dependency) with 'Requires' (hard dependency), assuming any dependency means the dependent service will be stopped or restarted when the target service changes.

How to eliminate wrong answers

Option A is wrong because Apache2 will not be stopped when syslog is stopped; a soft dependency (Wants) does not cause cascading stops. Option B is wrong because systemd does not prompt the user to restart a service before stopping another; it simply proceeds with the stop operation. Option C is wrong because Apache2 will not be automatically restarted when syslog is stopped; soft dependencies do not trigger restarts of dependent units.

42
MCQhard

Refer to the exhibit. The administrator restarts the sshd service. What is the new main PID after restart?

A.It remains the same.
B.1235
C.1234
D.It will be a new, different PID.
AnswerD

After restart, the service will have a new main PID.

Why this answer

When the sshd service is restarted, the old process is terminated and a new process is spawned, resulting in a new main PID. The PID is a unique identifier assigned by the kernel to each process at creation time, and it is never reused immediately after termination. Therefore, the new main PID will be different from the previous one.

Exam trap

The trap here is that candidates mistakenly think the PID remains the same after a restart, confusing 'restart' with 'reload' (which sends a SIGHUP and keeps the same PID), or they assume the new PID will be the next sequential number like 1235.

How to eliminate wrong answers

Option A is wrong because restarting a service terminates the existing process and starts a new one, so the PID cannot remain the same. Option B is wrong because 1235 is a specific number that would only be correct if the new PID happened to be that value, but there is no guarantee of any specific PID; the kernel assigns PIDs sequentially from available numbers. Option C is wrong because 1234 is the old PID that was terminated, and the new process will receive a different PID, not the same one.

43
Matchingmedium

Match each Linux signal to its default action.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Terminate process immediately (cannot be caught)

Terminate process gracefully

Hangup; often reloads configuration

Interrupt from keyboard (Ctrl+C)

Stop process (cannot be caught or ignored)

Why these pairings

Common signals used in Linux process control.

44
MCQmedium

An administrator wants to change the owner of all files in /data to user 'web' without changing the group. Which command should be used?

A.chown -R web:web /data
B.chown -R web /data
C.chown web /data
D.chown web:web /data
AnswerB

This recursively changes only the owner to web.

Why this answer

Option B is correct because `chown -R web /data` changes the owner of all files and directories recursively under /data to user 'web' while leaving the group ownership unchanged. The `-R` flag ensures recursion, and omitting a colon or dot after the username means only the owner is modified.

Exam trap

The trap here is that candidates often assume a colon is required or that `chown` without `-R` applies recursively, leading them to pick options that change the group or fail to affect all files.

How to eliminate wrong answers

Option A is wrong because `chown -R web:web /data` changes both the owner and group to 'web', which violates the requirement to not change the group. Option C is wrong because `chown web /data` only changes the owner of the /data directory itself, not its contents, missing the recursive requirement. Option D is wrong because `chown web:web /data` changes both owner and group to 'web' on the single directory, and lacks recursion, so it fails on both counts.

45
MCQhard

A user 'jdoe' already exists. The administrator needs to add 'jdoe' to the 'staff' and 'admin' groups without changing other group memberships. Which command accomplishes this?

A.usermod -a -G staff,admin jdoe
B.sed -i 's/^staff:.*/&jdoe/' /etc/group
C.usermod -G staff,admin jdoe
D.useradd -G staff,admin jdoe
AnswerA

The -a (append) flag with -G adds the user to the listed groups without affecting other group memberships.

Why this answer

Option A is correct because the `usermod -a -G` command appends the user 'jdoe' to the supplementary groups 'staff' and 'admin' without altering existing group memberships. The `-a` (append) flag is essential; without it, `-G` would replace all current supplementary groups with only those listed. This matches the requirement to add the user to new groups while preserving other group memberships.

Exam trap

The trap here is that candidates often forget the `-a` (append) flag with `usermod -G`, assuming `-G` alone adds groups, when in fact it replaces all supplementary group memberships, which is a common cause of accidental privilege removal.

How to eliminate wrong answers

Option B is wrong because `sed -i 's/^staff:.*/&jdoe/' /etc/group` attempts to edit the group file directly but incorrectly appends 'jdoe' to the end of the line without a comma separator, resulting in a malformed entry (e.g., 'staff:x:100:jdoe' instead of 'staff:x:100:jdoe'), and it only modifies the 'staff' group, ignoring 'admin'. Option C is wrong because `usermod -G staff,admin jdoe` without the `-a` flag will replace all of jdoe's current supplementary groups with only 'staff' and 'admin', removing any other group memberships. Option D is wrong because `useradd -G staff,admin jdoe` is used to create a new user and set initial supplementary groups; it will fail or produce an error since the user 'jdoe' already exists, and it does not modify existing users.

46
MCQeasy

To enable disk quotas for user quotas on a filesystem, which line should be added to /etc/fstab's mount options?

A.grpquota
B.userquota
C.quota
D.usrquota
AnswerD

Adding 'usrquota' to the mount options in /etc/fstab enables user quotas on the filesystem.

Why this answer

Option D is correct because the 'usrquota' mount option is the standard Linux kernel parameter used to enable user disk quotas on a filesystem. When added to the fourth field of an /etc/fstab entry, it instructs the kernel to track per-user disk usage, allowing the quota system (via quotacheck, edquota, etc.) to enforce limits.

Exam trap

The trap here is that candidates confuse 'usrquota' with the generic term 'quota' or the incorrect 'userquota', assuming any word containing 'quota' will work, but the Linux kernel strictly requires the exact 'usrquota' string for user quotas.

How to eliminate wrong answers

Option A is wrong because 'grpquota' is the mount option for enabling group quotas, not user quotas. Option B is wrong because 'userquota' is not a valid Linux mount option; the correct syntax uses 'usrquota' for users and 'grpquota' for groups. Option C is wrong because 'quota' alone is not a valid mount option in /etc/fstab; the kernel requires the specific 'usrquota' or 'grpquota' strings to activate quota tracking.

47
Multi-Selecthard

Which THREE steps are necessary to configure a static IP address using ifcfg files on a RHEL-based system? (Choose THREE.)

Select 3 answers
A.Edit /etc/sysconfig/network-scripts/ifcfg-eth0
B.Set ONBOOT=yes
C.Run 'systemctl restart network'
D.Run 'ip addr add 192.168.1.10/24 dev eth0'
E.Set BOOTPROTO=static
AnswersA, B, E

Correct: the ifcfg file must be edited.

Why this answer

Option A is correct because on RHEL-based systems, persistent network interface configuration is stored in files named `/etc/sysconfig/network-scripts/ifcfg-<interface>`. Editing this file allows you to define static IP parameters that survive reboots. This is the standard method for configuring static IP addresses using ifcfg files.

Exam trap

The trap here is that candidates often confuse runtime commands (like `ip addr add`) with persistent configuration steps, or they mistakenly think restarting the network service is a configuration step rather than an activation step.

48
Multi-Selecthard

Which three commands are commonly used to display information about running processes?

Select 3 answers
A.top
B.pkill
C.kill
D.htop
E.ps
AnswersA, D, E

Realtime process viewer.

Why this answer

The `top` command (option A) is a standard Linux utility that provides a real-time, dynamic view of running processes, including CPU and memory usage, and is commonly used for process monitoring. It is a core tool for displaying process information, making it correct for this question.

Exam trap

The trap here is that candidates may confuse commands that manipulate processes (like `kill` and `pkill`) with commands that display process information, leading them to incorrectly select those options.

49
MCQhard

An administrator needs to display the current and previous runlevels of a Linux system. Which command provides this information?

A.who -r
B.runlevel
C.telinit 1
D.init 0
AnswerB

Outputs previous and current runlevel.

Why this answer

The `runlevel` command displays both the previous and current runlevels of a Linux system. It outputs two characters: the first indicates the previous runlevel (or 'N' if the runlevel has not changed since boot), and the second indicates the current runlevel. This is the standard tool for querying runlevel information on SysV init systems.

Exam trap

The trap here is that candidates confuse `who -r` with `runlevel` because both display the current runlevel, but `who -r` omits the previous runlevel, which is the key piece of information the question explicitly asks for.

How to eliminate wrong answers

Option A is wrong because `who -r` shows the current runlevel and the time of the last runlevel change, but it does not display the previous runlevel. Option C is wrong because `telinit 1` is used to change the runlevel to single-user mode (runlevel 1), not to display current or previous runlevels. Option D is wrong because `init 0` is used to shut down the system (runlevel 0), not to query runlevel information.

50
MCQeasy

Refer to the exhibit. What is the current state of the SSH service?

A.It is active and running
B.It is inactive
C.It is disabled
D.It has failed
AnswerA

Correct: clearly states 'active (running)'.

Why this answer

The exhibit shows the output of `systemctl status sshd`, which displays the service state as 'active (running)' in the green text. This indicates that the SSH daemon (sshd) is currently loaded and executing, providing secure shell access to the system. The 'active (running)' state is the normal operational state for a service that has been started and is functioning correctly.

Exam trap

LPI often tests the distinction between a service's current runtime state (active/inactive) and its boot-time enablement (enabled/disabled), causing candidates to confuse 'disabled' with 'inactive' when the question explicitly asks for the current state.

How to eliminate wrong answers

Option B is wrong because 'inactive' would show as 'inactive (dead)' in the systemctl status output, meaning the service is not currently running, but the exhibit clearly shows 'active (running)'. Option C is wrong because 'disabled' refers to the service's startup configuration (whether it starts automatically at boot), not its current runtime state; the exhibit shows the service is enabled for startup, but the question asks about the current state. Option D is wrong because 'failed' would display as 'failed' with a red indicator, indicating the service exited with an error or crashed, which is not shown in the exhibit.

51
MCQeasy

Which command schedules a job to run once at 2:30 PM today?

A.crontab -e
B.batch
C.at 14.30
D.at 14:30
AnswerD

The 'at' command with a time in 24-hour format schedules a one-time job at that time.

Why this answer

The `at` command schedules a one-time job for a specified time. The correct syntax uses a colon (:) to separate hours and minutes, as in `at 14:30`, which schedules the job for 2:30 PM today. Option D is correct because it follows the standard `at` time format.

Exam trap

The trap here is that candidates may confuse the `at` time separator (colon) with the period used in some other contexts, or mistakenly think `crontab` can schedule one-time jobs, leading them to choose option A or C.

How to eliminate wrong answers

Option A is wrong because `crontab -e` edits the user's cron table for recurring jobs (e.g., daily, weekly), not for one-time execution. Option B is wrong because `batch` schedules jobs to run when system load levels permit, not at a specific time. Option C is wrong because `at 14.30` uses a period (.) instead of a colon (:), which is not a valid time separator for the `at` command; the correct syntax requires a colon.

52
MCQeasy

A user reports that a file cannot be saved due to 'No space left on device'. Which command should the administrator use to verify disk usage?

A.du -sh /
B.fdisk -l
C.df -i
D.df -h
AnswerD

Correct: shows disk space usage.

Why this answer

The 'df -h' command displays disk space usage in human-readable format (e.g., GB, MB) for all mounted filesystems. When a user encounters 'No space left on device', the most direct verification is to check available disk space with 'df -h', which shows used and available blocks. Option D is correct because it specifically addresses the space shortage indicated by the error.

Exam trap

The trap here is that candidates may confuse 'df -h' (disk free, human-readable) with 'du -sh' (disk usage summary) or 'df -i' (inode usage), not recognizing that the error message directly points to block space exhaustion, which 'df -h' is designed to check.

How to eliminate wrong answers

Option A is wrong because 'du -sh /' summarizes disk usage of the root directory, not the available space on the filesystem; it can be slow and does not show free space. Option B is wrong because 'fdisk -l' lists partition tables and disk geometry, not filesystem-level usage or free space. Option C is wrong because 'df -i' shows inode usage, not block space; the error 'No space left on device' typically refers to block space exhaustion, though inode exhaustion can produce a similar message, but the question asks to verify disk usage, not inode usage.

53
MCQmedium

Refer to the exhibit. During the next boot, which filesystem will be checked first by fsck?

A./dev/sda1
B.All checked in parallel
C./dev/sda2
D./dev/sda3
AnswerA

It has fsck order 1.

Why this answer

The order in which fsck checks filesystems during boot is determined by the pass number (field 6) in /etc/fstab. The filesystem with the lowest pass number is checked first. In the exhibit, /dev/sda1 has a pass number of 1, while /dev/sda2 and /dev/sda3 have pass numbers of 2, so /dev/sda1 will be checked first.

Exam trap

The trap here is that candidates often assume all filesystems are checked in parallel or that the order is based on device naming (e.g., sda1 before sda2), rather than understanding that the explicit pass number in /etc/fstab dictates the sequence.

How to eliminate wrong answers

Option B is wrong because filesystems are not all checked in parallel; fsck checks them sequentially based on their pass number, and only filesystems with the same pass number (and on different physical drives) may be checked in parallel. Option C is wrong because /dev/sda2 has a pass number of 2, which is higher than 1, so it will be checked after /dev/sda1. Option D is wrong because /dev/sda3 also has a pass number of 2, so it will be checked after /dev/sda1, not first.

54
MCQhard

Refer to the exhibit. The job runs every hour but the administrator notices that it does not execute on Sundays. Which cron syntax element is responsible?

A.The minute field
B.The hour field
C.The month field
D.The day-of-week field
AnswerD

Correct: 1-6 excludes Sunday.

Why this answer

The day-of-week field (the 5th field in a cron expression) controls which days of the week the job runs. If this field is set to 1-6 (Monday–Saturday) or explicitly excludes 0/7 (Sunday), the job will not execute on Sundays. Since the job runs every hour but not on Sundays, the day-of-week field is responsible.

Exam trap

The trap here is that candidates often confuse the day-of-month field (3rd field) with the day-of-week field (5th field), or assume the hour field controls daily execution, when in fact the day-of-week field is the only one that can selectively exclude a specific weekday like Sunday.

How to eliminate wrong answers

Option A is wrong because the minute field (1st field) controls the minute within the hour when the job runs, not the day of the week; it would affect timing within each hour, not skip entire days. Option B is wrong because the hour field (2nd field) controls which hours of the day the job runs, not which days of the week; it could restrict execution to certain hours but cannot exclude an entire day like Sunday. Option C is wrong because the month field (4th field) controls which months the job runs, not days of the week; it could skip entire months but not specific weekdays.

55
MCQeasy

A user reports that their cron jobs are not executing. The user has a valid crontab file and can execute the commands manually. Which of the following is the most likely cause of this issue?

A.The crontab file uses the wrong time format.
B.The user's home directory is missing.
C.The user is not in the /etc/cron.allow file.
D.The cron daemon is not running.
AnswerD

If cron is not running, no jobs will execute.

Why this answer

The cron daemon (crond) is responsible for reading crontab files and executing scheduled jobs at the appropriate times. If the cron daemon is not running, no cron jobs will execute, regardless of the validity of the user's crontab file or the user's ability to run the commands manually. This is the most likely cause because it directly prevents the cron system from functioning at all.

Exam trap

The trap here is that candidates often focus on user-level restrictions (like cron.allow or home directory issues) or syntax errors, but the most fundamental requirement—that the cron daemon itself must be running—is overlooked because it is assumed to always be active.

How to eliminate wrong answers

Option A is wrong because cron uses a specific time format (minute, hour, day of month, month, day of week), and if the format were incorrect, the crontab would typically be rejected when the user attempts to install it with `crontab -e` or `crontab <file>`, not silently fail to execute. Option B is wrong because the user's home directory is not required for cron job execution; cron jobs run with the user's environment, but the home directory is only relevant if the job script explicitly references it (e.g., via `$HOME`). Option C is wrong because the `/etc/cron.allow` file is used to restrict which users can create crontabs; if the user is not listed, they would be unable to install or edit their crontab file at all, but the question states the user already has a valid crontab file, implying they were previously allowed.

56
Multi-Selectmedium

Which three actions can an administrator take to securely erase data on a disk before decommissioning?

Select 3 answers
A.Format the disk with mkfs.
B.Delete the partition and create a new one.
C.Run dd if=/dev/urandom of=/dev/sda.
D.Run shred -n 3 /dev/sda.
E.Use the hdparm command with the --security-erase option.
AnswersC, D, E

Overwrites the entire device with random data, making recovery extremely difficult.

Why this answer

Option C is correct because using `dd if=/dev/urandom of=/dev/sda` overwrites the entire disk with random data from the kernel's non-blocking random number generator. This makes the original data unrecoverable through forensic techniques, as each sector is overwritten with unpredictable values, effectively destroying any residual magnetic traces.

Exam trap

The trap here is that candidates often think `mkfs` or partition deletion fully erases data, when in fact they only remove logical pointers, leaving the raw data recoverable with simple forensic tools.

57
MCQeasy

Which command is used to view the last few lines of a log file and simultaneously follow new entries as they are written?

A.tail -f
B.cat
C.head -n 10
D.less
AnswerA

Correctly displays last lines and follows new data.

Why this answer

The `tail -f` command is correct because it displays the last 10 lines of a file by default and then continues to monitor the file for new lines, outputting them as they are appended. This is essential for real-time log monitoring, as it uses inotify or polling to detect file changes without requiring manual re-reading.

Exam trap

The trap here is that candidates may confuse `tail -f` with `less` (which can also follow with `Shift+F`), but the question explicitly asks for the command that 'simultaneously follow new entries as they are written' in its default invocation, making `tail -f` the only correct answer without requiring additional key presses.

How to eliminate wrong answers

Option B (cat) is wrong because it outputs the entire file content at once and then exits, providing no ability to follow new entries. Option C (head -n 10) is wrong because it only shows the first 10 lines of a file and does not monitor for updates. Option D (less) is wrong because while it can view files interactively and with `Shift+F` can follow new entries, the default behavior does not follow; the question specifies 'simultaneously follow new entries as they are written,' which `tail -f` does directly without requiring a special key sequence.

58
MCQeasy

Refer to the exhibit. This line is from /etc/passwd. What does the third field (1001) represent?

A.Home directory UID
B.Group ID (GID)
C.User ID (UID)
D.Login shell number
AnswerC

The third field in /etc/passwd is the numerical user ID.

Why this answer

In the /etc/passwd file, the third field is the User ID (UID), a numeric identifier assigned to each user. UID 0 is reserved for root, and values below 1000 are typically system accounts, while 1001 is a regular user UID. This field is used by the kernel to track user ownership of processes and files.

Exam trap

The trap here is that candidates often confuse the order of fields in /etc/passwd, specifically mixing up the UID (third field) with the GID (fourth field), because both are numeric identifiers.

How to eliminate wrong answers

Option A is wrong because the home directory is specified in the sixth field of /etc/passwd, not the third. Option B is wrong because the Group ID (GID) is the fourth field, not the third. Option D is wrong because the login shell is the seventh field, and there is no 'login shell number' field in /etc/passwd.

59
MCQhard

Refer to the exhibit. What is the purpose of the 'test -x /usr/sbin/anacron' command in the cron entries?

A.It checks if anacron is executable and then runs the periodic tasks.
B.It starts anacron if it is not already running.
C.It ensures the periodic tasks are not run if anacron is installed.
D.It logs the output of the periodic tasks to a file.
AnswerC

If anacron is installed, the test returns true, so the '||' branch (run-parts) is not executed, preventing cron from running tasks that anacron handles.

Why this answer

The 'test -x /usr/sbin/anacron' command checks if the anacron binary exists and is executable. If it is, the test returns true (exit code 0), and the subsequent periodic tasks (e.g., run-parts) are skipped due to the logical NOT operator '!' at the beginning of the cron entry. This prevents duplicate execution of periodic jobs when both cron and anacron are installed, as anacron is designed to handle them for systems that may not be running continuously.

Exam trap

The trap here is that candidates assume 'test -x' runs or starts anacron, when in fact it is a conditional check used with '!' to suppress duplicate job execution.

How to eliminate wrong answers

Option A is wrong because 'test -x' only checks for executability; it does not execute anacron or run any tasks. Option B is wrong because the command does not start anacron; it merely tests its presence, and the cron entry uses '!' to skip tasks if anacron is present, not to launch it. Option D is wrong because the command does not involve logging; it is a simple file test, and any logging would be handled by separate redirection or the cron daemon itself.

60
MCQmedium

An administrator notices that /var/log/syslog is 3 GB in size, despite logrotate being configured to rotate logs weekly and keep 4 weeks. The logrotate configuration file /etc/logrotate.d/syslog contains: /var/log/syslog { weekly rotate 4 compress missingok notifempty } The administrator checks that logrotate is scheduled via cron and sees that the cron job exists. However, the administrator suspects that logrotate might not have been running. Which of the following commands should the administrator run first to force log rotation and diagnose the issue?

A.logrotate -d /etc/logrotate.d/syslog
B.systemctl restart crond
C.logrotate -f /etc/logrotate.d/syslog
D.cat /var/lib/logrotate/status
AnswerC

Forces rotation immediately, which tests the configuration.

Why this answer

Option C is correct because the `-f` (force) flag tells logrotate to rotate the log file immediately, regardless of whether the configured time interval has elapsed. This allows the administrator to trigger a rotation on demand and observe any errors or misconfigurations that might explain why the file grew to 3 GB despite the weekly rotation policy.

Exam trap

LPI often tests the difference between `-d` (debug/dry-run) and `-f` (force) in logrotate, and the trap here is that candidates may choose debug mode thinking it will fix the issue, when only force actually triggers the rotation.

How to eliminate wrong answers

Option A is wrong because `logrotate -d` runs in debug mode, which only prints what would happen without actually performing the rotation; it does not force the rotation or help diagnose a failure to rotate. Option B is wrong because restarting the cron daemon (`crond`) does not force logrotate to run; it only restarts the scheduler, and if logrotate itself is misconfigured or the cron job is not triggering properly, this action does not address the root cause. Option D is wrong because `cat /var/lib/logrotate/status` displays the last rotation timestamps for each log file, which can be useful for investigation but does not force a rotation or actively diagnose why the rotation did not occur.

61
MCQhard

A medium-sized company runs a web application on a Linux server. The server uses systemd and has the following configuration: the web application service (webapp.service) is configured to start after network.target and requires a database service (database.service) to be running. The database service has a Restart=on-failure directive. Recently, the server experienced a power outage. Upon reboot, the system administrator notices that the web application fails to start because the database service is in a failed state. The administrator checks the status of database.service and sees 'inactive (dead)' with no recent attempts to restart. The journal shows that the database service failed to start because a required filesystem (mounted at /var/lib/database) was not mounted when the database service tried to start. The filesystem is listed in /etc/fstab with the nofail option. The administrator wants to ensure that in future reboots, the database service starts successfully and the web application comes up without manual intervention. Which of the following is the best course of action?

A.Change the Restart directive in database.service to 'always'
B.Remove the nofail option from /etc/fstab for /var/lib/database
C.Modify the database.service unit file to add 'After=var-lib-database.mount' and 'Requires=var-lib-database.mount'
D.Modify the webapp.service unit file to add 'After=database.service' and 'Requires=database.service'
AnswerC

This ensures the database service waits for the mount unit to be active before starting.

Why this answer

Option C is correct because the database service failed due to a missing mount at /var/lib/database. By adding 'After=var-lib-database.mount' and 'Requires=var-lib-database.mount' to the database.service unit, systemd will ensure the mount unit is started before the database service and that the database service is stopped if the mount fails. This directly addresses the root cause—the filesystem not being ready—without altering the restart behavior or the fstab nofail option, which is appropriate for allowing the system to boot even if the mount fails.

Exam trap

The trap here is that candidates often focus on restart policies (Option A) or fstab options (Option B) without realizing that systemd's dependency system must be used to enforce ordering between services and mount units, especially when nofail is present.

How to eliminate wrong answers

Option A is wrong because changing Restart to 'always' would cause the database service to restart indefinitely even after successful runs, but it does not solve the underlying issue of the mount not being ready; the service would still fail on the first attempt if the mount is missing, and Restart=on-failure already handles restarts after failure, but the service never got a chance to restart because it was never started again after the initial failure. Option B is wrong because removing the nofail option from /etc/fstab would cause the system to fail to boot entirely if the filesystem cannot be mounted, which is worse than the current behavior; the nofail option is correctly used to allow boot to proceed, but the dependency must be expressed in systemd units. Option D is wrong because webapp.service already has 'After=database.service' and 'Requires=database.service' (implied by the requirement that the database service must be running), so adding them again does nothing; the problem is that database.service itself fails due to the mount, not that webapp.service lacks ordering or dependency on database.service.

62
MCQeasy

A small business uses a Linux server running CUPS to share a network printer. For several months, all employees could print successfully. Today, an employee in a different subnet reports that printing does not work. The administrator checks the server: cupsd is running, the printer is configured with an IPP URI pointing to the printer's IP address, and the printer is idle. The administrator can ping the printer from the server. The administrator checks the CUPS error log and sees the following line multiple times: 'E [04/Oct/2024:10:15:22 -0400] [Client 5] client-error-not-authorized'. Which of the following actions should the administrator take to resolve the issue?

A.Change the printer's URI from ipp:// to socket://
B.Add the employee's username to the lpadmin group
C.Restart the cupsd service with 'systemctl restart cupsd'
D.Add 'Allow from 192.168.2.0/24' to the appropriate policy in /etc/cups/cupsd.conf
AnswerD

This allows printing from the employee's subnet.

Why this answer

The error 'client-error-not-authorized' in CUPS indicates that the client's request was denied due to access control restrictions in cupsd.conf. Since the employee is in a different subnet (e.g., 192.168.2.0/24), the default CUPS policy likely only allows local subnet access. Adding 'Allow from 192.168.2.0/24' to the appropriate policy (e.g., under <Policy default>) grants printing access from that subnet, resolving the authorization failure.

Exam trap

The trap here is that candidates confuse 'client-error-not-authorized' with authentication issues (e.g., missing username/password) or service problems, when it is actually an IP-based access control restriction in CUPS' policy configuration.

How to eliminate wrong answers

Option A is wrong because changing the URI from ipp:// to socket:// would bypass CUPS' job management and authentication, but the error is about authorization, not protocol mismatch; the printer is reachable via ping, so the URI is not the issue. Option B is wrong because the lpadmin group is for printer administration (e.g., adding/removing printers), not for granting print access to users; the error is a client authorization failure, not a group membership issue. Option C is wrong because restarting cupsd would not change the access control rules; the service is already running and the error persists, indicating a configuration problem, not a service state issue.

63
Multi-Selectmedium

Which TWO commands can be used to schedule a one-time task at a specific time in the future? (Choose TWO.)

Select 2 answers
A.cron
B.batch
C.sleep
D.at
E.anacron
AnswersB, D

batch is similar to at but runs when load is low.

Why this answer

The `at` command is specifically designed to schedule a one-time task at a specified future time, using the `atd` daemon to execute the job. The `batch` command schedules a one-time task to run when system load levels permit, typically when the load average drops below 0.8 or as defined in `/proc/loadavg`.

Exam trap

The trap here is that candidates often confuse `cron` with `at` because both are time-based job schedulers, but `cron` is strictly for recurring tasks while `at` is for one-time execution, and `batch` is often overlooked as a valid one-time scheduler due to its load-dependent nature.

64
MCQhard

A small business runs a Linux server hosting a web application and a PostgreSQL database. The server uses LVM for storage, with a single volume group vg_data containing two logical volumes: lv_web (50GB) and lv_db (100GB). The root filesystem is on a separate disk. The administrator receives alerts that the database volume is at 95% capacity. The server has additional unused space from a recently added disk that was added to the volume group as an additional physical volume, but the space has not been allocated. The administrator runs 'vgs' which shows VG vg_data with total size 500GB, allocated 150GB, and free 350GB. The administrator wants to increase the size of lv_db by 50GB. Which course of action should the administrator take?

A.Run 'lvresize -L 50G /dev/vg_data/lv_db' and then 'xfs_growfs /mount/point'.
B.Run 'lvcreate -L 50G -n lv_backup vg_data' and mount it.
C.Run 'lvextend -L +50G /dev/vg_data/lv_db' and then 'resize2fs /dev/vg_data/lv_db' (if filesystem is ext4).
D.Run 'vgextend vg_data /dev/sdb1' and then 'lvextend -L 50G /dev/vg_data/lv_db'.
AnswerC

Correct: extends both the LV and filesystem.

Why this answer

Option C is correct because the administrator needs to extend the existing logical volume lv_db by 50GB using 'lvextend -L +50G /dev/vg_data/lv_db' (the '+' is critical for relative growth), and then if the filesystem is ext4, 'resize2fs /dev/vg_data/lv_db' resizes the filesystem to use the newly allocated space. The volume group already has 350GB free, so no new physical volume needs to be added.

Exam trap

The trap here is that candidates often forget the '+' sign in 'lvextend -L +50G' (which means add 50GB) versus '-L 50G' (which sets absolute size to 50GB), and they may also incorrectly assume a new physical volume must be added even when free space already exists in the volume group.

How to eliminate wrong answers

Option A is wrong because 'lvresize -L 50G' sets the absolute size to 50GB, which would shrink the volume from its current size (likely 100GB) to 50GB, causing data loss; also, xfs_growfs is only for XFS filesystems, not ext4. Option B is wrong because creating a new logical volume (lv_backup) does not increase the size of lv_db; it only adds a separate volume, leaving the database volume still at 95% capacity. Option D is wrong because 'vgextend' is unnecessary—the volume group already has 350GB free space—and 'lvextend -L 50G' without the '+' sign would set the absolute size to 50GB, potentially shrinking the volume.

65
MCQhard

An administrator wants to enforce a password history that prevents using the last 5 passwords. Which directive should be added to /etc/pam.d/system-auth?

A.password optional pam_pwhistory.so remember=5
B.password sufficient pam_pwhistory.so remember=5
C.password required pam_pwhistory.so remember=5
D.password requisite pam_pwhistory.so remember=5
AnswerC

Correct: enforces password history of 5 passwords.

Why this answer

Option C is correct because the `required` control flag ensures that the `pam_pwhistory.so` module must succeed for the password change to proceed, and `remember=5` enforces that the last 5 passwords cannot be reused. This is the standard way to enforce password history in PAM (Pluggable Authentication Modules) on Linux systems.

Exam trap

The trap here is confusing the PAM control flags (`required`, `requisite`, `sufficient`, `optional`) and their specific behaviors, especially thinking `requisite` is equivalent to `required` for password history, when in fact `required` is the standard choice for this module.

How to eliminate wrong answers

Option A is wrong because `optional` means the module's success or failure is ignored unless it is the only module in the stack, which would not enforce the password history requirement. Option B is wrong because `sufficient` means if this module succeeds, PAM skips remaining modules in the stack, which could bypass other password quality checks. Option D is wrong because `requisite` causes immediate failure if the module fails, but it is typically used for critical checks like account expiration, not for password history; `required` is the correct control for enforcing history without aborting the entire stack prematurely.

66
Multi-Selectmedium

An administrator needs to restart the SSH service after a configuration change. Which TWO commands can accomplish this on a systemd-based system?

Select 2 answers
A.initctl restart sshd
B.rc.d restart sshd
C.systemctl restart sshd
D.service sshd restart
E./etc/init.d/sshd restart
AnswersC, D

The correct systemd command to restart a service.

Why this answer

On a systemd-based system, the correct command to restart the SSH service is `systemctl restart sshd`. This command communicates directly with systemd's service manager to stop and then start the sshd unit, ensuring proper state tracking and dependency handling.

Exam trap

The trap here is that candidates may assume the `service` command (Option D) is always correct on systemd systems, but while it often works via a compatibility wrapper, the official and reliable command for systemd is `systemctl`, and the question explicitly asks for commands that 'can accomplish this on a systemd-based system'—both C and D are technically valid, but D relies on a legacy compatibility layer that may not be present in minimal or hardened systemd installations.

67
MCQhard

In the /etc/shadow file, a user's password hash begins with '$6$'. What hash algorithm does this prefix indicate?

A.SHA-512
B.SHA-256
C.MD5
D.Blowfish
AnswerA

$6$ corresponds to SHA-512.

Why this answer

The prefix '$6$' in the /etc/shadow file indicates that the password hash was generated using the SHA-512 (Secure Hash Algorithm 512-bit) algorithm. This is defined in the crypt(3) function's modular crypt format, where $1$ is MD5, $5$ is SHA-256, and $6$ is SHA-512. SHA-512 is the strongest of the commonly used hash algorithms in Linux password hashing, providing a 512-bit digest.

Exam trap

The trap here is that candidates often confuse the prefix '$6$' with SHA-256 (which uses '$5$') or mistakenly associate '$6$' with Blowfish due to similar numbering, but the correct mapping is $1$=MD5, $5$=SHA-256, $6$=SHA-512.

How to eliminate wrong answers

Option B (SHA-256) is wrong because SHA-256 uses the prefix '$5$', not '$6$'. Option C (MD5) is wrong because MD5 uses the prefix '$1$', and it is considered cryptographically broken for password storage. Option D (Blowfish) is wrong because Blowfish-based bcrypt uses the prefix '$2a$', '$2b$', or '$2y$', not '$6$'.

68
MCQhard

A company security policy requires that user accounts be disabled after 90 days of inactivity. The system administrator locks user accounts using 'usermod -L username'. However, users with SSH key authentication can still log in. The administrator has verified that the locked flag is set in /etc/shadow. Which of the following is the most likely explanation?

A.The administrator forgot to restart the SSH service after locking accounts.
B.The SSH daemon is configured to allow passwordless login for locked accounts.
C.The usermod -L command only locks password-based login, not SSH key login.
D.The users have valid SSH keys in their ~/.ssh/authorized_keys, and SSH does not check the account lock status.
AnswerC

usermod -L sets an '!' in the password field, which prevents password authentication but not SSH key authentication.

Why this answer

The `usermod -L` command locks a user account by placing a '!' in the password hash field of /etc/shadow, which only prevents authentication via password-based methods (e.g., PAM's pam_unix). SSH key authentication uses the SSH protocol's public-key challenge-response, which is handled by the SSH daemon (sshd) and does not consult the locked password field in /etc/shadow. Therefore, users with valid SSH keys in ~/.ssh/authorized_keys can still log in despite the account being locked.

Exam trap

The trap here is that candidates assume 'locking' an account with `usermod -L` disables all login methods, but it only affects password-based authentication, not SSH key-based or other non-password mechanisms.

How to eliminate wrong answers

Option A is wrong because restarting the SSH service would not change the behavior; SSH does not cache account lock status, and the lock is already applied in /etc/shadow. Option B is wrong because SSH does not have a configuration option to allow passwordless login specifically for locked accounts; the lock only affects password authentication, not key-based authentication. Option D is wrong because SSH does check account lock status for password authentication, but for key-based authentication it only verifies the key against authorized_keys and does not check the shadow lock flag.

69
MCQmedium

A system administrator wants to schedule a script to run every Monday at 3:00 AM, but only if the system clock is set to local time (not UTC). Which crontab entry should be used?

A.3 0 * * 1 /path/to/script
B.0 3 * * 1 /path/to/script
C.0 15 * * 1 /path/to/script
D.0 3 * * 0 /path/to/script
AnswerB

Correct: minute 0, hour 3, any day of month, any month, Monday (1).

Why this answer

Option B is correct because the crontab format is 'minute hour day-of-month month day-of-week command'. To run at 3:00 AM Monday, the minute field is 0, the hour field is 3 (using 24-hour time), and the day-of-week field is 1 (Monday). The cron daemon does not care about UTC vs local time; it uses the system's configured timezone, so no special flag is needed.

Exam trap

The trap here is that candidates confuse the order of minute and hour fields (minute first, then hour) or mistakenly use 0 for Monday instead of 1, leading to selection of option A or D.

How to eliminate wrong answers

Option A is wrong because it specifies minute=3 and hour=0, which would run at 12:03 AM (00:03), not 3:00 AM. Option C is wrong because hour=15 corresponds to 3:00 PM, not 3:00 AM. Option D is wrong because day-of-week=0 represents Sunday, not Monday (in cron, 0 and 7 both mean Sunday).

70
MCQeasy

Which command adds a new group named 'developers' to the system?

A.addgroup developers
B.groupadd developers
C.newgroup developers
D.groupadd -r developers
AnswerB

Correct: standard command to add a group.

Why this answer

The correct command to add a new group on a Linux system is `groupadd developers`. This command creates a new group entry in the system's group database (typically /etc/group). The `groupadd` utility is the standard tool for this task in Linux, and it is part of the shadow-utils package.

Exam trap

The trap here is that candidates may confuse `groupadd` with distribution-specific wrappers like `addgroup` (Debian/Ubuntu) or think that `newgroup` is a valid command, or they may overlook the significance of the `-r` flag which creates a system group instead of a regular group.

How to eliminate wrong answers

Option A is wrong because `addgroup` is not a standard Linux command; it is a Debian/Ubuntu-specific wrapper that may not exist on all distributions, and the standard command is `groupadd`. Option C is wrong because `newgroup` is not a valid Linux command; the correct command is `groupadd`. Option D is wrong because `groupadd -r developers` creates a system group (with a GID in the system range, typically below 1000), not a regular group named 'developers' as required by the question.

71
MCQmedium

An administrator needs to extend a logical volume by 10GB. The volume group has available physical extents. Which command should be used?

A.lvcreate -L 10G /dev/vg/lv
B.vgextend /dev/vg/lv -L +10G
C.lvextend -L +10G /dev/vg/lv
D.lvresize -L 10G /dev/vg/lv
AnswerC

Correct: extends the LV by 10GB.

Why this answer

Option C is correct because the `lvextend` command with the `-L +10G` flag increases the size of the existing logical volume `/dev/vg/lv` by exactly 10 GB, using available physical extents from the volume group. This is the standard LVM command for extending a logical volume without recreating it.

Exam trap

The trap here is that candidates confuse `lvcreate` with `lvextend` or forget the `+` sign in `lvresize`, leading them to choose an option that either creates a new volume or sets an absolute size instead of incrementing it.

How to eliminate wrong answers

Option A is wrong because `lvcreate` creates a new logical volume, not extends an existing one; using it would attempt to create a separate 10 GB LV, not modify the target LV. Option B is wrong because `vgextend` is used to add a physical volume to a volume group, not to extend a logical volume; the syntax and purpose are entirely mismatched. Option D is wrong because `lvresize -L 10G` sets the absolute size of the logical volume to exactly 10 GB, which would shrink it if it were larger than 10 GB, rather than adding 10 GB; the `+` sign is required for an extension operation.

Ready to test yourself?

Try a timed practice session using only Admin Tasks questions.