CCNA Essential Tools Questions

74 questions · Essential Tools topic · All types, answers revealed

1
Multi-Selecthard

Which THREE commands can be used to check the disk space usage of the /home partition?

Select 3 answers
A.df -h /home
B.lsblk /dev/sda1
C.fdisk -l /dev/sda
D.parted /dev/sda print
E.du -sh /home
AnswersA, B, E

Shows free and used space.

Why this answer

Option A is correct because `df -h /home` displays the disk space usage of the /home filesystem in human-readable format (e.g., GB, MB). The `df` command reports the total, used, and available space for mounted filesystems, making it the standard tool for checking partition-level disk usage.

Exam trap

The trap here is that candidates confuse partition table tools (fdisk, parted) with filesystem usage tools (df, du), or mistakenly think `lsblk` shows disk space usage when it only shows device size and mount points.

2
MCQmedium

What does the 's' in the owner execute position indicate?

A.Mandatory access control
B.SetGID
C.Sticky bit
D.No special permission
E.SetUID
AnswerE

SetUID shows 's' in the owner execute position.

Why this answer

In Linux file permissions, the 's' in the owner execute position (e.g., `-rwsr-xr-x`) indicates the SetUID (Set User ID) special permission. When set on an executable file, it allows the process to run with the effective user ID of the file's owner (typically root), rather than the user who launched it. This is why option E is correct.

Exam trap

Red Hat often tests the distinction between SetUID (owner execute 's') and SetGID (group execute 's'), and candidates confuse which position corresponds to which special permission.

How to eliminate wrong answers

Option A is wrong because Mandatory Access Control (MAC) is a security model enforced by systems like SELinux or AppArmor, not represented by the 's' in the owner execute position. Option B is wrong because SetGID (Set Group ID) is indicated by an 's' in the group execute position, not the owner execute position. Option C is wrong because the sticky bit is indicated by a 't' in the 'others' execute position, not the owner execute position.

Option D is wrong because 'No special permission' would show a simple 'x' in the owner execute position, not an 's'.

3
MCQhard

A server has a disk with LVM logical volumes. The administrator needs to extend a logical volume to use all remaining free space in the volume group. Which command sequence is correct?

A.lvextend -l +100%FREE /dev/vg/lv && xfs_growfs /dev/vg/lv
B.lvextend -L +100%FREE /dev/vg/lv && resize2fs /dev/vg/lv
C.lvextend -l +50%FREE /dev/vg/lv && xfs_growfs /dev/vg/lv
D.lvresize -L +100%VG /dev/vg/lv && resize2fs /dev/vg/lv
AnswerA

Correct for XFS filesystem: extend using all free extents then grow.

Why this answer

Option A is correct because `lvextend -l +100%FREE` extends the logical volume to use all remaining free extents in the volume group, and `xfs_growfs` is the correct command to grow an XFS filesystem online. This sequence ensures the logical volume and filesystem both utilize all available space without unmounting.

Exam trap

Red Hat often tests the distinction between `-l` (extents/percentage) and `-L` (absolute size) in LVM commands, and the requirement to match the filesystem-specific grow tool (xfs_growfs vs. resize2fs) to the filesystem type.

How to eliminate wrong answers

Option B is wrong because `-L +100%FREE` uses an invalid size syntax (the `-L` option expects a size like `+10G`, not a percentage of free space; `-l` is required for extent-based percentages). Additionally, `resize2fs` is for ext2/3/4 filesystems, not XFS. Option C is wrong because `-l +50%FREE` only uses half the free space, not all remaining space as required.

Option D is wrong because `-L +100%VG` is invalid syntax (the `-L` option does not accept `%VG`; only `-l` accepts `%VG`, `%PVS`, `%FREE`, or `%ORIGIN`), and `resize2fs` is incorrect for XFS.

4
Multi-Selecteasy

Which TWO commands can be used to view the contents of a compressed gzip file without decompressing it permanently? (Choose two.)

Select 2 answers
A.zgrep file.gz
B.zless file.gz
C.gunzip file.gz
D.gzip -d file.gz
E.zcat file.gz
AnswersB, E

Allows paging through decompressed data without permanent decompression.

Why this answer

Options B and E are correct. zcat (B) decompresses to stdout, zless (E) allows paging. A and C permanently decompress. D searches text inside the archive.

5
MCQeasy

A user needs to find all files with the '.conf' extension under /etc. Which command should be used?

A.grep -r "*.conf" /etc
B.locate /etc/*.conf
C.ls /etc/*.conf
D.find /etc -name "*.conf"
AnswerD

find recursively searches the directory tree for files matching the pattern.

Why this answer

Option D is correct because the `find` command is designed to search for files and directories based on criteria such as name, type, or size. Using `find /etc -name "*.conf"` recursively searches the entire `/etc` directory tree for files ending in `.conf`, which is the standard and most reliable method for this task.

Exam trap

The trap here is that candidates confuse `grep` (for content search) with `find` (for file search), or assume `ls` with a glob is sufficient, overlooking the need for recursion across subdirectories.

How to eliminate wrong answers

Option A is wrong because `grep -r` searches for text patterns inside file contents, not for filenames; it would attempt to match the literal string "*.conf" within files, not find files with that extension. Option B is wrong because `locate` relies on a pre-built database (updated by `updatedb`) and may not reflect recent changes or include all files under `/etc` by default; also, the pattern `/etc/*.conf` is a shell glob, not a valid `locate` argument. Option C is wrong because `ls /etc/*.conf` only lists files matching the glob in the immediate `/etc` directory, not in subdirectories, and will fail or produce errors if no matches are found or if there are too many matches.

6
MCQeasy

Which command displays the current system time, timezone, and whether NTP synchronization is active?

A.ntpq -p
B.date
C.timedatectl
D.cal
AnswerC

Shows local time, universal time, RTC time, time zone, and NTP status.

Why this answer

The `timedatectl` command (option C) is the correct tool in Red Hat Enterprise Linux (RHEL) for querying and configuring system time, timezone, and NTP synchronization status. It displays the current local time, timezone, and whether NTP is active or enabled in a single, clear output, making it the standard utility for these tasks in systemd-based systems.

Exam trap

The trap here is that candidates often choose `ntpq -p` (option A) because they associate it with NTP, but they overlook that it does not show the system time or timezone, which the question explicitly requires.

How to eliminate wrong answers

Option A is wrong because `ntpq -p` only shows the list of NTP peers and their synchronization status (e.g., delay, offset, jitter), but it does not display the current system time or timezone. Option B is wrong because `date` outputs the current date and time but does not show the timezone name or NTP synchronization status. Option D is wrong because `cal` simply displays a calendar for a given month or year and has no relation to time, timezone, or NTP.

7
MCQhard

During boot, a server fails to mount an NFS filesystem listed in /etc/fstab. Which troubleshooting step should be taken first to isolate the issue?

A.Check the status of remote-fs.target with 'systemctl status remote-fs.target'
B.Check the status of nfs-client.target with 'systemctl status nfs-client.target'
C.Try to manually mount the NFS share with 'mount /mnt/nfs'
D.View kernel messages with 'dmesg | grep -i nfs'
AnswerA

remote-fs.target is responsible for mounting remote filesystems at boot.

Why this answer

Option A is correct because when an NFS filesystem fails to mount during boot, the first step is to check whether the remote-fs.target unit is active. This target is responsible for triggering the mounting of all remote filesystems (including NFS) after the network is available. If remote-fs.target is not active or has failed, the NFS mount will not be attempted, and troubleshooting should start here before investigating the NFS share itself.

Exam trap

Red Hat often tests the misconception that NFS client services (nfs-client.target) are responsible for mounting NFS filesystems, when in fact the mounting is orchestrated by remote-fs.target, and troubleshooting should start there.

How to eliminate wrong answers

Option B is wrong because nfs-client.target is a target that only ensures NFS client services (like rpcbind and nfs-idmapd) are started, but it does not directly control the mounting of filesystems listed in /etc/fstab; the actual mount is governed by remote-fs.target. Option C is wrong because attempting to manually mount the share with 'mount /mnt/nfs' assumes the issue is with the share or network, but if the boot failure is due to a missing or misconfigured remote-fs.target, the manual mount might succeed and mislead the troubleshooting; the correct first step is to check the target status. Option D is wrong because viewing kernel messages with 'dmesg | grep -i nfs' can provide useful details after the target status is verified, but it is not the first step; the boot failure may be caused by a target dependency issue that dmesg would not directly reveal.

8
MCQmedium

An administrator needs to measure the execution time of the command 'backup.sh'. Which command prefix should be used?

A.time
B.date
C.watch
D.timeout
AnswerA

time measures how long a command takes to complete.

Why this answer

The 'time' command is the correct prefix to measure the execution time of a command in Linux. When placed before 'backup.sh', it runs the script and then outputs the real, user, and system time consumed, providing the precise measurement the administrator needs.

Exam trap

The trap here is that candidates may confuse 'time' with 'timeout' because both involve time, but 'timeout' controls execution duration while 'time' measures it.

How to eliminate wrong answers

Option B is wrong because 'date' displays or sets the system date and time, not the execution duration of a command. Option C is wrong because 'watch' repeatedly runs a command at a specified interval (default 2 seconds) to monitor its output, not to measure its execution time. Option D is wrong because 'timeout' runs a command with a time limit and kills it if it exceeds that limit, which is for controlling runtime, not measuring it.

9
MCQmedium

A system administrator needs to find all regular files larger than 10MB in /var/log. Which find command should they use?

A.find /var/log -type f -size -10M
B.find /var/log -type d -size +10M
C.find /var/log -type f -size 10M
D.find /var/log -type f -size +10M
AnswerD

Correct syntax for larger than 10MB.

Why this answer

Option D is correct because it uses `-type f` to select only regular files and `-size +10M` to match files larger than 10 megabytes. The `+` prefix in the `-size` test means 'greater than', which is the correct syntax for finding files exceeding a given size.

Exam trap

Red Hat often tests the `+` and `-` prefix syntax for `-size`, and the trap here is that candidates confuse `-size +10M` with `-size 10M` or `-size -10M`, or they mistakenly use `-type d` instead of `-type f` when the question specifies regular files.

How to eliminate wrong answers

Option A is wrong because `-size -10M` uses the `-` prefix, which means 'less than 10MB', not 'greater than'. Option B is wrong because `-type d` selects directories, not regular files, and the question specifically asks for regular files. Option C is wrong because `-size 10M` without a `+` or `-` prefix matches files exactly 10MB in size, not files larger than 10MB.

10
Multi-Selecthard

Which THREE commands can be used to monitor real-time process status and update the display every 2 seconds? (Choose three.)

Select 3 answers
A.htop
B.top -d 2
C.ps aux
D.watch -n 2 ps aux
E.at 2
AnswersA, B, D

htop is an interactive process viewer that updates in real-time.

Why this answer

A is correct because `htop` is an interactive process viewer that by default updates in real-time (every ~1-2 seconds) and allows you to monitor processes dynamically. It provides a color-coded, user-friendly interface with CPU, memory, and swap usage bars, updating continuously without needing a separate interval flag.

Exam trap

Red Hat often tests the distinction between snapshot commands (like `ps aux`) and real-time monitoring tools (like `top`, `htop`, or `watch`), trapping candidates who think `ps aux` can update continuously without an external wrapper like `watch`.

11
MCQmedium

Refer to the exhibit. Why did the sshd service fail?

A.The service binary is missing.
B.The service start was requested too many times in quick succession.
C.The configuration file /etc/ssh/sshd_config has a syntax error.
D.The system ran out of memory.
AnswerB

The log explicitly says 'start request repeated too quickly', resulting in start-limit.

Why this answer

B is correct because systemd's `StartLimitIntervalSec` and `StartLimitBurst` settings (default: 10 seconds and 5 starts) prevent rapid service restarts. When `sshd` fails repeatedly within the interval, systemd marks it as failed with the status 'start-limit-hit' to avoid resource exhaustion from restart loops.

Exam trap

The trap here is that candidates assume the failure is due to a configuration error or missing binary, but the 'start-limit-hit' status is a systemd mechanism that explicitly indicates too many restart attempts, not a problem with the service itself.

How to eliminate wrong answers

Option A is wrong because if the service binary were missing, `systemctl status sshd` would show 'Exec format error' or 'No such file or directory', not a start-limit-hit failure. Option C is wrong because a syntax error in `/etc/ssh/sshd_config` would cause `sshd` to exit with a specific error message in the journal (e.g., 'Bad configuration option'), not a start-limit-hit from systemd. Option D is wrong because out-of-memory conditions produce OOM-killer logs or 'Cannot allocate memory' errors in the journal, not the start-limit-hit status shown in the exhibit.

12
Multi-Selecteasy

Which TWO commands can be used to view the contents of a compressed file named 'data.log.gz' without decompressing it permanently? (Choose exactly two.)

Select 2 answers
A.gunzip data.log.gz
B.zcat data.log.gz
C.zless data.log.gz
D.gzip -d data.log.gz
E.bzcat data.log.gz
AnswersB, C

zcat decompresses to stdout without modifying the file.

Why this answer

B is correct because `zcat` reads the contents of a gzip-compressed file and outputs them to standard output without permanently decompressing the file. It is functionally equivalent to `gunzip -c` and is the standard tool for viewing compressed text files in place.

Exam trap

Red Hat often tests the distinction between commands that permanently decompress (gunzip, gzip -d) versus those that only view the contents (zcat, zless, zmore), and candidates frequently confuse `bzcat` as a valid alternative for .gz files.

13
MCQhard

An administrator wants to create a symbolic link named 'link_to_hosts' in /tmp that points to /etc/hosts. Which command is correct?

A.ln -s /tmp/link_to_hosts /etc/hosts
B.ln -s /etc/hosts /tmp/link_to_hosts
C.ln -s /etc/hosts link_to_hosts
D.ln -s /tmp/link_to_hosts /etc/hosts
AnswerB

Correct order: target /etc/hosts, link name /tmp/link_to_hosts.

Why this answer

The `ln -s` command creates a symbolic link. The correct syntax is `ln -s TARGET LINK_NAME`. Option B correctly specifies the existing target file `/etc/hosts` first, followed by the new link path `/tmp/link_to_hosts`, which creates the symbolic link in `/tmp` pointing to `/etc/hosts`.

Exam trap

Red Hat often tests the argument order of `ln -s`, where candidates mistakenly place the link name before the target, confusing it with the `cp` or `mv` command syntax where the destination comes last.

How to eliminate wrong answers

Option A is wrong because it reverses the arguments, attempting to create a link named `/etc/hosts` pointing to `/tmp/link_to_hosts`, which would fail if `/etc/hosts` already exists or create an incorrect link. Option C is wrong because it omits the full path for the link name, creating `link_to_hosts` in the current working directory instead of `/tmp` as required. Option D is wrong because it is identical to Option A, with the same reversed argument order, leading to the same incorrect behavior.

14
MCQeasy

Refer to the exhibit. Why does the 'bin' user have /sbin/nologin as its shell?

A.The user's home directory is missing.
B.The user is a system account that should not log in interactively.
C.The user is locked.
D.The shell is not installed.
AnswerB

System accounts use nologin.

Why this answer

Option B is correct because the /sbin/nologin shell is explicitly assigned to system accounts like 'bin' to prevent interactive logins. This shell prints a message and exits, ensuring that the account can only be used for non-interactive system processes, such as owning files or running daemons, without providing a login session.

Exam trap

Red Hat often tests the distinction between a locked account (password disabled) and a non-interactive shell (shell set to /sbin/nologin), leading candidates to confuse the two mechanisms for restricting access.

How to eliminate wrong answers

Option A is wrong because a missing home directory does not cause the shell to be set to /sbin/nologin; the shell field in /etc/passwd is independent of the home directory. Option C is wrong because a locked account (e.g., with 'passwd -l') places an exclamation mark in the password hash field in /etc/shadow, not by changing the shell to /sbin/nologin. Option D is wrong because /sbin/nologin is a valid executable that is part of the util-linux package; if it were missing, the system would fall back to /bin/sh or display an error, but the shell field would not be set to a non-existent path by default.

15
MCQmedium

An administrator needs to compress a directory 'data' into an archive named backup.tar.gz using gzip compression. Which command should they use?

A.gzip -r data > backup.tar.gz
B.tar -cjf backup.tar.gz data
C.tar -xzf backup.tar.gz data
D.tar -czf backup.tar.gz data
AnswerD

Correct: -c create, -z gzip, -f file.

Why this answer

Option D is correct because the `tar -czf` command creates a compressed archive: `-c` creates a new archive, `-z` filters the archive through gzip compression, `-f` specifies the archive filename `backup.tar.gz`, and `data` is the directory to archive. This produces a tarball compressed with gzip, matching the requirement exactly.

Exam trap

The trap here is confusing the compression flags: Red Hat often tests whether candidates know that `-z` is for gzip, `-j` for bzip2, and `-J` for xz, and that `-c` creates while `-x` extracts.

How to eliminate wrong answers

Option A is wrong because `gzip -r` compresses individual files recursively but does not create a single archive; redirecting output with `>` produces a corrupted file, not a valid tar.gz. Option B is wrong because `-j` specifies bzip2 compression, not gzip; this would create `backup.tar.bz2`, not `backup.tar.gz`. Option C is wrong because `-x` extracts an archive instead of creating one; this would attempt to extract from `backup.tar.gz` into the `data` directory, which is the opposite of the required action.

16
Multi-Selectmedium

Which THREE of the following are valid methods to schedule a recurring task in Red Hat Enterprise Linux 8? (Choose exactly three.)

Select 3 answers
A.Using the 'batch' command
B.Creating a systemd timer unit
C.Using the 'at' command
D.Configuring /etc/anacrontab
E.Adding an entry in /etc/crontab
AnswersB, D, E

systemd timers are the modern way to schedule tasks.

Why this answer

Systemd timer units are the modern, recommended method for scheduling recurring tasks in RHEL 8. They replace traditional cron-based scheduling by leveraging systemd's service and timer units, providing features like monotonic timers, calendar events, and integration with systemd's logging and dependency management.

Exam trap

Red Hat often tests the distinction between one-time scheduling tools (at, batch) and recurring scheduling tools (cron, anacron, systemd timers), leading candidates to mistakenly select 'at' or 'batch' for recurring tasks.

17
MCQmedium

A system administrator runs the command 'ls -l' and sees that a file has permissions '-rwxr-xr-x'. The administrator wants to remove execute permission for the group and others while keeping it for the owner. Which chmod command should be used?

A.chmod u-x file
B.chmod 755 file
C.chmod go-x file
D.chmod a+x file
AnswerC

go-x removes execute permission from group and others.

Why this answer

Option C is correct because the command 'chmod go-x file' removes execute permission for group (g) and others (o) while leaving the owner's permissions unchanged. The current permissions '-rwxr-xr-x' indicate owner has rwx, group has r-x, and others have r-x, so removing execute from group and others yields '-rwxr--r--'.

Exam trap

The trap here is that candidates often confuse the symbolic notation (u, g, o, a) and may incorrectly choose 'chmod u-x' thinking it affects group/others, or they misapply numeric modes like 755 which set permissions absolutely rather than modifying them incrementally.

How to eliminate wrong answers

Option A is wrong because 'chmod u-x file' removes execute permission from the owner, not from group and others, which would change the file to '-rw-r-xr-x'. Option B is wrong because 'chmod 755 file' sets permissions to rwxr-xr-x (owner rwx, group r-x, others r-x), which is the current state and does not remove execute from group and others. Option D is wrong because 'chmod a+x file' adds execute permission for all (owner, group, others), which is the opposite of what is needed.

18
MCQhard

A Red Hat Enterprise Linux server has been configured with a custom repository for offline updates. The administrator runs 'yum repolist' and the custom repository is not listed. Which command should be used to verify that the repository configuration file is valid and located in the correct directory?

A.yum repoinfo
B.cat /etc/yum.repos.d/custom.repo
C.yum check-repo
D.yum-config-manager --dump
AnswerB

Directly displays the file content, verifying its existence and location in the correct directory.

Why this answer

Option B is correct because the most direct way to verify that a repository configuration file is valid and located in the correct directory is to check its presence and syntax using 'cat /etc/yum.repos.d/custom.repo'. The repository configuration files must reside in /etc/yum.repos.d/ and have a .repo extension; if the file is missing or malformed, 'yum repolist' will not list the repository. This command simply reads the file, allowing the administrator to confirm its location and inspect its contents for errors.

Exam trap

The trap here is that candidates may assume a specialized yum subcommand exists for repository validation (like 'yum repoinfo' or 'yum check-repo'), when in fact the simplest and most reliable method is to directly inspect the configuration file with 'cat' or 'vim'.

How to eliminate wrong answers

Option A is wrong because 'yum repoinfo' is not a valid yum command; the correct command is 'yum repoinfo <repoid>' to display details about a repository that is already recognized, not to verify the configuration file's existence or validity. Option C is wrong because 'yum check-repo' is not a valid yum command; yum does not have a built-in 'check-repo' subcommand for validating repository configuration files. Option D is wrong because 'yum-config-manager --dump' is used to display the current yum configuration settings, not to verify the location or validity of a specific repository configuration file; it requires the repository to already be recognized.

19
Multi-Selecteasy

Which THREE file descriptors are always available for every Unix process?

Select 3 answers
A.4: socket
B.3: log file
C.2: stderr
D.1: stdout
E.0: stdin
AnswersC, D, E

Always open for error output.

Why this answer

Option C is correct because file descriptor 2 (stderr) is one of the three standard file descriptors that every Unix process inherits from its parent process. These descriptors are opened automatically by the kernel when a process starts, providing default channels for input (stdin, fd 0), output (stdout, fd 1), and error output (stderr, fd 2).

Exam trap

Red Hat often tests the misconception that file descriptors beyond 0, 1, and 2 are standard or always available, leading candidates to select options like '3: log file' or '4: socket' as if they were universally present.

20
MCQmedium

Refer to the exhibit. An administrator runs these commands on a server. The administrator suspects a performance issue. Which observation from the exhibit is most likely causing a bottleneck?

A.The 'notifempty' directive may cause delays in rotation.
B.The 'compress' directive uses bzip2 by default, which is not installed.
C.The 'weekly' directive uses cron syntax incorrectly.
D.The 'create' directive requires root privileges, but the job runs as appuser.
AnswerD

The logrotate job run by appuser cannot change ownership to appuser or appgroup without sudo.

Why this answer

Option D is correct because the `create` directive in logrotate requires root privileges to create new log files with the specified ownership and permissions. Since the job runs as `appuser`, it lacks the necessary privileges to execute the `create` directive, causing the rotation to fail and potentially leading to a bottleneck as logs are not rotated properly.

Exam trap

Red Hat often tests the misconception that `compress` defaults to bzip2 or that `weekly` uses cron syntax, but the real trap here is overlooking that `create` requires root privileges, which is a common oversight when configuring logrotate for non-root users.

How to eliminate wrong answers

Option A is wrong because `notifempty` prevents rotation of empty log files, which avoids unnecessary rotations and does not cause delays; it is a standard optimization. Option B is wrong because `compress` uses gzip by default, not bzip2, and even if bzip2 were intended, logrotate would fall back to no compression or fail gracefully, not cause a bottleneck. Option C is wrong because `weekly` is a valid logrotate frequency directive that uses its own scheduling logic, not cron syntax; it correctly triggers rotation once per week.

21
MCQeasy

A junior administrator is tasked with finding all files in the /var/log directory that have been modified within the last 24 hours and are owned by the 'root' user. The administrator runs the command: find /var/log -user root -mtime 0. However, the command returns no output, even though there are files that meet the criteria. What is the most likely issue with the find command?

A.The /var/log path is not accessible; the administrator should use sudo.
B.The -user root argument is invalid; it should be -uid 0.
C.The find command requires the -type f argument to search for files only.
D.The -mtime 0 argument is incorrect; it should be -mtime -1 to find files modified in the last 24 hours.
AnswerD

Correct: -mtime -1 finds files modified less than 24 hours ago; -mtime 0 finds files exactly 24 hours ago.

Why this answer

Option D is correct because `-mtime 0` matches files modified exactly 24 hours ago (i.e., between 0 and 24 hours ago, but not including the current 24-hour window). To find files modified within the last 24 hours (i.e., less than 24 hours ago), the correct argument is `-mtime -1`, which matches files modified less than 1 day ago. The administrator's command returns no output because no files have a modification time that falls exactly in the 24-hour-old window.

Exam trap

The trap here is that candidates confuse `-mtime 0` with 'modified within the last 24 hours' when it actually means 'modified exactly 24 hours ago', leading them to choose a different wrong option or think the command is correct.

How to eliminate wrong answers

Option A is wrong because the `/var/log` directory is typically accessible by any user for reading file metadata; the issue is not about permissions but the `-mtime` logic. Option B is wrong because `-user root` is a valid and correct argument; `-uid 0` would also work but is not required, and the command's failure is not due to the user specification. Option C is wrong because `-type f` is not required to find files; `find` searches for all entry types (files, directories, symlinks) by default, and the problem is not about filtering to files only.

22
MCQhard

A system administrator is troubleshooting a cron job that runs a script as root. The script is located at /root/scripts/backup.sh and has permissions 755. The cron job is defined in /etc/crontab with the line: 0 2 * * * root /root/scripts/backup.sh. However, the script does not run at the scheduled time. The administrator checks the cron logs and finds no errors. The administrator then runs the script manually as root and it executes successfully. What is the most likely cause of the cron job not running?

A.The cron job line uses absolute path to the script but the script requires an environment variable that is not set in cron's minimal environment.
B.The script is not executable by the root user.
C.The cron daemon is not running.
D.The /etc/crontab file does not allow running scripts from /root.
AnswerA

Cron runs with a sparse environment. The script may depend on variables like PATH or custom variables that are not exported.

Why this answer

Option A is correct because cron jobs run with a minimal environment, typically lacking user-specific environment variables like PATH, HOME, or custom variables set in shell startup files. The script at /root/scripts/backup.sh may rely on an environment variable (e.g., a database password or directory path) that is defined in root's interactive shell but not in cron's environment. When run manually as root, the variable is available, but cron does not source /root/.bashrc or /root/.bash_profile, causing the script to fail silently or not execute as expected.

Exam trap

Red Hat often tests the misconception that file permissions or cron daemon status are the primary causes of cron job failures, when in reality the minimal cron environment and missing environment variables are the subtle but frequent issue.

How to eliminate wrong answers

Option B is wrong because the script has permissions 755, which includes execute permission for the owner (root), so it is executable by root. Option C is wrong because if the cron daemon were not running, the cron logs would typically show an error or the job would not be logged at all; the administrator found no errors in the logs, indicating the daemon is active. Option D is wrong because /etc/crontab has no restriction on running scripts from /root; the root user can execute scripts from any directory, and the cron job specifies the user 'root' explicitly.

23
MCQhard

A user is unable to delete a file named '-f' in the current directory. Which command will successfully remove it?

A.rm \-f
B.rm -- -f
C.rm -f
D.rm "-f"
AnswerB

-- ends option parsing, so -f is treated as a filename.

Why this answer

Option B is correct because the '--' double dash signals the end of command options to most Linux utilities, including rm. This allows rm to interpret '-f' as a literal filename rather than the '--force' option, enabling its deletion.

Exam trap

The trap here is that candidates assume quoting or escaping the dash will prevent option parsing, but only the '--' separator reliably tells rm to stop interpreting arguments as options.

How to eliminate wrong answers

Option A is wrong because 'rm \-f' escapes the hyphen with a backslash, but rm still interprets '-f' as the force option, not a filename. Option C is wrong because 'rm -f' is the standard force-delete option, which does not target a file named '-f' and will fail or delete unintended files. Option D is wrong because 'rm "-f"' uses quotes, but the shell still passes the string '-f' as an argument, which rm interprets as the force option, not a filename.

24
MCQeasy

A system administrator needs to view the last 10 lines of the log file /var/log/messages in real time as new lines are added. Which command should be used?

A.tail -f /var/log/messages
B.less /var/log/messages
C.head -n 10 /var/log/messages
D.cat /var/log/messages
AnswerA

tail -f outputs the last 10 lines and updates in real time.

Why this answer

The `tail -f /var/log/messages` command displays the last 10 lines of the file by default and then continues to output new lines as they are appended, providing real-time monitoring. The `-f` (follow) option keeps the file open and polls for changes, making it the correct tool for live log watching.

Exam trap

Red Hat often tests the distinction between `tail -f` and `tail` without `-f`, where candidates mistakenly think `tail` alone provides real-time updates, or confuse `head` and `tail` for viewing the end of a file.

How to eliminate wrong answers

Option B is wrong because `less` is a pager that shows the file content page by page but does not automatically follow new lines in real time (unless used with `+F` mode, which is not specified). Option C is wrong because `head -n 10` only shows the first 10 lines, not the last 10, and does not follow updates. Option D is wrong because `cat` dumps the entire file to stdout and exits, providing no real-time monitoring capability.

25
MCQhard

A developer needs to compile software from source and install it under /opt/custom. To avoid affecting the system package manager, which approach should be used?

A.Compile and install with default paths, then use 'make uninstall' to remove
B.Compile with './configure --prefix=/opt/custom' and use 'checkinstall' to create an RPM
C.Compile with './configure --prefix=/usr' and then install
D.Compile with './configure --prefix=/opt/custom' and then 'make install'
AnswerD

Keeps installation isolated in /opt/custom.

Why this answer

Option D is correct because using `./configure --prefix=/opt/custom` sets the installation root to `/opt/custom`, which keeps the compiled software completely separate from the system-managed directories (e.g., `/usr`, `/usr/local`). Running `make install` then installs all files under this custom prefix, ensuring the system package manager (RPM/YUM/DNF) is not affected by the manual installation.

Exam trap

Red Hat often tests the misconception that `--prefix=/usr/local` is safe, but the trap here is that `/usr/local` can still be managed by the system package manager in some configurations, and the only way to guarantee no interference is to use a completely separate directory like `/opt/custom`.

How to eliminate wrong answers

Option A is wrong because compiling with default paths (typically `/usr/local`) still places files in a location that may conflict with system-managed packages, and `make uninstall` is unreliable (many Makefiles do not support it or leave residual files). Option B is wrong because `checkinstall` creates an RPM that, when installed, registers the software with the system package manager, which defeats the goal of avoiding package manager interference. Option C is wrong because `--prefix=/usr` installs directly into the system-managed directory, which can overwrite or conflict with RPM-managed files and corrupt the package database.

26
MCQeasy

A new Linux administrator needs to read the manual page for the 'ls' command but also wants to search for the word 'color' within the manual. Which command accomplishes this?

A.man -k color
B.man ls and then type /color
C.man ls | grep color
D.man color
AnswerB

Within man, / searches for the string.

Why this answer

Option B is correct because the man command opens the manual page for 'ls', and typing '/color' within the pager (usually less) performs an interactive forward search for the string 'color'. This allows the administrator to read the manual and search for the term in one session.

Exam trap

The trap here is that candidates may confuse 'man -k' (keyword search in manual page descriptions) with searching within a specific manual page, or they may think piping to grep is equivalent to the interactive search inside the man pager.

How to eliminate wrong answers

Option A is wrong because 'man -k color' searches the manual page name and short description (whatis database) for the keyword 'color', not within the content of a specific manual page. Option C is wrong because 'man ls | grep color' pipes the formatted output of the man page to grep, which searches for 'color' but does not allow interactive reading of the manual; it also may miss matches due to formatting escape sequences. Option D is wrong because 'man color' attempts to open a manual page named 'color', which does not exist as a standard command, and does not search within the 'ls' manual.

27
MCQeasy

A system administrator needs to find all files modified in the last 24 hours under /var/log. Which command accomplishes this?

A.find /var/log -ctime -1
B.find /var/log -atime -1
C.find /var/log -mmin 1440
D.find /var/log -mtime -1
AnswerD

-mtime -1 finds files modified in the last 24 hours.

Why this answer

Option D is correct because `find /var/log -mtime -1` searches for files under `/var/log` whose modification time (`mtime`) is less than 1 day ago (i.e., modified within the last 24 hours). The `-mtime` flag checks the last modification time of file content, which is the standard criterion for 'modified' files.

Exam trap

The trap here is confusing `-mtime -1` (modified within the last 24 hours) with `-mtime 1` (modified exactly 1 day ago) or with `-ctime` (metadata change), leading candidates to pick options that check the wrong timestamp or an exact time rather than a range.

How to eliminate wrong answers

Option A is wrong because `-ctime -1` checks the last change time of file metadata (inode change), not the modification of file content; this includes permission or ownership changes, not just content edits. Option B is wrong because `-atime -1` checks the last access time (read time), which is unrelated to file modification and can be misleading due to access caching. Option C is wrong because `-mmin 1440` checks for files modified exactly 1440 minutes ago (i.e., exactly 24 hours ago), not within the last 24 hours; the `-mmin` flag with a positive number matches files modified exactly that many minutes ago, not a range.

28
MCQeasy

A system administrator is trying to compress the contents of the directory /home/user/project into a tarball named project_backup.tar.gz using the command: tar -czf project_backup.tar.gz /home/user/project. The command completes without errors, but when the administrator tries to list the contents of the tarball using tar -tzf project_backup.tar.gz, it shows a leading slash (/) in the paths, like /home/user/project/file1. The administrator wants to create the tarball with relative paths instead. What change should be made to the tar command?

A.Use tar -czf project_backup.tar.gz --absolute-names /home/user/project
B.Use tar -czf project_backup.tar.gz -P /home/user/project
C.Use tar -czf project_backup.tar.gz -C /home/user project
D.Use tar -czf project_backup.tar.gz -h /home/user/project
AnswerC

The -C option changes to /home/user and then archives the 'project' directory, resulting in relative paths.

Why this answer

Option C is correct because the `-C` option changes the working directory to `/home/user` before archiving, so the argument `project` is interpreted as a relative path. This strips the leading slash and stores paths like `project/file1` instead of absolute paths. The `-C` option is the standard way to create tarballs with relative paths in a single command.

Exam trap

Red Hat often tests the `-C` option as the correct way to create tarballs with relative paths, and the trap here is that candidates mistakenly think `-P` or `--absolute-names` removes leading slashes, when in fact they preserve them.

How to eliminate wrong answers

Option A is wrong because `--absolute-names` (or `-P`) preserves absolute paths, which is the opposite of what the administrator wants. Option B is wrong because `-P` is the short form of `--absolute-names` and also preserves leading slashes, not removes them. Option D is wrong because `-h` (or `--dereference`) follows symlinks and archives the files they point to, but does not affect path stripping or relative path creation.

29
MCQmedium

An administrator receives an alert that a process named 'apache2' is consuming excessive CPU. The administrator needs to identify the PID of the process and then change its priority to the lowest possible value (least favorable scheduling). Which sequence of commands should be used?

A.pidof apache2; renice -n 20 -p <PID>
B.pidof apache2; renice -n 19 -p <PID>
C.ps -C apache2 -o pid=; renice -n -20 -p <PID>
D.ps aux | grep apache2; nice -n 19 <PID>
AnswerB

pidof gives PID, renice -n 19 sets low priority.

Why this answer

Option B is correct because `pidof apache2` retrieves the PID of the apache2 process, and `renice -n 19 -p <PID>` sets the priority to the lowest possible (least favorable) scheduling value. In Linux, `renice` accepts nice values from -20 (highest priority) to 19 (lowest priority), so 19 is the correct value for the least favorable scheduling.

Exam trap

Red Hat often tests the exact range of nice values (0-19 for non-root users, -20 to 19 for root) and the distinction between `nice` (for starting processes) and `renice` (for changing priority of running processes), leading candidates to confuse the two or use out-of-range values.

How to eliminate wrong answers

Option A is wrong because it uses `renice -n 20`, but the valid nice range is -20 to 19; a value of 20 is out of range and will be rejected or clamped. Option C is wrong because it uses `renice -n -20`, which sets the highest priority (most favorable scheduling), not the lowest. Option D is wrong because `nice` is used to start a new process with a given priority, not to change the priority of an existing process; also, the syntax `nice -n 19 <PID>` is incorrect as `nice` expects a command, not a PID.

30
MCQeasy

A user needs to view the last 15 lines of a log file that is constantly being updated. Which command should they use?

A.tail -n 15 /var/log/messages
B.tail -f /var/log/messages
C.cat /var/log/messages
D.head -15 /var/log/messages
AnswerA

Shows last 15 lines.

Why this answer

Option A is correct because the `tail -n 15 /var/log/messages` command displays the last 15 lines of the specified log file without following it. This meets the requirement to view the last 15 lines of a file that is constantly being updated, as it provides a static snapshot of the most recent entries.

Exam trap

The trap here is that candidates often confuse `tail -f` (which follows the file in real time) with `tail -n` (which shows a specific number of lines from the end), leading them to choose option B when the requirement is for a static view of the last lines.

How to eliminate wrong answers

Option B is wrong because `tail -f /var/log/messages` continuously follows the file, displaying new lines as they are appended, which does not limit the output to the last 15 lines and is not suitable for a one-time view. Option C is wrong because `cat /var/log/messages` outputs the entire file content, which is impractical for viewing only the last 15 lines, especially in a large log file. Option D is wrong because `head -15 /var/log/messages` displays the first 15 lines, not the last 15 lines, which is the opposite of what the user needs.

31
MCQeasy

A system administrator has created a new group named 'ops'. The administrator wants to add the existing user 'alice' to this group as a supplementary group without affecting her current group memberships. Which command should be used?

A.usermod -aG ops alice
B.usermod -G ops alice
C.groupadd ops alice
D.usermod -g ops alice
AnswerA

The -aG flag appends the user to the supplementary group 'ops' while preserving existing group memberships.

Why this answer

Option A is correct because the `-a` (append) flag combined with `-G` (supplementary groups) in `usermod` adds the user 'alice' to the 'ops' group without removing her from any existing supplementary groups. Without `-a`, the `-G` flag alone would replace the user's current supplementary group list with only the specified groups, which would remove her from any other groups she already belongs to.

Exam trap

The trap here is that candidates often forget the `-a` flag and choose `usermod -G ops alice`, mistakenly thinking it adds the user to the group, when in fact it replaces all supplementary group memberships.

How to eliminate wrong answers

Option B is wrong because `usermod -G ops alice` without the `-a` flag sets the user's supplementary groups to exactly 'ops', overwriting and removing all other supplementary group memberships. Option C is wrong because `groupadd` creates a new group, not a user; the syntax `groupadd ops alice` is invalid and would fail or be misinterpreted. Option D is wrong because `usermod -g ops alice` changes the user's primary group (the group listed in /etc/passwd) to 'ops', not a supplementary group, and would alter the default group ownership for files created by alice.

32
MCQhard

A system administrator wants to monitor all files in /var/log that are currently being written to by processes. Which command shows file descriptors that are open for writing by any process?

A.inotifywait -m /var/log
B.lsof +D /var/log | grep -E '(REG|DIR).*[0-9]+[w]'
C.fuser -v /var/log
D.lsof /var/log
AnswerB

lsof +D recursively lists open files in directory, and the grep filters for regular files with write access.

Why this answer

Option B is correct because `lsof +D /var/log` lists all open file descriptors under the /var/log directory recursively, and the `grep` pattern `(REG|DIR).*[0-9]+[w]` filters for regular files or directories with a write file descriptor (the 'w' in the file descriptor mode column). This directly shows which files are currently being written to by any process.

Exam trap

The trap here is that candidates often pick `inotifywait` (option A) because it monitors writes in real-time, but the question asks for files *currently being written to* (current state), not future events, and `lsof` is the correct tool for listing open descriptors.

How to eliminate wrong answers

Option A is wrong because `inotifywait -m /var/log` monitors filesystem events (like writes) in real-time but does not show currently open file descriptors; it only reports events as they happen, not the current state. Option C is wrong because `fuser -v /var/log` shows processes using the /var/log directory itself (as a file or mount point), not the individual files within it that are open for writing. Option D is wrong because `lsof /var/log` without the `+D` flag only lists open file descriptors for the /var/log directory itself, not recursively for all files inside it.

33
MCQhard

An administrator needs to list the permissions, owner, group, and filenames of all files in /var/log, including hidden files, in a human-readable format. Which command does this?

A.ls -lh /var/log
B.ls -la /var/log
C.ls -ld /var/log
D.ls -lah /var/log
AnswerD

Combines -l (long), -a (all), -h (human-readable) to meet all requirements.

Why this answer

Option D is correct because `ls -lah /var/log` combines the `-l` (long format), `-a` (show all files including hidden ones), and `-h` (human-readable sizes) flags. This meets all requirements: listing permissions, owner, group, filenames, and hidden files with sizes in KiB/MiB/GiB.

Exam trap

The trap here is that candidates may forget the `-a` flag for hidden files or the `-h` flag for human-readable sizes, assuming `-l` alone provides enough detail, or they might mistakenly choose `-ld` thinking it lists directory contents.

How to eliminate wrong answers

Option A is wrong because `ls -lh /var/log` omits the `-a` flag, so hidden files (those starting with a dot) are not listed. Option B is wrong because `ls -la /var/log` includes hidden files but lacks the `-h` flag, so file sizes are displayed in raw bytes rather than human-readable format. Option C is wrong because `ls -ld /var/log` uses the `-d` flag, which lists only the directory itself (its metadata) and not its contents.

34
MCQmedium

A user wants to display the contents of a file in reverse line order. Which command should be used?

A.tail -r file
B.sort -r file
C.rev file
D.tac file
AnswerD

tac is cat reversed, prints lines in reverse order.

Why this answer

The `tac` command is the standard Linux utility for displaying a file in reverse line order. It reads the file from the last line to the first, effectively reversing the line sequence. This is the correct tool for the task described.

Exam trap

The trap here is that candidates may confuse `tac` with `tail` or `rev`, or incorrectly assume `sort -r` reverses line order, when in fact `tac` is the specific command for reversing line order in a file.

How to eliminate wrong answers

Option A is wrong because `tail -r` is not a valid command in standard Linux; `tail` displays the last lines of a file, and the `-r` flag is not supported. Option B is wrong because `sort -r` sorts lines in reverse alphabetical order, not reverse line order. Option C is wrong because `rev` reverses the characters within each line, not the order of lines themselves.

35
MCQmedium

An administrator needs to schedule a script to run every Monday, Wednesday, and Friday at 2:30 PM. Which cron expression should be used?

A.30 14 * * 1,3,5
B.30 14 * * 1-5
C.14 30 * * 1,3,5
D.30 14 * * 0,2,4
AnswerA

Correct: 30th minute, 14th hour, every day of month, every month, on Monday (1), Wednesday (3), Friday (5).

Why this answer

Option A is correct because cron uses five fields (minute, hour, day-of-month, month, day-of-week). 2:30 PM is 14:30 in 24-hour format, so minute=30 and hour=14. The day-of-week field uses 0-7 (0 and 7 = Sunday), with Monday=1, Wednesday=3, Friday=5. The asterisks for day-of-month and month mean 'every day' and 'every month', so the expression `30 14 * * 1,3,5` runs the script at 2:30 PM on Monday, Wednesday, and Friday.

Exam trap

Red Hat often tests the 24-hour time format and the correct ordering of minute and hour fields, causing candidates to swap them (as in Option C) or to confuse the day-of-week numbering (Sunday=0 vs Monday=1) as seen in Option D.

How to eliminate wrong answers

Option B is wrong because `1-5` in the day-of-week field specifies Monday through Friday (days 1,2,3,4,5), which includes Tuesday and Thursday, not just Monday, Wednesday, and Friday. Option C is wrong because the fields are reversed: `14 30` would mean minute=14 and hour=30, which is invalid (hour 30 does not exist) and would never run at 2:30 PM. Option D is wrong because `0,2,4` in the day-of-week field corresponds to Sunday (0), Tuesday (2), and Thursday (4), which is the wrong set of days.

36
MCQeasy

An administrator wants to display a list of all currently logged-in users. Which command is most appropriate?

A.who
B.w
C.last
D.users
AnswerA

Displays currently logged-in users.

Why this answer

The `who` command displays a list of currently logged-in users along with their terminal, login time, and originating host. It is the most straightforward and appropriate command for this specific task, as it directly queries the system's utmp database to show active sessions.

Exam trap

The trap here is that candidates often confuse `w` (which shows additional process information) with `who` for a simple user listing, or mistakenly think `last` shows current users because it lists login records.

How to eliminate wrong answers

Option B is wrong because `w` shows detailed information about currently logged-in users, including their current process and CPU usage, but it is more verbose than needed for simply listing users. Option C is wrong because `last` displays a history of previous logins and logouts from the wtmp file, not currently logged-in users. Option D is wrong because `users` prints only the usernames of currently logged-in users, but it does not show terminal or login time details, making it less comprehensive than `who` for a full list.

37
MCQhard

A system administrator wants to find all files in /var that are larger than 100MB and have been modified within the last 7 days. The output should be a list of file paths with sizes in human-readable format, sorted by size descending. Which command pipeline accomplishes this?

A.find /var -type f -size +100M -mtime -7 -ls | sort -k7 -n
B.find /var -type f -size +100M -mtime -7 -exec ls -lh {} \; | sort -k5 -h
C.find /var -type f -size +100M -mtime -7 -exec du -h {} + | sort -rh
D.find /var -type f -size +100M -mtime -7 -printf '%s %p\n' | sort -n -r | head -20
AnswerC

du -h gives human-readable sizes, sort -rh sorts by size descending correctly.

Why this answer

Option C is correct because it uses `find` with `-size +100M` and `-mtime -7` to match files larger than 100MB modified within 7 days, then `-exec du -h {} +` aggregates sizes in human-readable format, and `sort -rh` sorts by the first field (size) in reverse human-numeric order, producing the required descending list.

Exam trap

Red Hat often tests the distinction between `-exec ls -lh` and `-exec du -h` for human-readable sizes, and the requirement for `sort -rh` (reverse human-numeric) versus `sort -n` (plain numeric) to correctly sort sizes with suffixes like 'M' or 'G'.

How to eliminate wrong answers

Option A is wrong because `-ls` outputs a detailed listing with size in the 7th column, but `sort -k7 -n` sorts numerically on that column, which does not handle human-readable suffixes (e.g., 'M', 'G') and would sort incorrectly. Option B is wrong because `-exec ls -lh {} \;` runs `ls` per file, but `sort -k5 -h` sorts by the 5th column (size), which works for human-readable sizes; however, `ls -lh` output includes multiple columns and the size column may vary in position (e.g., with symlinks or ACLs), and the pipeline lacks `-r` for descending order, so it would sort ascending, not descending. Option D is wrong because `-printf '%s %p\n'` prints size in bytes (not human-readable) and `sort -n -r` sorts numerically descending, but the output is not in human-readable format as required, and `head -20` limits output to 20 lines, which is not requested.

38
MCQmedium

A system administrator needs to replace all occurrences of 'enabled' with 'disabled' in /etc/ssh/sshd_config, but only on lines that do not start with '#'. Which sed command accomplishes this?

A.sed '/^#/!s/enabled/disabled/g' /etc/ssh/sshd_config
B.sed 's/enabled/disabled/g' /etc/ssh/sshd_config
C.sed -n '/^#/!s/enabled/disabled/gp' /etc/ssh/sshd_config
D.sed '/^#/s/enabled/disabled/g' /etc/ssh/sshd_config
AnswerA

Correctly skips comment lines and replaces all occurrences on non-comment lines.

Why this answer

Option A is correct because it uses an address range `/^#/!` to negate lines starting with `#` (comments), then applies the substitution `s/enabled/disabled/g` only to non-comment lines. The `!` operator inverts the match, so the command acts on lines that do NOT match the pattern, which is exactly what the requirement specifies.

Exam trap

The trap here is that candidates may confuse the `!` negation operator with the `-n` suppress-print option, or mistakenly apply the substitution to commented lines instead of non-commented lines, leading to incorrect configuration changes.

How to eliminate wrong answers

Option B is wrong because it applies the substitution to all lines, including commented lines, which violates the requirement to only change lines that do not start with `#`. Option C is wrong because the `-n` flag suppresses automatic printing, and `gp` prints only lines where a substitution occurred; this would output only changed lines, not the entire file, so it does not produce the full modified configuration. Option D is wrong because the address `/^#/` selects only lines that start with `#` (comments), so the substitution is applied to comments instead of non-comment lines, which is the opposite of what is needed.

39
MCQhard

A system administrator notices that a server is responding slowly. The administrator runs `top` and sees a process named `backup_script` consuming 95% CPU. The process runs as root and is supposed to run nightly backups. However, the system load average is low. The administrator wants to investigate without killing the process. Which of the following is the best course of action?

A.Use `renice -n 19 -p <PID>` to lower the priority of the process.
B.Use `nice -n 19 ./backup_script` to start the process with lower priority next time.
C.Use `chrt -i 0 <PID>` to set the scheduling policy to idle.
D.Use `kill -STOP <PID>` to pause the process and then resume later.
AnswerA

This reduces CPU impact while allowing the process to continue.

Why this answer

Option A is correct because `renice -n 19 -p <PID>` lowers the CPU scheduling priority of the running `backup_script` process to the lowest possible value (19), which reduces its CPU consumption without killing it. This allows the administrator to investigate the cause of the high CPU usage while minimizing the impact on other processes and system responsiveness.

Exam trap

Red Hat often tests the distinction between `nice` (for starting a new process) and `renice` (for adjusting an existing process), and candidates may confuse the two or think `nice` can be applied to a running process.

How to eliminate wrong answers

Option B is wrong because `nice` sets the priority of a new process, not an already running one; the administrator needs to adjust the priority of the currently running `backup_script`, not start a new instance. Option C is wrong because `chrt -i 0 <PID>` sets the scheduling policy to SCHED_IDLE, which is an idle scheduling class that only runs when no other process needs the CPU, but this is a more drastic change than needed and may not be appropriate for a backup script that should eventually complete; also, the `-i` option is for SCHED_IDLE, but the correct syntax for setting idle policy is `chrt -i 0 <PID>` (though `chrt` typically uses `-i` for idle, but the policy value 0 is for SCHED_OTHER, not idle — the trap is that `chrt -i` expects a priority argument, and 0 is not valid for idle). Option D is wrong because `kill -STOP` pauses the process, which would halt the backup entirely, preventing it from completing its work and potentially leaving data in an inconsistent state; the administrator wants to investigate without killing or stopping the process.

40
Multi-Selectmedium

Which THREE actions will create a new empty file named 'testfile' in the current directory? (Choose three.)

Select 3 answers
A.> testfile
B.ls > testfile
C.touch testfile
D.cp /dev/null testfile
E.echo "content" > testfile
AnswersA, C, D

Output redirection with no command creates an empty file.

Why this answer

Option A is correct because the shell redirection operator `>` without a preceding command truncates or creates the specified file. When used alone, `> testfile` opens 'testfile' for writing, which creates an empty file if it does not exist, or truncates it to zero length if it does. This is a standard POSIX shell feature.

Exam trap

The trap here is that candidates may think only `touch` creates an empty file, overlooking the shell redirection operator `>` used alone and the `cp /dev/null` technique, both of which are valid methods for creating or truncating files to empty.

41
Multi-Selecthard

Which TWO methods can be used to permanently set the system's hostname to 'server01.example.com'?

Select 2 answers
A.hostnamectl set-hostname server01.example.com
B.echo '127.0.1.1 server01.example.com' >> /etc/hosts
C.echo 'server01.example.com' > /etc/hostname
D.hostname server01.example.com
E.echo 'HOSTNAME=server01.example.com' >> /etc/sysconfig/network
AnswersA, C

Updates the static hostname persistently.

Why this answer

Option A is correct because `hostnamectl set-hostname server01.example.com` is the systemd-based command that permanently sets the hostname by writing to `/etc/hostname` and applying the change immediately via the `hostnamed` service. This is the recommended method on RHEL 8/9 systems, as it updates both the transient and static hostnames, ensuring persistence across reboots.

Exam trap

The trap here is that candidates confuse setting the hostname with hostname resolution, picking option B (editing `/etc/hosts`) because they think it permanently sets the hostname, when it only affects local DNS-like lookups and does not change the system's actual hostname.

42
MCQmedium

A Red Hat Enterprise Linux server has multiple network interfaces, and the administrator needs to ensure that the service 'httpd' starts automatically after a reboot. The administrator has already enabled the service using 'systemctl enable httpd', but after a reboot, the service is not running. The administrator checks the status and finds that the service is enabled but not started. The system uses systemd. Which additional step is required to ensure the service starts automatically at boot?

A.Set the service to be started by the network target using systemctl add-wants.
B.Run systemctl start httpd after enabling it.
C.Check that the service's unit file has an [Install] section and is properly configured.
D.Create a symlink in /etc/rc.d/rc3.d/ for the service.
AnswerC

Without an [Install] section, systemctl enable may not create the required symlinks in the .wants directory.

Why this answer

Option C is correct because for a service to start automatically at boot, its unit file must contain a properly configured [Install] section that defines the target (e.g., WantedBy=multi-user.target). Running 'systemctl enable httpd' creates the necessary symlinks only if the [Install] section is present. Without it, 'systemctl enable' may succeed silently but no symlinks are created, so the service is marked as enabled but never started by systemd at boot.

Exam trap

The trap here is that candidates assume 'systemctl enable' always guarantees automatic startup at boot, but they overlook the critical requirement of a properly configured [Install] section in the unit file, which is essential for systemd to create the necessary boot-time symlinks.

How to eliminate wrong answers

Option A is wrong because 'systemctl add-wants' is not a valid systemd command; the correct command is 'systemctl add-wants' (though it exists, it is rarely used and not the standard way to ensure a service starts at boot; the proper method is to rely on the [Install] section and 'systemctl enable'). Option B is wrong because 'systemctl start httpd' only starts the service immediately; it does not configure automatic startup at boot, which is the goal after a reboot. Option D is wrong because modern RHEL systems use systemd, not SysV init; creating symlinks in /etc/rc.d/rc3.d/ is an outdated approach and will not work with systemd, which uses unit files and targets.

43
MCQmedium

A user complains that the 'ls' command no longer outputs colors. The administrator suspects a change in environment variables. Which command would help diagnose the issue?

A.set
B.declare
C.env
D.alias
AnswerC

Lists environment variables including LS_COLORS.

Why this answer

Option C is correct because the `env` command displays all current environment variables, which directly affect the behavior of commands like `ls`. The `ls` command uses the `LS_COLORS` environment variable to determine color output; if this variable is missing or altered, colors will not appear. Running `env` allows the administrator to inspect the current environment and identify if `LS_COLORS` has been changed or unset.

Exam trap

The trap here is that candidates often confuse `env` with `set` or `declare`, thinking all three show the same information, but `env` specifically shows only exported environment variables, which is exactly what affects child processes like `ls`.

How to eliminate wrong answers

Option A is wrong because `set` displays shell variables (including local variables) and shell functions, not just environment variables; it may show environment variables but is not the standard tool for diagnosing environment-specific issues like `LS_COLORS`. Option B is wrong because `declare` is used to declare and display shell variables and attributes in Bash, but it is not the primary command for listing environment variables; it also shows local variables and functions, which can clutter the output. Option D is wrong because `alias` displays or defines command aliases, which are not environment variables; while an alias could override `ls` (e.g., `alias ls='ls --color=auto'`), the question specifically points to a change in environment variables, not aliases.

44
MCQmedium

An administrator needs to terminate a hung process with PID 3456 that does not respond to 'kill -15 3456'. Which signal should be used next?

A.kill -9 3456
B.kill -15 3456
C.kill -19 3456
D.kill -1 3456
AnswerA

Forceful kill; cannot be caught.

Why this answer

Option A is correct because kill -9 (SIGKILL) is the signal of last resort for a process that does not respond to SIGTERM (kill -15). SIGKILL cannot be caught, blocked, or ignored by the process; it forces immediate termination by the kernel. Since the process is hung and unresponsive to SIGTERM, SIGKILL is the appropriate next step.

Exam trap

Red Hat often tests the distinction between signals that can be caught/ignored (SIGTERM, SIGHUP) and those that cannot (SIGKILL, SIGSTOP), and candidates may mistakenly choose SIGSTOP (kill -19) thinking it will terminate the process, when it actually only suspends it.

How to eliminate wrong answers

Option B is wrong because kill -15 (SIGTERM) was already attempted and the process did not respond; repeating the same signal will not change the outcome. Option C is wrong because kill -19 (SIGSTOP) suspends a process rather than terminating it, which would leave the hung process in a stopped state, not resolve the issue. Option D is wrong because kill -1 (SIGHUP) typically causes a process to reread its configuration or terminate gracefully, but it is not a guaranteed termination signal and may be ignored or handled by the process, similar to SIGTERM.

45
MCQmedium

An administrator notices that the /tmp directory is filling up quickly. They want to find all files in /tmp that are larger than 100 MB and owned by user 'ftp', then delete them. The administrator runs: find /tmp -type f -size 100M -user ftp -exec rm {} \;. However, this command deletes only files that are exactly 100 MB, not larger. Which find expression should be used instead?

A.find /tmp -type f -size 100M -user ftp -exec rm {} \;
B.find /tmp -type f -size +100M -user ftp -exec rm {} \;
C.find /tmp -type f -size +100M ! -size 100M -user ftp -exec rm {} \;
D.find /tmp -type f -size +100M -size -100M -user ftp -exec rm {} \;
AnswerB

The + prefix means greater than the specified size, so +100M selects files larger than 100 MB.

Why this answer

Option B is correct because the `find` command uses `+` before a size value to match files larger than that size, not exactly equal. The original command omitted the `+`, so it matched only files exactly 100 MB. Adding `+100M` correctly selects files larger than 100 MB.

Exam trap

Red Hat often tests the subtle difference between exact size matching and size range matching using the `+` and `-` prefixes, trapping candidates who assume `-size 100M` means 'greater than or equal to' instead of 'exactly equal to'.

How to eliminate wrong answers

Option A is wrong because `-size 100M` matches files exactly 100 MB, not larger, so it fails to delete files exceeding that size. Option C is wrong because `-size +100M ! -size 100M` is redundant and incorrect; `-size +100M` already excludes files exactly 100 MB, and the negation adds no benefit while potentially causing confusion. Option D is wrong because `-size +100M -size -100M` is contradictory and matches no files, as a file cannot be both larger than 100 MB and smaller than 100 MB simultaneously.

46
MCQhard

During a security audit, an administrator needs to list all TCP ports on which the system is listening, showing only the port numbers and the associated process names. Which command best achieves this?

A.netstat -tulpn
B.nmap -sT localhost
C.sudo ss -tlnp
D.lsof -i TCP:1-65535
AnswerC

Modern tool; shows listening TCP ports with process info.

Why this answer

Option C is correct because `sudo ss -tlnp` lists TCP listening sockets with numeric port numbers and process names. The `-t` flag filters for TCP, `-l` shows only listening sockets, `-n` displays numeric addresses/ports (avoiding DNS resolution), and `-p` reveals the process name. This command requires root privileges to see process information, hence `sudo`.

Exam trap

The trap here is that candidates often default to `netstat -tulpn` (Option A) because it is familiar, but Red Hat EX200 emphasizes `ss` as the modern replacement, and the question specifically asks for only TCP ports and process names, making `-u` (UDP) and the lack of `-l` (listening only) in the default `netstat` command incorrect.

How to eliminate wrong answers

Option A is wrong because `netstat -tulpn` lists both TCP and UDP sockets (due to `-u`), which is not requested, and it shows all sockets (including non-listening) unless combined with `-l`; also, `netstat` is deprecated in many distributions in favor of `ss`. Option B is wrong because `nmap -sT localhost` performs a TCP connect scan against the local host, which is an active scanning technique that may alter system state and does not simply list listening ports; it also requires root for certain scan types and does not show process names. Option D is wrong because `lsof -i TCP:1-65535` lists all open TCP file descriptors across the entire port range, which includes both listening and established connections, and it does not filter to only listening sockets without additional flags like `-sTCP:LISTEN`.

47
Multi-Selecteasy

Which TWO commands can be used to view the kernel ring buffer?

Select 2 answers
A.journalctl -f
B.dmesg
C.cat /var/log/messages
D.systemctl status
E.journalctl -k
AnswersB, E

dmesg displays the kernel ring buffer.

Why this answer

The kernel ring buffer stores kernel-related messages, such as hardware driver and boot messages. The `dmesg` command is specifically designed to print or control this buffer, making it a direct and correct tool for viewing kernel ring buffer messages.

Exam trap

The trap here is that candidates may confuse general log viewing commands (like `journalctl -f` or `cat /var/log/messages`) with the specific tools designed to read the kernel ring buffer, or forget that `journalctl -k` is the systemd-native way to access kernel messages.

48
Multi-Selectmedium

Which TWO commands can be used to view the contents of a compressed file named 'archive.tar.gz' without extracting it?

Select 2 answers
A.gzip -d archive.tar.gz
B.tar -tzf archive.tar.gz
C.gunzip -c archive.tar.gz
D.tar -xf archive.tar.gz
E.zcat archive.tar.gz | tar -t
AnswersB, E

Lists contents of tar.gz.

Why this answer

Option B is correct because `tar -tzf archive.tar.gz` lists the contents of a gzip-compressed tar archive without extracting it. The `-t` option tells tar to list the table of contents, `-z` filters the archive through gzip decompression, and `-f` specifies the archive file. This command reads the archive metadata directly without writing any files to disk.

Exam trap

The trap here is that candidates confuse decompression commands (like `gunzip -c`) with listing commands, or they assume `tar -xf` can list contents because of the `-x` (extract) flag, but `-x` always writes files unless combined with `-t` which overrides it to list mode.

49
MCQeasy

An administrator wants to gracefully terminate a process with PID 12345. Which command should be used?

A.kill -STOP 12345
B.kill -9 12345
C.kill -KILL 12345
D.kill -TERM 12345
AnswerD

SIGTERM requests graceful termination.

Why this answer

Option D is correct because `kill -TERM` (or `kill -15`) sends the SIGTERM signal, which requests a process to terminate gracefully. This allows the process to perform cleanup tasks (e.g., closing files, releasing resources) before exiting, making it the standard way to stop a process politely.

Exam trap

Red Hat often tests the distinction between signals that allow graceful termination (SIGTERM) versus those that force immediate termination (SIGKILL), and candidates frequently confuse `kill -9` as the 'standard' way to stop a process, missing the 'graceful' requirement in the question.

How to eliminate wrong answers

Option A is wrong because `kill -STOP` sends SIGSTOP, which pauses (suspends) the process rather than terminating it; the process remains in a stopped state and can be resumed with SIGCONT. Option B is wrong because `kill -9` sends SIGKILL, which forcefully terminates the process without allowing any cleanup, which is not graceful. Option C is wrong because `kill -KILL` is equivalent to `kill -9` (SIGKILL), which also forcefully kills the process and does not permit graceful shutdown.

50
Multi-Selecteasy

Which TWO commands can be used to display the current date and time in a format like '2023-10-05 14:30:00'?

Select 2 answers
A.date '+%Y-%m-%d %H:%M:%S'
B.cal
C.timedatectl
D.date -Iseconds
E.hwclock
AnswersA, D

Formats date as required.

Why this answer

Option A is correct because the `date` command with the format string `'+%Y-%m-%d %H:%M:%S'` explicitly outputs the current date and time in the requested 'YYYY-MM-DD HH:MM:SS' format. The `%Y`, `%m`, `%d`, `%H`, `%M`, and `%S` specifiers correspond to the year, month, day, hour, minute, and second respectively, giving precise control over the output.

Exam trap

Red Hat often tests the distinction between commands that display time in a raw format versus those that require explicit formatting; candidates may mistakenly choose `timedatectl` because it shows the current time, but it does not output in the exact 'YYYY-MM-DD HH:MM:SS' format without additional parsing.

51
MCQeasy

Which command displays the current working directory?

A.pwd
B.ls
C.dir
D.cd
AnswerA

pwd prints the full pathname of the current directory.

Why this answer

The `pwd` command stands for 'print working directory' and is the standard Linux/Unix command to display the absolute path of the current directory. It is part of the GNU Core Utilities and is the correct tool for this task in the Red Hat Enterprise Linux environment tested in EX200.

Exam trap

Red Hat often tests the distinction between commands that navigate (`cd`), list contents (`ls`), and display the current path (`pwd`), and candidates may confuse `cd` with `pwd` because both are commonly used together in shell navigation.

How to eliminate wrong answers

Option B is wrong because `ls` lists the contents of a directory, not the current working directory path. Option C is wrong because `dir` is a command typically used in Windows or DOS environments to list directory contents, and it is not a standard command in Linux for displaying the working directory. Option D is wrong because `cd` is used to change the current working directory, not to display it.

52
Multi-Selecteasy

Which two commands can be used to display the contents of a compressed .tar.gz archive without extracting it? (Choose two)

Select 2 answers
A.gzcat archive.tar.gz
B.less archive.tar.gz
C.tar -tzf archive.tar.gz
D.tar -tf archive.tar.gz
E.tar -xf archive.tar.gz
AnswersC, D

The -z option tells tar to use gzip decompression; -t lists contents; -f specifies the file.

Why this answer

Option C is correct because `tar -tzf` lists the contents of a gzip-compressed tar archive without extracting it. The `-t` flag tells tar to list the table of contents, `-z` handles the gzip decompression on the fly, and `-f` specifies the archive file. This is the standard way to inspect a .tar.gz file's contents without extraction.

Exam trap

Red Hat often tests the distinction between `-t` (list) and `-x` (extract), and candidates mistakenly choose `tar -xf` thinking it only displays contents, or they confuse `gzcat` with a listing tool.

53
Multi-Selecthard

Which TWO of the following are valid examples of using redirection and pipes in bash to append the output of a command to a file while also displaying it on the terminal? (Choose exactly two.)

Select 2 answers
A.command 2>&1 | tee file
B.command | tee -a file
C.command > file
D.command |& tee -a file
E.command >> file
AnswersB, D

tee -a appends to file and writes to stdout.

Why this answer

Option B is correct because `tee -a file` reads from stdin and writes both to stdout and appends to the named file. The pipe `|` sends the stdout of `command` to `tee`, so the output is displayed on the terminal and appended to `file`. The `-a` flag ensures append mode, not overwrite.

Exam trap

Red Hat often tests the distinction between `|` (stdout only) and `|&` (stdout and stderr), and the requirement for `-a` to append rather than overwrite, causing candidates to miss that option A lacks `-a` and option D correctly uses `|&` with `-a`.

54
MCQmedium

A system is experiencing high CPU usage. The administrator suspects a process is stuck in an infinite loop. Which command can be used to identify the most CPU-intensive process in real-time?

A.top
B.lsof
C.ps aux
D.strace
AnswerA

top displays real-time process activity and can sort by CPU usage.

Why this answer

The `top` command provides a real-time, dynamic view of system processes, sorted by CPU usage by default. It continuously refreshes, making it ideal for identifying the most CPU-intensive process as it runs, which directly addresses the scenario of a suspected infinite loop causing high CPU usage.

Exam trap

Red Hat often tests the distinction between real-time monitoring (`top`) and static snapshots (`ps`), where candidates mistakenly choose `ps aux` because they see CPU columns, but fail to recognize that `ps` does not refresh dynamically to catch a looping process.

How to eliminate wrong answers

Option B is wrong because `lsof` lists open files and the processes using them, but it does not show CPU usage or sort processes by CPU consumption in real-time. Option C is wrong because `ps aux` provides a static snapshot of all processes with CPU usage at the moment of execution, but it does not update in real-time to track a rapidly changing CPU-intensive process. Option D is wrong because `strace` traces system calls and signals for a specific process, but it is not designed to identify the most CPU-intensive process; it is a debugging tool for analyzing a process's behavior, not for monitoring overall system CPU usage.

55
MCQmedium

A script needs to be run at system boot for a specific user. Which method ensures the script runs with that user's environment?

A.Place the script in /etc/rc.d/rc.local
B.Add an entry to ~/.xprofile
C.Create a systemd user unit in ~/.config/systemd/user/
D.Add the script to the user's crontab with @reboot
AnswerC

User units run with the user's environment and can start at login.

Why this answer

Option C is correct because systemd user units, placed in ~/.config/systemd/user/, are executed in the user's own session context, inheriting the user's environment variables, PATH, and D-Bus session. This ensures the script runs with the specific user's environment at boot, as systemd starts the user manager (systemd --user) early in the boot process for each enabled user.

Exam trap

The trap here is that candidates often assume @reboot in crontab runs with the full user environment, but in reality cron provides a stripped-down environment (e.g., no D-Bus, no systemd user session), making it unsuitable for scripts that depend on user-specific services or graphical session variables.

How to eliminate wrong answers

Option A is wrong because /etc/rc.d/rc.local runs as root during system boot, not as a specific user, so it does not load the target user's environment (e.g., $HOME, $USER, or desktop session variables). Option B is wrong because ~/.xprofile is sourced only when the X display server starts (e.g., via a display manager), not at system boot, and it depends on a graphical session being available. Option D is wrong because @reboot in a user's crontab runs the script under the cron daemon's minimal environment, which lacks the full user session context (e.g., D-Bus, systemd user services, or graphical session variables), and cron may not start until after the user logs in.

56
MCQmedium

A user reports that they cannot use the 'systemctl' command to manage services. The user is part of the 'wheel' group. Which configuration change is required to allow this?

A.Set the 'permissive' mode for systemd via systemd.conf
B.Add the user to the 'systemd-journal' group
C.Add the user to /etc/sudoers with 'ALL ALL=(ALL) ALL'
D.Ensure /etc/polkit-1/rules.d/10-admin.rules includes an admin rule for the wheel group
AnswerD

polkit rules grant systemctl permissions to members of wheel.

Why this answer

The 'systemctl' command requires PolicyKit authorization for non-root users to manage systemd services. The correct configuration is to add a PolicyKit rule in /etc/polkit-1/rules.d/10-admin.rules that grants the 'wheel' group administrative privileges, allowing them to invoke systemctl without a password or with appropriate authentication.

Exam trap

The trap here is that candidates often confuse group membership (like 'wheel' for sudo) with direct authorization via PolicyKit, assuming being in the 'wheel' group automatically grants all administrative privileges, when in fact systemctl relies on polkit rules for non-root users.

How to eliminate wrong answers

Option A is wrong because there is no 'systemd.conf' file; systemd uses 'system.conf' and 'user.conf' for daemon configuration, and 'permissive' mode is a SELinux concept, not a systemd setting. Option B is wrong because the 'systemd-journal' group only grants access to read systemd journal logs, not to manage services with systemctl. Option C is wrong because adding the user to /etc/sudoers with 'ALL ALL=(ALL) ALL' would allow them to run any command as root via sudo, but the question specifies using 'systemctl' directly, not via sudo, and the user is already in the 'wheel' group which typically has sudo access; the issue is about direct PolicyKit authorization for systemctl.

57
MCQmedium

You are a Linux administrator. A user reports that when they log in via SSH, they see the message 'Could not chdir to home directory /home/john: No such file or directory' and are dropped into the root directory. The user's home directory does exist at /home/john but is empty. The user's entry in /etc/passwd is: 'john:x:1001:1001::/home/john:/bin/bash'. What is the most likely cause and the correct fix?

A.The home directory path in /etc/passwd has a typo. Change it to /home/john.
B.The home directory is not owned by john. Run chown john:john /home/john.
C.The home directory is missing the .bashrc file. Copy default files from /etc/skel.
D.The user's shell is invalid. Change shell to /bin/bash.
AnswerB

Correct ownership solves permission issue.

Why this answer

The error 'Could not chdir to home directory /home/john: No such file or directory' occurs even though the directory exists, because the SSH daemon (or login process) cannot access it. The most likely cause is that the home directory is not owned by the user john, so the system denies permission to change into it. Running 'chown john:john /home/john' corrects the ownership, allowing the user to enter their home directory.

Exam trap

The trap here is that candidates focus on the literal 'No such file or directory' message and assume the directory is missing or misconfigured, rather than recognizing that permission errors (due to incorrect ownership) can produce the same misleading message.

How to eliminate wrong answers

Option A is wrong because the /etc/passwd entry shows the correct path '/home/john', so there is no typo; changing it would not fix the issue. Option C is wrong because missing .bashrc or skeleton files would not cause a 'No such file or directory' error; that error is about the directory itself, not its contents. Option D is wrong because the shell '/bin/bash' is valid and present; an invalid shell would produce a different error (e.g., 'shell not found').

58
MCQmedium

An administrator needs to monitor network traffic on a specific interface in real time. Which tool is most appropriate for this task?

A.tcpdump -i eth0
B.ip -s link
C.ss -tulpn
D.nload eth0
AnswerA

Captures and displays packets on eth0 in real time.

Why this answer

tcpdump -i eth0 captures and displays packet headers in real time on the specified interface (eth0). It uses libpcap to intercept raw network frames at the data link layer, making it the standard tool for live traffic monitoring and analysis.

Exam trap

Red Hat often tests the distinction between tools that show aggregate statistics (ip -s link, nload) versus tools that capture individual packets (tcpdump), leading candidates to choose nload because it shows real-time data, but it does not show packet contents.

How to eliminate wrong answers

Option B is wrong because 'ip -s link' shows cumulative statistics (bytes, packets, errors) for interfaces, not real-time packet-by-packet traffic. Option C is wrong because 'ss -tulpn' lists current TCP/UDP sockets and listening services, not live network traffic on an interface. Option D is wrong because 'nload eth0' displays real-time bandwidth usage (in/out rates) but does not show individual packets or their contents; it is a traffic meter, not a packet capture tool.

59
MCQeasy

Refer to the exhibit. What does the file permission -rw------- indicate about /etc/shadow?

A.Root user can read, write, and execute; group and others have no access.
B.Owner can read and write; group can read; others can read.
C.Owner can read; group can read; others cannot access.
D.Only root user can read and write; others have no access.
AnswerD

The permissions are rw for owner only, no access for group or others.

Why this answer

The permission string `-rw-------` breaks down as: owner (root) has read (4) and write (2) permissions, and no execute (0); group has no permissions (---); others have no permissions (---). Since `/etc/shadow` is owned by root, only the root user can read and write the file, while all other users (including group members and others) have zero access. Option D correctly states this.

Exam trap

Red Hat often tests the misconception that `-rw-------` means the owner can execute, or that the hyphen in the execute position is easily overlooked, causing candidates to incorrectly assume execute permission is present.

How to eliminate wrong answers

Option A is wrong because the permission string shows no execute bit for the owner (the third character is `-`, not `x`), so the root user cannot execute the file; also, group and others have no access, but the statement incorrectly includes execute. Option B is wrong because it claims group and others can read, but the permission string shows `---` for both group and others, meaning no read access. Option C is wrong because it says the owner can only read, but the owner actually has both read and write permissions (the second character is `w`).

60
MCQhard

A backup script uses tar to create an archive, but the administrator wants to exclude the /tmp directory from the backup. Which tar option should be added?

A.--exclude=/tmp
B.--ignore-failed-read
C.--exclude-from=/tmp
D.-X /tmp
AnswerA

Excludes the /tmp directory.

Why this answer

Option A is correct because the `--exclude=PATTERN` option in tar tells the command to skip files or directories matching the given pattern. By specifying `--exclude=/tmp`, the tar archive will omit the /tmp directory and all its contents, which is exactly what the administrator needs for the backup script.

Exam trap

The trap here is that candidates confuse `--exclude` (which excludes a pattern) with `--exclude-from` (which reads patterns from a file), leading them to pick option C or D, thinking they can pass a directory path directly to exclude it.

How to eliminate wrong answers

Option B is wrong because `--ignore-failed-read` tells tar to continue archiving even if it cannot read a file (e.g., due to permissions), but it does not exclude any directory. Option C is wrong because `--exclude-from=FILE` reads exclusion patterns from a file, not from a directory path; using `--exclude-from=/tmp` would try to read patterns from the /tmp directory itself, which is not a valid pattern file and would cause an error. Option D is wrong because `-X /tmp` is the short form of `--exclude-from`, which again expects a file containing patterns, not a directory to exclude; it would attempt to read exclusion patterns from /tmp, not exclude the /tmp directory.

61
MCQeasy

A user reports that a script in their home directory fails to execute. The script has permissions -rw-r--r-- and is owned by the user. Which command will allow execution for the owner?

A.chmod u+r script.sh
B.chmod a+x script.sh
C.chmod u+x script.sh
D.chmod u-x script.sh
AnswerC

Adds execute for owner.

Why this answer

The script currently has permissions `-rw-r--r--`, meaning the owner has read and write but not execute. To allow the owner to execute it, you need to add the execute permission for the owner only. `chmod u+x script.sh` adds the execute bit for the user (owner) without affecting group or others, which is the precise requirement.

Exam trap

Red Hat often tests the distinction between adding execute permission for the owner only versus adding it for all users, and the trap here is that candidates might choose `a+x` (option B) thinking it is the simplest solution, but the question explicitly asks for execution for the owner.

How to eliminate wrong answers

Option A is wrong because `chmod u+r script.sh` adds read permission for the owner, but the owner already has read access; it does not add execute permission. Option B is wrong because `chmod a+x script.sh` adds execute permission for all (owner, group, and others), which is excessive and not the minimal change requested. Option D is wrong because `chmod u-x script.sh` removes execute permission from the owner, which would make the script even less executable.

62
MCQhard

An administrator wants to ensure that when a user presses Ctrl+C during a long-running script, the script cleans up temporary files before exiting. Which approach should the script use?

A.Use 'trap' to catch SIGINT and run cleanup.
B.Use 'set -o ignoreeof' to ignore Ctrl+C.
C.Run the script in the background with '&'.
D.Use 'set -e' to exit on any error.
AnswerA

Trap can execute commands on signal.

Why this answer

The `trap` command in Bash allows a script to catch signals like SIGINT (sent when Ctrl+C is pressed) and execute a custom function or command before exiting. By setting `trap cleanup SIGINT`, the script can remove temporary files or perform other cleanup actions automatically, ensuring a graceful termination.

Exam trap

Red Hat often tests the distinction between signals like SIGINT (Ctrl+C) and EOF (Ctrl+D), leading candidates to confuse `ignoreeof` with signal handling.

How to eliminate wrong answers

Option B is wrong because `set -o ignoreeof` prevents the shell from exiting on Ctrl+D (EOF), not Ctrl+C, and does not handle signal-based interruption. Option C is wrong because running a script in the background with `&` does not change how Ctrl+C affects the script; it still receives SIGINT and exits without cleanup. Option D is wrong because `set -e` causes the script to exit immediately if any command fails, but it does not catch or handle the SIGINT signal from Ctrl+C.

63
MCQeasy

A user wants to set an environment variable named 'EDITOR' to the value '/usr/bin/vim' so that it is available in all future login sessions. Which file should the user add the export command to?

A.~/.bash_logout
B.~/.bash_profile
C./etc/bashrc
D.~/.bashrc
AnswerB

Environment variables for login shells are set in ~/.bash_profile.

Why this answer

The ~/.bash_profile file is executed for login shells, making it the correct place to set environment variables like EDITOR that should persist across all future login sessions. Adding 'export EDITOR=/usr/bin/vim' to this file ensures the variable is defined each time the user logs in.

Exam trap

Red Hat often tests the distinction between login and non-login shell startup files, and the trap here is that candidates mistakenly choose ~/.bashrc because they associate it with user-specific settings, not realizing it is not sourced by login shells.

How to eliminate wrong answers

Option A is wrong because ~/.bash_logout is executed when the user logs out, not at login, so it cannot set environment variables for future sessions. Option C is wrong because /etc/bashrc is a system-wide file that affects all users and is typically sourced by non-login shells, not the appropriate per-user file for login shell environment variables. Option D is wrong because ~/.bashrc is executed for interactive non-login shells (e.g., opening a terminal in a GUI), not for login shells, so it would not guarantee the variable is set in all future login sessions.

64
MCQmedium

Refer to the exhibit. Why does the /etc/shadow file have no read permissions for any user?

A.Only root can read it, but the permissions are not displayed correctly.
B.The file is empty.
C.The file is a symbolic link.
D.The file is a character device.
AnswerA

Root can bypass permissions.

Why this answer

The /etc/shadow file stores hashed user passwords and must be readable only by root to prevent unauthorized access to password hashes. The displayed permissions (---------- 1 root root) indicate that no user, including root, has read access according to standard `ls -l` output, but this is misleading because root can always read the file regardless of permission bits due to Linux's superuser bypass (DAC override). The correct answer is A because root's ability to read the file is not reflected in the permission display, which only shows the file's mode bits.

Exam trap

Red Hat often tests the misconception that permission bits shown by `ls -l` are absolute and that root is bound by them, when in fact root can always read any file regardless of the mode.

How to eliminate wrong answers

Option B is wrong because an empty file would still show permissions (e.g., -rw-------) and a file size of 0, but the exhibit shows a non-zero file size (e.g., 1234 bytes) and the question implies the file contains password data. Option C is wrong because a symbolic link would display an 'l' as the first character in the permissions string (e.g., lrwxrwxrwx) and would point to another file, but the exhibit shows a '-' indicating a regular file. Option D is wrong because a character device would show a 'c' as the first character (e.g., crw-rw-rw-) and would have major/minor device numbers instead of a file size, but the exhibit shows a regular file with a size.

65
MCQmedium

A developer needs to search for the string 'ERROR' in all files under /var/log, but wants to exclude files ending with '.gz'. Which command is correct?

A.grep -r --exclude='*.gz' 'ERROR' /var/log
B.grep -R --exclude='*.gz' 'ERROR' /var/log
C.grep -l 'ERROR' /var/log/*.gz
D.grep -v '*.gz' -r 'ERROR' /var/log
AnswerA

Correctly excludes .gz files.

Why this answer

Option A is correct because `grep -r` performs a recursive search through all files under /var/log, and the `--exclude='*.gz'` option tells grep to skip any files matching the glob pattern '*.gz'. This combination ensures that only non-compressed log files are searched for the string 'ERROR', meeting the requirement exactly.

Exam trap

Red Hat often tests the distinction between `--exclude` (which filters files by name) and `-v` (which inverts line matches), leading candidates to mistakenly use `-v` with a glob pattern to try to exclude files.

How to eliminate wrong answers

Option B is wrong because `grep -R` is equivalent to `grep -r` in most implementations, but the key issue is that the `--exclude` pattern is incorrectly quoted with single quotes inside double quotes or vice versa; however, the primary flaw is that `-R` is not a standard grep option (it is often used for dereferencing symlinks, but the correct recursive flag is `-r`). Option C is wrong because `grep -l 'ERROR' /var/log/*.gz` only lists files matching 'ERROR' that end with '.gz', which is the opposite of what is needed (it excludes non-.gz files). Option D is wrong because `grep -v '*.gz'` treats '*.gz' as a regex pattern to invert matches on lines, not as a file exclusion pattern, and the `-r` flag is misplaced after the pattern; this command would search recursively but exclude lines containing the literal string '*.gz', not files ending with '.gz'.

66
Multi-Selectmedium

Which TWO commands can be used to display the contents of a compressed log file without decompressing it first?

Select 2 answers
A.bzless /var/log/messages.bz2
B.zcat /var/log/messages.gz
C.grep 'error' /var/log/messages.gz
D.vim /var/log/messages.gz
E.less /var/log/messages.gz
AnswersA, B

bzless can read bzip2-compressed files.

Why this answer

Option A is correct because `bzless` is a utility specifically designed to view bzip2-compressed files without decompressing them first. It decompresses the file on the fly and pipes the output to a pager, allowing you to scroll through the content. Similarly, option B is correct because `zcat` reads a gzip-compressed file and writes the decompressed data to standard output, effectively displaying the contents without permanently decompressing the file.

Exam trap

The trap here is that candidates often assume `less` or `grep` can handle compressed files natively, but they cannot; the correct approach is to use dedicated tools like `zcat`, `zless`, `bzcat`, or `bzless` that perform on-the-fly decompression.

67
MCQhard

You are a system administrator for a company running Red Hat Enterprise Linux 8. A developer reports that a script which runs daily at 2 AM is failing. The script is located at /opt/scripts/backup.sh and is owned by root. The developer says the script runs fine when executed manually with './backup.sh' from the /opt/scripts directory. The script is scheduled via a root crontab entry: '0 2 * * * /opt/scripts/backup.sh'. However, the script fails because it cannot find a configuration file located at './config.ini'. What is the most likely cause and the correct solution?

A.Cron uses a different PATH. Modify the script to use absolute paths for all files, including config.ini.
B.The configuration file is missing. Copy config.ini to /root.
C.The cron job runs as a different user. Change the cron job to run as the developer's user.
D.The script is not executable. Run chmod +x /opt/scripts/backup.sh.
AnswerA

Absolute paths resolve the working directory issue.

Why this answer

The script fails because cron jobs run with a minimal environment, including a restricted PATH that typically does not include the script's directory. When the script uses a relative path like './config.ini', the cron job's working directory is not /opt/scripts (it defaults to the user's home directory, /root for root cron), so the file is not found. The correct solution is to modify the script to use absolute paths, such as /opt/scripts/config.ini, ensuring it works regardless of the cron environment.

Exam trap

The trap here is that candidates may assume the script's working directory is the same as the script's location, but cron sets the working directory to the user's home directory, not the script's directory.

How to eliminate wrong answers

Option B is wrong because the configuration file is not missing; it exists at /opt/scripts/config.ini, but the cron job cannot find it due to the working directory mismatch. Option C is wrong because the cron job already runs as root (the same user who owns the script and can execute it manually), so changing the user would not fix the relative path issue and could introduce permission problems. Option D is wrong because the script runs fine when executed manually with './backup.sh', which proves it is already executable; the issue is not about execute permissions.

68
MCQhard

A company policy requires that all cron jobs run by non-root users must be logged to a specific file /var/log/usercron.log. The system administrator decides to use rsyslog to capture these messages. Which configuration directive should be added to /etc/rsyslog.conf or a file in /etc/rsyslog.d/ to achieve this?

A.user.* /var/log/usercron.log
B.cron.* /var/log/usercron.log
C.*.* /var/log/usercron.log
D.authpriv.* /var/log/usercron.log
AnswerB

The cron facility handles cron job messages.

Why this answer

Option B is correct because the cron facility in rsyslog captures messages generated by the cron daemon, including cron jobs run by non-root users. By adding the directive `cron.* /var/log/usercron.log` to the rsyslog configuration, all cron messages (regardless of priority) are logged to the specified file, satisfying the policy requirement.

Exam trap

The trap here is that candidates may confuse the `cron` facility with the `user` facility, mistakenly thinking user cron jobs are logged under `user.*` instead of the dedicated `cron` facility.

How to eliminate wrong answers

Option A is wrong because `user.*` captures messages from user-level processes (e.g., user applications), not from the cron daemon; cron jobs are logged under the `cron` facility, not `user`. Option C is wrong because `*.*` logs all syslog messages from every facility to the file, which is overly broad and violates the policy of logging only cron jobs; it would also clutter the log with unrelated system messages. Option D is wrong because `authpriv.*` captures authentication and security-related messages (e.g., sudo, login), not cron job logs; this would miss all cron activity.

69
MCQeasy

A user wants to run a command in the background after logging out of an SSH session. Which method ensures the process continues even after logout?

A.Run 'nohup command &' before logout
B.Run 'command', press Ctrl+Z, then type 'bg' and logout
C.Run 'command &' and then exit
D.Run 'command & disown' then logout
AnswerA

nohup ignores SIGHUP, allowing the process to continue.

Why this answer

Option A is correct because `nohup` ignores the SIGHUP signal that the shell sends to its child processes when the parent shell exits (e.g., upon logout). By running `nohup command &`, the command is placed in the background and will continue running even after the SSH session terminates, as it is immune to the hangup signal.

Exam trap

The trap here is that candidates often think `&` alone or `bg` is sufficient to keep a process running after logout, but they miss that the shell sends SIGHUP to all child processes (including background jobs) upon exit unless explicitly ignored with `nohup` or handled with `disown` in a shell that supports `huponexit` off.

How to eliminate wrong answers

Option B is wrong because suspending a job with Ctrl+Z and then resuming it in the background with `bg` does not protect the process from SIGHUP; when the shell exits, the background job will still receive SIGHUP and terminate. Option C is wrong because running `command &` alone does not prevent SIGHUP; the background job is still a child of the shell and will be killed when the shell exits. Option D is wrong because `disown` removes the job from the shell's job table, but it does not prevent the shell from sending SIGHUP to the process on logout; the process may still receive SIGHUP depending on the shell implementation (e.g., bash sends SIGHUP to disowned jobs by default unless `huponexit` is disabled).

70
MCQeasy

A system administrator needs to find all files in /var/log that have been modified in the last 2 hours. Which command should be used?

A.find /var/log -mmin -120
B.find /var/log -amin -120
C.find /var/log -mtime -0.08
D.find /var/log -cmin -120
AnswerA

Correctly finds files modified in the last 120 minutes.

Why this answer

Option A is correct because the `find` command with `-mmin -120` searches for files whose data was modified (changed content) within the last 120 minutes. This directly matches the requirement to find files modified in the last 2 hours in /var/log.

Exam trap

The trap here is confusing `-mmin` (modification time) with `-cmin` (change time) or `-amin` (access time), as candidates often misremember which flag tracks content changes versus metadata or access events.

How to eliminate wrong answers

Option B is wrong because `-amin -120` searches for files accessed (read) within the last 120 minutes, not modified. Option C is wrong because `-mtime -0.08` uses a fractional day value that is not precise for a 2-hour window; `-mtime` works in 24-hour increments and rounding can cause inaccuracies. Option D is wrong because `-cmin -120` searches for files whose status (metadata) changed within the last 120 minutes, which includes permission or ownership changes, not necessarily data modification.

71
MCQmedium

An administrator needs to compress a directory containing subdirectories and files into a single archive file, with maximum compression, and exclude all '*.tmp' files. Which command should be used?

A.tar -czvf archive.tar.gz --exclude='*.tmp' /path/to/dir
B.tar -czvf archive.tar.gz /path/to/dir --exclude='*.tmp'
C.tar -cjvf archive.tar.bz2 --exclude='*.tmp' /path/to/dir
D.tar -czvf archive.tar.gz /path/to/dir
AnswerA

Max compression with gzip (z), exclude pattern works.

Why this answer

Option A is correct because it uses `tar -czvf` to create a gzip-compressed archive with maximum compression (the `z` flag invokes gzip, which by default uses level 6; for maximum compression you would add `--gzip --level=9` or use `GZIP=-9`, but the question's 'maximum compression' is a common phrasing for gzip). The `--exclude='*.tmp'` option is placed before the source directory, which is the correct syntax for tar to apply the exclusion pattern to all files during archiving. This command compresses the directory into a single `.tar.gz` file while omitting all temporary files.

Exam trap

Red Hat often tests the positional requirement of `--exclude` relative to the source path — many candidates incorrectly place the exclude pattern after the directory, assuming tar will still apply it, but tar only honors exclusions that appear before the source argument.

How to eliminate wrong answers

Option B is wrong because the `--exclude` option is placed after the source directory `/path/to/dir`, which causes tar to ignore the exclusion pattern — tar processes positional arguments in order, and the exclude pattern must precede the source path to take effect. Option C is wrong because it uses `-j` for bzip2 compression instead of `-z` for gzip; while bzip2 can achieve higher compression ratios, the question specifies 'maximum compression' in the context of the commonly used gzip format, and the output file extension `.tar.bz2` does not match the expected `.tar.gz` archive. Option D is wrong because it omits the `--exclude='*.tmp'` option entirely, so all `*.tmp` files will be included in the archive, failing the requirement to exclude them.

72
MCQhard

Refer to the exhibit. The backup script runs every 5 minutes but generates errors. What is the most likely cause?

A.The script is owned by root.
B.The cron daemon is not running.
C.The script uses absolute paths.
D.The script is not executable.
AnswerD

The file permissions are 644, missing the execute bit (x). cron will attempt to run it but fail with permission denied.

Why this answer

The cron job fails because the script lacks execute permissions. Cron requires that scripts specified in crontab entries have the executable bit set (chmod +x) for the user under whose crontab the job runs. Without this, the cron daemon cannot spawn the script as a process, resulting in errors.

Exam trap

Red Hat often tests the distinction between file ownership and file permissions, where candidates mistakenly assume root ownership is the problem, but the actual issue is the missing executable bit that cron strictly enforces.

How to eliminate wrong answers

Option A is wrong because ownership by root does not prevent a script from executing; root ownership is common and cron can run root-owned scripts if the crontab belongs to root or the script has appropriate permissions. Option B is wrong because if the cron daemon were not running, no cron jobs would execute at all, not just this one script — the question states the script runs but generates errors, implying the daemon is active. Option C is wrong because using absolute paths is actually a best practice in cron scripts to avoid PATH issues; absolute paths do not cause execution errors.

73
MCQeasy

An administrator wants to edit a configuration file and ensure only the intended changes are saved. Which practice is recommended?

A.Copy the file to a temporary location, edit, and then overwrite
B.Use 'ls -l' to check the file size before and after editing
C.Edit the file in place with a backup using 'sed -i.bak'
D.Use 'git' to track changes and commit after editing
AnswerD

Git provides a history of changes and allows reverting.

Why this answer

Option D is correct because using 'git' to track changes and commit after editing provides a version control system that allows you to review, stage, and commit only the intended modifications. This ensures that unintended changes are not saved, as you can use 'git diff' to verify changes before committing and 'git checkout' to revert unwanted edits. Git is a standard tool for configuration management in Red Hat Enterprise Linux environments, aligning with the EX200 objective of using essential tools for system administration.

Exam trap

Red Hat often tests the misconception that creating a backup file (e.g., with 'sed -i.bak') is sufficient to ensure only intended changes are saved, but this ignores the need for a review and staging process that version control systems like Git provide.

How to eliminate wrong answers

Option A is wrong because copying the file to a temporary location, editing, and then overwriting does not provide a mechanism to verify that only intended changes are saved; it risks overwriting the original file with unintended modifications if the edit is not carefully reviewed. Option B is wrong because using 'ls -l' to check file size before and after editing only reveals size changes, not the content or correctness of edits, and cannot prevent unintended changes from being saved. Option C is wrong because 'sed -i.bak' creates a backup but edits the file in place without any staging or review step, so unintended changes are immediately written to the file and the backup only preserves the original state, not a way to selectively save intended changes.

74
Multi-Selectmedium

Which three of the following are valid methods to view the manual page for the 'ls' command? (Choose three)

Select 3 answers
A.help ls
B.man ls
C.whatis ls
D.info ls
E.ls --help
AnswersB, D, E

The man command displays the manual page for ls.

Why this answer

Option B is correct because the 'man' command is the primary method for viewing manual pages in Linux. Running 'man ls' displays the full manual page for the 'ls' command, including its description, options, and usage details.

Exam trap

Red Hat often tests the distinction between commands that provide full manual pages ('man', 'info') versus those that give brief summaries ('--help', 'whatis'), and the trap here is that candidates may mistakenly think 'help' or 'whatis' are valid methods for viewing the full manual page.

Ready to test yourself?

Try a timed practice session using only Essential Tools questions.