- In Linux, what is the purpose of the 'chroot' command?
- To change the root user's password
- To modify file permissions
- To change the root directory of the current running process
- To check disk space usage
Correct answer: To change the root directory of the current running process
Correct answer: To change the root directory of the current running process. Explanation: The 'chroot' command in Linux is used to change the root directory of the current running process and its children to a new location in the filesystem. This is often used for system maintenance and to create a sandbox environment for testing.
- Which command is used to update the package database in a Debian-based system?
- Yum update
- Apt-get update
- Rpm -u
- Dnf refresh
Correct answer: Apt-get update
Correct answer: apt-get update. Explanation: On Debian-based systems, the 'apt-get update' command is used to update the package database. This command refreshes the list of available packages and their versions, but it does not install or upgrade any packages.
- In Linux, what is the purpose of the 'nohup' command?
- To give highest priority to a process
- To prevent a process from being stopped upon logout
- To change the ownership of a file
- To schedule a process to run at a later time
Correct answer: To prevent a process from being stopped upon logout
Correct answer: To prevent a process from being stopped upon logout. Explanation: The 'nohup' command in Linux is used to run a command that will not stop when the user logs out. It prevents the process from receiving the SIGHUP (hangup signal), allowing it to continue running in the background.
- Which file in Linux contains system-wide environment variables?
- /etc/bashrc
- /etc/environment
- /etc/profile
- ~/.bash_profile
Correct answer: /etc/environment
Correct answer: /etc/environment. Explanation: The /etc/environment file in Linux is used for setting system-wide environment variables. Unlike shell-specific files like /etc/bashrc or /etc/profile, it is not a script but a simple list of variable assignments.
- How is a Kernel module loaded manually in Linux?
- Using the 'modprobe' command
- Editing the /etc/modules file
- Using the 'insmod' command
- Editing the /boot/grub/grub.cfg file
Correct answer: Using the 'insmod' command
Correct answer: Using the 'insmod' command. Explanation: The 'insmod' command is used to load a Kernel module manually in Linux. While 'modprobe' can also load modules, 'insmod' is the direct method that doesn't check dependencies.
- In Linux, what is the primary function of the 'systemd' system and service manager?
- To manage user permissions and groups
- To control the startup and management of services and daemons
- To monitor system performance
- To configure network settings
Correct answer: To control the startup and management of services and daemons
Correct answer: To control the startup and management of services and daemons. Explanation: The primary function of the 'systemd' system and service manager in Linux is to control the startup and management of services and daemons, replacing traditional init scripts.
- In Linux, what is the effect of setting the sticky bit on a directory?
- Files within the directory cannot be deleted by non-owners
- The directory permissions are inherited by all files within it
- Files in the directory are kept in the swap space for quick access
- The directory is set to be unmodifiable by non-root users
Correct answer: Files within the directory cannot be deleted by non-owners
Correct answer: Files within the directory cannot be deleted by non-owners. Explanation: Setting the sticky bit on a directory in Linux means that files within that directory can only be renamed or deleted by the file's owner, the directory's owner, or the root user, regardless of the directory's other permissions.
- Which command in Linux is used to display the status of a RAID array?
- Mdadm --detail
- Raidctl -s
- Lshw -class disk
- Fdisk -l
Correct answer: Mdadm --detail
Correct answer: mdadm --detail. Explanation: The 'mdadm --detail' command in Linux is used to display detailed information about a RAID array, including its status, components, and configuration.
- What is the purpose of the 'tar' command in Linux?
- To trace network packets
- To modify file timestamps
- To create or extract archived files
- To display disk usage
Correct answer: To create or extract archived files
Correct answer: To create or extract archived files. Explanation: The 'tar' (tape archive) command in Linux is used to create or extract archived files, commonly known as tarballs. It is a widely used method for bundling multiple files into a single archive file.
- In Linux, which file should be edited to change the system's hostname permanently?
- /etc/hostname
- /etc/hosts
- /etc/network/interfaces
- /etc/sysconfig/network
Correct answer: /etc/hostname
Correct answer: /etc/hostname. Explanation: The /etc/hostname file in Linux is used to set the system's hostname permanently. Changing this file and rebooting the system will update the hostname.
- What does the 'lsof' command do in Linux?
- Lists open files and the processes that opened them
- Displays detailed information about the CPU
- Lists the open network ports and associated processes
- Shows the log files currently being written to
Correct answer: Lists open files and the processes that opened them
Correct answer: Lists open files and the processes that opened them. Explanation: The 'lsof' (list open files) command in Linux is used to list open files and the processes that opened them. This is useful for troubleshooting and system monitoring purposes.
- What is the primary function of the 'iptables' command in Linux?
- Managing the system's IP addresses
- Configuring network interfaces
- Setting up and managing firewall rules
- Monitoring network traffic
Correct answer: Setting up and managing firewall rules
Correct answer: Setting up and managing firewall rules. Explanation: The 'iptables' command in Linux is used for setting up, maintaining, and inspecting the tables of IP packet filter rules in the Linux kernel. It is essentially used for configuring firewall rules.
- Which Linux command is used to view the kernel's message buffer?
- Dmesg
- Syslog
- Kernlog
- Tail /var/log/messages
Correct answer: Dmesg
Correct answer: dmesg. Explanation: The 'dmesg' command in Linux is used to examine or control the kernel ring buffer. It displays the kernel's message buffer, which includes messages related to hardware devices, drivers, and system initialization.
- In Linux, what is the primary purpose of the '/etc/fstab' file?
- To configure network interfaces
- To set system environment variables
- To store filesystem mount information
- To manage user accounts and passwords
Correct answer: To store filesystem mount information
Correct answer: To store filesystem mount information. Explanation: The '/etc/fstab' file in Linux is used to store information about filesystems. It lists all available disks and disk partitions and their associated mount points, and is used by the 'mount' command to mount filesystems at system startup.
- Which command is used to modify the priority of a running process in Linux?
Correct answer: Renice
Correct answer: renice. Explanation: The 'renice' command in Linux is used to modify the priority (nice value) of one or more running processes. This command allows the user to adjust the scheduling priority of a process after it has started.
- In Linux, what is the function of the '/var' directory?
- It contains variable data like log files and mail spools
- It stores system configuration files
- It holds user-specific application settings and files
- It contains the static binary files essential for booting the system
Correct answer: It contains variable data like log files and mail spools
Correct answer: It contains variable data like log files and mail spools. Explanation: The '/var' directory in Linux is used to store variable data, such as log files, mail spools, and other data that changes frequently. It is a key part of the filesystem hierarchy for storing dynamic data.
- In Linux, what is the function of the 'crontab' command?
- To monitor system performance
- To schedule automated tasks
- To change file permissions
- To configure network settings
Correct answer: To schedule automated tasks
Correct answer: To schedule automated tasks. Explanation: The 'crontab' command in Linux is used to schedule automated tasks at specific times. It allows users to run scripts or commands at regular intervals, defined in a crontab file.
- Which command in Linux is used to display the current Linux Kernel version?
- Uname -r
- Lsb_release -a
- Kernel -v
- Cat /proc/version
Correct answer: Uname -r
Correct answer: uname -r. Explanation: The 'uname -r' command in Linux displays the current Linux Kernel version running on the system. This command provides information about the Kernel release.
- What is the primary purpose of the '/boot' directory in a Linux system?
- To store user login and authentication files
- To contain files required for system booting, including the kernel
- To hold application-specific configuration files
- To store temporary files during system operation
Correct answer: To contain files required for system booting, including the kernel
Correct answer: To contain files required for system booting, including the kernel. Explanation: The '/boot' directory in a Linux system contains files required for booting, including the Linux kernel, initial RAM disk image, and the bootloader configuration file (like GRUB).
- In Linux, what is the purpose of the 'useradd' command?
- To create a new user account
- To add a user to a group
- To display user information
- To modify user privileges
Correct answer: To create a new user account
Correct answer: To create a new user account. Explanation: The 'useradd' command in Linux is used to create a new user account. It allows administrators to add new users to the system with default or specified configurations.
- How is the 'rsync' command primarily used in Linux?
- For system backup and file synchronization
- For remote system monitoring
- For managing user permissions
- For network configuration
Correct answer: For system backup and file synchronization
Correct answer: For system backup and file synchronization. Explanation: The 'rsync' command in Linux is primarily used for system backup and file synchronization. It enables efficient transfer and synchronization of files between different systems or locations.
- Which Linux command is used to assign an owner to a file?
Correct answer: Chown
Correct answer: chown. Explanation: The 'chown' command in Linux is used to change the ownership of a file or directory. It assigns a new user and/or group owner to a file or directory.
- In Linux, what is the function of the '/etc/sysctl.conf' file?
- To configure the system's time zone
- To manage user accounts and groups
- To configure kernel parameters at runtime
- To store network configuration settings
Correct answer: To configure kernel parameters at runtime
Correct answer: To configure kernel parameters at runtime. Explanation: The '/etc/sysctl.conf' file in Linux is used to configure kernel parameters at runtime. It allows administrators to set various system-level parameters and preferences that are applied when the system is booted.
- What is the primary use of the 'iptables-save' command in Linux?
- To back up current iptables configuration
- To restore iptables configuration from a file
- To monitor live iptables traffic
- To reset iptables rules
Correct answer: To back up current iptables configuration
Correct answer: To back up current iptables configuration. Explanation: The 'iptables-save' command in Linux is used to output the current iptables configuration. This output can be redirected to a file, serving as a backup for the iptables rules.
- Which command in Linux is used to display the current SELinux security context?
- Getenforce
- Sestatus
- Ls -Z
- Selinuxconfig
Correct answer: Ls -Z
Correct answer: ls -Z. Explanation: The 'ls -Z' command in Linux is used to display the SELinux security context of files and directories. It adds a field to the traditional 'ls' output showing the SELinux security context.
- In Linux, what is the main function of the 'cron' daemon?
- Monitoring system logs
- Managing background services
- Scheduling tasks to run at regular intervals
- Handling user authentication requests
Correct answer: Scheduling tasks to run at regular intervals
Correct answer: Scheduling tasks to run at regular intervals. Explanation: The 'cron' daemon in Linux is used for scheduling tasks to run at specific times or regular intervals. It reads the crontab (cron table) files for predefined jobs and scripts.
- Which file in Linux should be edited to permanently set system-wide environmental variables?
- /etc/bash.bashrc
- /etc/environment
- ~/.bashrc
- /etc/profile
Correct answer: /etc/environment
Correct answer: /etc/environment. Explanation: The /etc/environment file in Linux is used to set system-wide environmental variables. Unlike shell-specific initialization files, it provides a system-wide environment for all processes.
- What is the primary use of the 'usermod' command in Linux?
- To create a new user
- To delete a user account
- To modify user account properties
- To switch the current user account
Correct answer: To modify user account properties
Correct answer: To modify user account properties. Explanation: The 'usermod' command in Linux is used to modify user account properties, such as changing the username, home directory, or adding the user to additional groups.
- In Linux, what is the purpose of the '/boot' directory?
- To store temporary files for boot process
- To contain system log files
- To house kernel images and boot loader files
- To store user-specific application settings
Correct answer: To house kernel images and boot loader files
Correct answer: To house kernel images and boot loader files. Explanation: The '/boot' directory in Linux is used to store the kernel images and boot loader files. It contains the essential files needed to boot the system.
- Which Linux command is used to change the default runlevel of the system?
- Init
- Runlevel
- Systemctl set-default
- Update-rc.d
Correct answer: Systemctl set-default
Correct answer: systemctl set-default. Explanation: The 'systemctl set-default' command in Linux is used to change the default runlevel (or target) of the system. This command is part of the systemd suite, which is used in many modern Linux distributions.
- In the context of Linux file permissions, what is the effect of setting a sticky bit on a directory?
- It allows users to execute files even if they do not have execute permission.
- It prevents users from deleting files they do not own.
- It sets the directory to be only accessible by the root user.
- It encrypts the contents of the directory.
Correct answer: It prevents users from deleting files they do not own.
Correct answer: It prevents users from deleting files they do not own. Explanation: Setting a sticky bit on a directory in Linux (often seen in /tmp) means that even if users have write permission to the directory, they can only delete or rename files that they own. This is crucial for directories where many users have write access but should not interfere with each other's files.
- Which command in Linux is used to verify the integrity of files and detect unauthorized changes, especially for system binaries and configuration files?
- Chattr
- Md5sum
- Tripwire
- Lsattr
Correct answer: Tripwire
Correct answer: tripwire. Explanation: Tripwire is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. It's commonly used to check the integrity of key files and directories, detecting changes that might indicate a security breach.
- In Linux, which type of encryption is used by the cryptsetup command when setting up disk encryption?
Correct answer: AES
Correct answer: AES. Explanation: The cryptsetup command in Linux typically uses the Advanced Encryption Standard (AES) for disk encryption. AES is a symmetric key algorithm widely recognized for its speed and security, making it a standard choice for disk encryption.
- What is the primary function of AppArmor in Linux?
- Network packet filtering
- Managing user privileges
- Enforcing mandatory access controls on programs
- Auditing system logs
Correct answer: Enforcing mandatory access controls on programs
Correct answer: Enforcing mandatory access controls on programs. Explanation: AppArmor (Application Armor) in Linux is a security module that helps in enforcing mandatory access controls on programs. It restricts programs' capabilities with per-program profiles, limiting what files and operations they can access.
- Which Linux command is used to change the password expiry information for a user account?
- Passwd
- Usermod
- Chage
- Useradd
Correct answer: Chage
Correct answer: chage. Explanation: The chage command in Linux is used to change the user password expiry information. It allows administrators to set password aging policies, such as expiry date, warning days, and inactive periods for user accounts.
- In Linux, what is the purpose of the sshd_config file?
- To configure system logging
- To manage network interfaces
- To configure the SSH daemon settings
- To set up firewall rules
Correct answer: To configure the SSH daemon settings
Correct answer: To configure the SSH daemon settings. Explanation: The sshd_config file in Linux is the configuration file for the SSH daemon. It contains various settings that dictate how the SSH server behaves, including port number, login permissions, and security options.
- What is the primary purpose of the iptables command in Linux?
- Managing system services
- Configuring network interfaces
- Setting up network packet filtering rules
- Monitoring network traffic
Correct answer: Setting up network packet filtering rules
Correct answer: Setting up network packet filtering rules. Explanation: The iptables command in Linux is used for setting up, maintaining, and inspecting the tables of IP packet filter rules in the Linux kernel. It allows for configuring network packet filtering rules, which is fundamental for network security.
- Which command is used in Linux to generate key pairs for SSH?
- Ssh-keygen
- Ssh-agent
- Ssh-add
- Sshd
Correct answer: Ssh-keygen
Correct answer: ssh-keygen. Explanation: The ssh-keygen command in Linux is used to create RSA or DSA key pairs used for SSH authentication. It is fundamental for setting up key-based secure SSH logins, enhancing security by eliminating the need for password-based logins.
- In Linux, which file stores the local system's trusted CA (Certificate Authority) certificates?
- /etc/ssl/certs/ca-certificates.crt
- /etc/ssh/ssh_known_hosts
- /etc/pki/tls/certs/ca-bundle.crt
- /home/user/.ssh/authorized_keys
Correct answer: /etc/ssl/certs/ca-certificates.crt
Correct answer: /etc/ssl/certs/ca-certificates.crt. Explanation: In Linux, the /etc/ssl/certs/ca-certificates.crt file commonly stores the trusted CA certificates. This file is used by various applications to verify the authenticity of SSL/TLS certificates.
- What is the primary purpose of the fail2ban service in a Linux environment?
- To back up system data
- To manage user accounts
- To monitor and block suspicious login attempts
- To update software packages
Correct answer: To monitor and block suspicious login attempts
Correct answer: To monitor and block suspicious login attempts. Explanation: fail2ban is a daemon that monitors log files (such as those for SSH) and temporarily or persistently bans IPs that show the malicious signs of too many password failures. It's an effective tool for protecting against brute-force attacks.
- Which Linux command is used for verifying the digital signatures of packages before installation?
Correct answer: Gpg
Correct answer: gpg. Explanation: The gpg (GNU Privacy Guard) command in Linux is used for encryption and signing data and communications. It is often utilized to verify digital signatures of packages, ensuring their integrity and authenticity before installation.
- In Linux, which file controls the automatic mounting of filesystems at boot?
- /etc/fstab
- /boot/grub/grub.cfg
- /etc/mtab
- /etc/rc.local
Correct answer: /etc/fstab
Correct answer: /etc/fstab. Explanation: The /etc/fstab file in Linux is used to define how disk partitions, various other block devices, or remote filesystems should be mounted into the filesystem. It is crucial for the automatic mounting of filesystems at system startup.
- Which SELinux mode operates by logging actions that would have been denied in enforcing mode, but not actually preventing them?
- Disabled
- Permissive
- Enforcing
- Logging
Correct answer: Permissive
Correct answer: Permissive. Explanation: In SELinux permissive mode, policy violations are logged as if they would be in enforcing mode, but the actions are not actually denied. This mode is useful for debugging and auditing system behavior without enforcing policy restrictions.
- What is the purpose of the chroot command in a Linux environment?
- Changing the root user's password
- Modifying the root directory for a process
- Checking disk space usage
- Rotating system logs
Correct answer: Modifying the root directory for a process
Correct answer: Modifying the root directory for a process. Explanation: The chroot command in Linux changes the root directory for a process. It effectively isolates the process by limiting its view of the filesystem to a specific directory, enhancing security by restricting the process's access.
- In Linux, what is the main function of the auditd daemon?
- Managing user authentication
- Monitoring and logging system events
- Configuring network interfaces
- Synchronizing system time
Correct answer: Monitoring and logging system events
Correct answer: Monitoring and logging system events. Explanation: The auditd daemon in Linux is part of the Linux Auditing System, responsible for monitoring and logging system events, particularly those that have security implications. This logging is crucial for system security auditing and compliance.
- Which command in Linux is specifically used to update the user's password expiry information?
- Passwd
- Usermod
- Chpasswd
- Chage
Correct answer: Chage
Correct answer: chage. Explanation: The chage command in Linux is used to change user password expiry information. This command allows administrators to enforce password aging policies by setting expiry dates, warning days, and inactive periods for user accounts.
- In the context of Linux security, what does Mandatory Access Control MAC primarily focus on?
- User-based permissions
- Discretionary access by the file owner
- System-enforced security policies
- Network access control
Correct answer: System-enforced security policies
Correct answer: System-enforced security policies. Explanation: Mandatory Access Control MAC in Linux focuses on system-enforced security policies, where the operating system restricts the ability to read and write to files and directories based on security labels. Unlike Discretionary Access Control DAC, MAC is not based on user identity alone.
- What is the primary purpose of the tcpdump tool in Linux?
- Monitoring network traffic
- Managing TCP/IP settings
- Configuring firewall rules
- Testing network connectivity
Correct answer: Monitoring network traffic
Correct answer: Monitoring network traffic. Explanation: tcpdump is a powerful command-line packet analyzer in Linux. Its primary purpose is to capture and display the TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
- In Linux, which tool is used for creating and managing encrypted directories for storing sensitive data?
Correct answer: EncFS
Correct answer: EncFS. Explanation: EncFS provides an encrypted filesystem in user-space. It's used to encrypt and decrypt directories, as well as the files within them, making it a useful tool for storing sensitive data securely.
- Which command is used to modify the SELinux context of a file or directory in Linux?
- Setsebool
- Chcon
- Semanage
- Restorecon
Correct answer: Chcon
Correct answer: chcon. Explanation: The chcon command in Linux is used to change the SELinux security context of a file or directory. It's a crucial command for managing and fixing SELinux contexts, directly affecting file access permissions under SELinux policy.
- What is the primary role of the Linux PAM (Pluggable Authentication Modules) system?
- Managing network connections
- Integrating multiple low-level authentication schemes
- Encrypting data transmissions
- Logging system events
Correct answer: Integrating multiple low-level authentication schemes
Correct answer: Integrating multiple low-level authentication schemes. Explanation: PAM (Pluggable Authentication Modules) in Linux provides a way to develop programs that are independent of authentication scheme. It integrates multiple authentication technologies such as LDAP, Kerberos, and others into a single, unified interface.
- In Linux, which tool is used for scanning system logs and alerting based on predefined rules?
- Logwatch
- Syslog
- Fail2ban
- Auditd
Correct answer: Logwatch
Correct answer: logwatch. Explanation: Logwatch is a customizable log analysis system. It scans through your system's logs for a given period of time and creates a report analyzing areas that you specify, based on predefined rules.
- Which Linux command is used to set or view user quotas for disk space usage?
Correct answer: Quota
Correct answer: quota. Explanation: The quota command in Linux is used for monitoring and controlling disk space usage per user or group basis. It allows administrators to set limits on the amount of disk space and inodes a user or group can use.
- In Linux, which command is used to display SELinux security context of files?
- Ls -Z
- Seinfo
- Getsebool
- Ps -Z
Correct answer: Ls -Z
Correct answer: ls -Z. Explanation: The ls -Z command in Linux shows the SELinux security context of files and directories. This context includes user, role, type, and level, which are crucial for determining access permissions under SELinux policy.
- Which feature in Linux allows for the execution of a program with the temporary privilege elevation of the executing user?
Correct answer: Setuid
Correct answer: setuid. Explanation: The setuid (set user ID) feature in Linux allows users to execute a program with the privileges of the program's owner. This is crucial for programs that require higher privileges than those possessed by the current user.
- What does the umask command do in a Linux environment?
- Sets user permissions for new files and directories
- Manages user passwords
- Configures network interfaces
- Monitors system performance
Correct answer: Sets user permissions for new files and directories
Correct answer: Sets user permissions for new files and directories. Explanation: The umask (user mask) command in Linux sets the default file permission or base permissions given when a new file or directory is created. It is an essential part of Linux file permission management.
- Which Linux command is used to add new rules to the existing iptables configuration?
- Iptables -A
- Iptables -C
- Iptables -R
- Iptables -P
Correct answer: Iptables -A
Correct answer: iptables -A. Explanation: The iptables -A command in Linux is used to append one or more rules to the end of the selected chain. This is a fundamental aspect of managing firewall rules and network packet filtering in Linux.
- In Linux, what is the primary purpose of the ldd command?
- Listing the shared libraries required by a program
- Displaying disk usage
- Managing dynamic link editing
- Viewing active network connections
Correct answer: Listing the shared libraries required by a program
Correct answer: Listing the shared libraries required by a program. Explanation: The ldd command in Linux prints the shared libraries required by each program or shared library passed as an argument. This is important for debugging dependencies and ensuring that the necessary libraries are available for programs to run.
- Which type of firewall filtering technique inspects incoming network packets based on the state of the connection?
- Packet filtering
- Stateful inspection
- Proxy filtering
- Application-level gateway
Correct answer: Stateful inspection
Correct answer: Stateful inspection. Explanation: Stateful inspection, in the context of firewalls, refers to the capability of the firewall to not only inspect incoming and outgoing network packets but also keep track of the state of active connections. This allows for more sophisticated decision-making based on the context of the packets.
- In Linux, what does the getfacl command display?
- Filesystem access control lists
- Current firewall rules
- System file attributes
- Active network connections
Correct answer: Filesystem access control lists
Correct answer: Filesystem access control lists. Explanation: The getfacl command in Linux displays the access control lists (ACLs) of files or directories. ACLs provide a more fine-grained permission mechanism than the traditional read/write/execute permissions.
- Which command in Linux is used to update the Access Control Lists (ACLs) of a file or directory?
Correct answer: Setfacl
Correct answer: setfacl. Explanation: The setfacl command is used to modify the Access Control Lists (ACLs) of a file or directory in Linux. ACLs allow for more fine-grained access control beyond the standard file permissions.
- What is the primary function of the rkhunter tool in Linux?
- Managing network interfaces
- Monitoring system performance
- Scanning for rootkits and other malicious software
- Configuring system logging
Correct answer: Scanning for rootkits and other malicious software
Correct answer: Scanning for rootkits and other malicious software. Explanation: rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors, and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux.
- In a Bash script, which statement is used to terminate a loop when a certain condition is met?
Correct answer: Break
Correct answer: break. Explanation: The break statement in a Bash script is used to exit the current loop before its normal ending. This is particularly useful when you want to terminate the loop based on a specific condition being met inside the loop.
- In Bash scripting, what is the purpose of the trap command?
- To debug the script
- To catch and handle signals and other system events
- To pause the execution of the script
- To create a function
Correct answer: To catch and handle signals and other system events
Correct answer: To catch and handle signals and other system events. Explanation: The trap command in Bash scripting is used to catch and handle signals and other system events. It allows a script to execute a command or a set of commands when a signal is received, enhancing the control over script execution.
- Which YAML key in a Docker Compose file specifies the custom build context for a service?
- Image
- Build
- Context
- Dockerfile
Correct answer: Build
Correct answer: build. Explanation: In a Docker Compose file, the build key is used to specify custom build context for a service. It can include context (the path to the build context), dockerfile (the path to the Dockerfile), and other configuration parameters.
- In a Linux environment, what is the primary use of Ansible?
- Version control
- Network monitoring
- Configuration management and automation
- Data encryption
Correct answer: Configuration management and automation
Correct answer: Configuration management and automation. Explanation: Ansible is an open-source tool primarily used for configuration management and automation. It automates software provisioning, configuration management, and application deployment, simplifying complex IT tasks.
- When writing a shell script, what is the purpose of the shebang (#!) at the start of the script?
- To comment out the first line
- To specify the interpreter to be used to execute the script
- To set environment variables for the script
- To add a delay to the script execution
Correct answer: To specify the interpreter to be used to execute the script
Correct answer: To specify the interpreter to be used to execute the script. Explanation: The shebang (#!) at the beginning of a shell script specifies the interpreter that should be used to execute the script. This line directs the system to the interpreter path which can be Bash, Python, Perl, or any other scripting language.
- Which command in a Linux shell script is used to iterate over a series of values?
Correct answer: For
Correct answer: for. Explanation: The for command in a shell script is used to iterate over a series of values. It's commonly used in loops to repeatedly execute a block of commands for each item in a list or range.
- In Docker, what is the main purpose of a 'volume'?
- To increase the container's processing power
- To store and manage configuration files
- To persist data generated by and used by Docker containers
- To optimize container networking
Correct answer: To persist data generated by and used by Docker containers
Correct answer: To persist data generated by and used by Docker containers. Explanation: In Docker, a 'volume' is used to persist data generated by and used by Docker containers. Unlike data in container layers, which are ephemeral, volumes are designed to persist data, independent of the container's life cycle.
- What is the main purpose of the kubectl command in a Kubernetes environment?
- To manage Docker containers
- To encrypt data transmissions
- To control Kubernetes clusters
- To compile source code into binaries
Correct answer: To control Kubernetes clusters
Correct answer: To control Kubernetes clusters. Explanation: kubectl is a command-line tool that allows you to run commands against Kubernetes clusters. It is used for deploying applications, inspecting and managing cluster resources, and viewing logs.
- In Linux scripting, what does the $$ variable represent?
- The total number of arguments passed to the script
- The exit status of the last executed command
- The process ID of the current script
- The number of lines in the script
Correct answer: The process ID of the current script
Correct answer: The process ID of the current script. Explanation: In Linux scripting, the $$ variable is a special variable that holds the process ID (PID) of the script currently being executed. This can be useful for tracking or differentiating instances of the script.
- In Bash scripting, what does the set -e command do?
- Enables extended globbing
- Sets the script to exit on first error
- Exports environment variables
- Enables echo of each command
Correct answer: Sets the script to exit on first error
Correct answer: Sets the script to exit on first error. Explanation: The set -e command in Bash scripting instructs the script to exit immediately if any command it runs exits with a non-zero status (indicating failure). This is useful for robust error handling in scripts.
- Which file in a Git repository specifies intentionally untracked files to ignore?
- .gitignore
- .gitconfig
- .gitkeep
- .gitattributes
Correct answer: .gitignore
Correct answer: .gitignore. Explanation: The .gitignore file in a Git repository is used to specify intentionally untracked files that Git should ignore. Files already tracked by Git are not affected by this file.
- What is the purpose of the cron daemon in Linux?
- Monitoring system logs
- Managing user permissions
- Scheduling tasks to run at regular intervals
- Handling email services
Correct answer: Scheduling tasks to run at regular intervals
Correct answer: Scheduling tasks to run at regular intervals. Explanation: The cron daemon in Linux is used for scheduling tasks to run at specific times or regular intervals. It is widely used for system maintenance tasks, backups, and other recurring jobs.
- In a Dockerfile, what does the CMD instruction do?
- Specifies the command to execute when the container starts
- Compiles the application source code
- Defines environment variables
- Installs software packages
Correct answer: Specifies the command to execute when the container starts
Correct answer: Specifies the command to execute when the container starts. Explanation: The CMD instruction in a Dockerfile specifies the command that will be executed when a Docker container starts. It provides defaults for executing a container and can be overridden from the command line when the container is run.
- In Bash scripting, what does the $? variable represent?
- The process ID of the current script
- The exit status of the last executed command
- The number of arguments passed to the script
- The script's current working directory
Correct answer: The exit status of the last executed command
Correct answer: The exit status of the last executed command. Explanation: In Bash scripting, the $? variable holds the exit status of the most recently executed command. An exit status of 0 typically indicates success, while any non-zero status indicates an error or issue.
- Which Kubernetes object is used to manage a set of identical pods ensuring that a specified number of them are running at any given time?
- Service
- Deployment
- Pod
- Volume
Correct answer: Deployment
Correct answer: Deployment. Explanation: In Kubernetes, a Deployment provides declarative updates for Pods and ReplicaSets. It ensures that a specified number of identical pods are running at any given time, facilitating scaling, rollouts, and rollbacks.
- What is the primary use of the awk command in Linux scripting?
- Searching text files for patterns
- Automated network configuration
- Text processing and data extraction
- Managing disk usage
Correct answer: Text processing and data extraction
Correct answer: Text processing and data extraction. Explanation: The awk command in Linux scripting is a powerful text processing tool. It is used for data extraction and reporting from text files, particularly useful for manipulating data and generating reports.
- In the context of Git, what does the rebase command do?
- Combines multiple commit histories
- Clones a repository
- Reverts previous commits
- Creates a new branch
Correct answer: Combines multiple commit histories
Correct answer: Combines multiple commit histories. Explanation: The rebase command in Git is used to combine multiple commit histories into a single history. It's often used to keep a clean and linear project history by integrating changes from one branch into another.
- What is the main function of a Makefile in software development?
- Defining system dependencies
- Managing user access controls
- Defining rules for compiling and linking a program
- Encrypting sensitive data
Correct answer: Defining rules for compiling and linking a program
Correct answer: Defining rules for compiling and linking a program. Explanation: A Makefile is used in software development to define rules for compiling and linking a program. It simplifies the build process by allowing developers to automate the compilation and linking of source code into executable programs.
- In a Linux environment, what is Jenkins primarily used for?
- Continuous Integration and Continuous Delivery 'CI/CD'
- Database management
- User authentication
- File encryption
Correct answer: Continuous Integration and Continuous Delivery 'CI/CD'
Correct answer: Continuous Integration and Continuous Delivery 'CI/CD'. Explanation: Jenkins is an open-source automation server used primarily for Continuous Integration and Continuous Delivery CI/CD in a software development process. It automates the building, testing, and deploying of applications, facilitating a more efficient and reliable development process.
- In Linux, what does the sed command primarily perform?
- File compression
- System auditing
- Stream editing
- User management
Correct answer: Stream editing
Correct answer: Stream editing. Explanation: The sed (Stream Editor) command in Linux is used for parsing and transforming text. It's a powerful tool for performing text transformations on an input stream (a file or input from a pipeline).
- Which command is used in Linux to monitor real-time system resource usage, such as CPU and memory?
Correct answer: Top
Correct answer: top. Explanation: The top command in Linux provides a dynamic real-time view of a running system. It displays system summary information and a list of processes or threads currently being managed by the Linux kernel, including information about CPU and memory usage.
- What is the primary function of the grep command in Linux?
- File encryption
- Network monitoring
- Text searching and pattern matching
- Disk partitioning
Correct answer: Text searching and pattern matching
Correct answer: Text searching and pattern matching. Explanation: The grep command in Linux is used for searching plain-text data for lines matching a regular expression. It's a powerful tool for text searching and pattern matching within files.
- In a Docker environment, what is the purpose of a Dockerfile?
- To start a Docker container
- To define the steps to create a Docker image
- To manage Docker volumes
- To configure Docker networking
Correct answer: To define the steps to create a Docker image
Correct answer: To define the steps to create a Docker image. Explanation: A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image. It automates the process of creating Docker images.
- In Linux, which command is used to display the current network configuration?
- Ifconfig
- Netstat
- Iptables
- Nslookup
Correct answer: Ifconfig
Correct answer: ifconfig. Explanation: The ifconfig (interface configuration) command in Linux is used to configure, control, and query TCP/IP network interface parameters. It displays the current network configuration, including IP addresses and network interfaces.
- Which command in Linux is used to list the contents of a directory, including hidden files?
Correct answer: Ls -a
Correct answer: ls -a. Explanation: The ls -a command in Linux lists the contents of a directory, including hidden files (files that start with a dot). This is a fundamental command for file and directory management in Linux.
- In the context of Linux scripting, what does a #! followed by a path (e.g., #!/bin/bash) at the beginning of a script signify?
- A comment
- A file path
- The interpreter directive
- An environment variable
Correct answer: The interpreter directive
Correct answer: The interpreter directive. Explanation: A #! followed by a path at the beginning of a script (known as a shebang) is the interpreter directive. It tells the system which interpreter to use to execute the script, such as /bin/bash for a Bash script.
- What is the main purpose of the tar command in Linux?
- Text searching
- Time synchronization
- Creating and extracting archives
- User authentication
Correct answer: Creating and extracting archives
Correct answer: Creating and extracting archives. Explanation: The tar (tape archive) command in Linux is used for creating and extracting archive files. It is a common method for bundling a collection of files and directories into a single archive file, often for distribution or backup purposes.
- In Kubernetes, what is a 'Pod'?
- A storage unit
- A network policy
- The smallest deployable unit
- A user account
Correct answer: The smallest deployable unit
Correct answer: The smallest deployable unit. Explanation: In Kubernetes, a 'Pod' is the smallest and simplest deployable unit that can be created and managed. It represents a single instance of a running process in a cluster and can contain one or more containers.
- Which command in Linux is primarily used for viewing the contents of a file on the terminal?
Correct answer: Cat
Correct answer: cat. Explanation: The cat (concatenate) command in Linux is commonly used to display the contents of a file on the terminal. It can also be used to concatenate and display multiple files.
- In Linux, when troubleshooting a network issue, which command can be used to trace the path packets take to reach a network host?
- Netstat
- Ifconfig
- Traceroute
- Ip
Correct answer: Traceroute
Correct answer: traceroute. Explanation: The traceroute command in Linux is used to display the route and measure transit delays of packets across a network. It's essential for diagnosing network path issues and determining the route packets take to reach a destination.
- Which Linux tool is used to diagnose and repair hard disk problems, including bad sectors?
Correct answer: Badblocks
Correct answer: badblocks. Explanation: The badblocks command in Linux is specifically designed to search for bad sectors on a disk. It's a crucial tool for diagnosing disk integrity and preventing data corruption by identifying and handling bad sectors.
- In Linux, what is the primary function of the strace command?
- Monitoring network traffic
- Displaying disk usage
- Tracing system calls and signals
- Viewing active processes
Correct answer: Tracing system calls and signals
Correct answer: Tracing system calls and signals. Explanation: strace is a powerful command-line tool in Linux used for debugging and troubleshooting. It traces system calls and signals, providing valuable insights into how a program interacts with the system, which is essential for diagnosing complex application issues.
- When a Linux system runs out of RAM and swap space, which kernel component is responsible for deciding which processes to kill to free up memory?
- OOM Killer
- Init
- Systemd
- Cron
Correct answer: OOM Killer
Correct answer: OOM Killer. Explanation: The Out-Of-Memory (OOM) Killer is a kernel component in Linux that automatically kills processes when the system runs critically low on memory. This mechanism is crucial for maintaining system stability in low-memory situations.
- What is the purpose of the lsof command in a Linux system?
- Listing open files and the processes using them
- Showing the system's log files
- Displaying the current user's file permissions
- Managing open network ports
Correct answer: Listing open files and the processes using them
Correct answer: Listing open files and the processes using them. Explanation: The lsof (list open files) command in Linux is used to list information about files that are opened by processes. It's a valuable tool for troubleshooting, as it reveals which files are in use and by which processes.
- Which command should be used to identify the presence of network packet loss in Linux?
- Ping
- Netstat
- Ifconfig
- Traceroute
Correct answer: Ping
Correct answer: ping. Explanation: The ping command in Linux is a simple yet effective tool for diagnosing network connectivity issues, including packet loss. It sends ICMP echo requests to a target host and listens for replies, providing insights into packet loss and network delays.
- In Linux, what is the primary purpose of the dmesg command?
- Displaying user login history
- Monitoring network traffic
- Printing the kernel message buffer
- Managing system services
Correct answer: Printing the kernel message buffer
Correct answer: Printing the kernel message buffer. Explanation: The dmesg command in Linux displays the kernel message buffer, a crucial tool for diagnosing hardware and driver-related problems. It provides insight into what the kernel is experiencing and helps in understanding hardware issues.
- What does the fsck command do in a Linux system?
- Fixes filesystem inconsistencies and errors
- Monitors file system disk space usage
- Changes file system types
- Encrypts file system data
Correct answer: Fixes filesystem inconsistencies and errors
Correct answer: Fixes filesystem inconsistencies and errors. Explanation: The fsck (file system check) command in Linux is used to check and repair filesystem inconsistencies and errors. It's an essential tool for maintaining file system health and integrity, particularly after improper shutdowns or system crashes.
- Which tool in Linux is used for interactive process manipulation, such as stopping and resuming processes?
Correct answer: Htop
Correct answer: htop. Explanation: htop is an interactive process viewer in Linux, similar to the top command, but with additional features. It allows users to manage processes in real-time, including stopping, resuming, and changing the priority of processes.
- In Linux, which command is used to test the reachability of a host on an Internet Protocol (IP) network?
- Netstat
- Ifconfig
- Ping
- Traceroute
Correct answer: Ping
Correct answer: ping. Explanation: The ping command in Linux is a fundamental network diagnostic tool used to test the reachability of a host on an IP network. It measures the round-trip time for messages sent from the originating host to a destination computer and back, helping to diagnose connectivity issues.
- Which Linux command is used to determine the type of a file (text, executable, image, etc.)?
Correct answer: File
Correct answer: file. Explanation: The file command in Linux is used to determine the type of a file, such as text, executable, image, etc. It's essential for identifying file content, especially when file extensions are missing or misleading.
- In Linux, which tool is typically used to monitor and interactively manage running processes?
Correct answer: Htop
Correct answer: htop. Explanation: htop is an interactive process viewer in Linux, which is used to monitor and manage running processes. It provides a real-time view of a running system, including CPU, memory usage, and the ability to manage processes directly.
- When diagnosing disk space issues in Linux, which command displays the sizes of directories and their contents in a readable format?
Correct answer: Du
Correct answer: du. Explanation: The du (disk usage) command in Linux displays the sizes of directories and their contents, making it a valuable tool for diagnosing disk space usage and identifying directories that are consuming large amounts of space.
- What is the primary purpose of the tshark tool in a Linux environment?
- Managing network interfaces
- Monitoring and capturing network packet data
- Configuring network routing
- Testing network speed
Correct answer: Monitoring and capturing network packet data
Correct answer: Monitoring and capturing network packet data. Explanation: tshark is the command-line version of Wireshark in Linux, used for network protocol analysis. It captures and displays packet data from a network, aiding in network troubleshooting and analysis.
- In Linux, which command can be used to display the current system load and CPU usage?
Correct answer: Uptime
Correct answer: uptime. Explanation: The uptime command in Linux displays the current system load, including the time the system has been running, number of users, and CPU usage. It's a quick way to check the load on the system.
- Which command in Linux is used to diagnose and isolate networking issues, reporting packet loss and latency?
- Ping
- Traceroute
- Netstat
- Ifconfig
Correct answer: Ping
Correct answer: ping. Explanation: The ping command is widely used in Linux to test the reachability of a host on an IP network and diagnose networking issues. It measures packet loss and latency, providing essential information for network troubleshooting.
- In Linux, which command is used to display the status of a particular service or a list of all running services?
Correct answer: Systemctl
Correct answer: systemctl. Explanation: The systemctl command in Linux is used to examine and control the systemd system and service manager. It's essential for managing services, including checking their status, starting, stopping, and restarting them.
- What is the function of the smartctl tool in a Linux system?
- Monitoring network traffic
- Controlling and monitoring storage devices
- Managing system services
- Configuring firewall rules
Correct answer: Controlling and monitoring storage devices
Correct answer: Controlling and monitoring storage devices. Explanation: smartctl is a command-line tool in Linux for controlling and monitoring storage devices using the Self-Monitoring, Analysis, and Reporting Technology (SMART) system. It's used for checking the health of drives and predicting drive failures.
- In Linux, which command is used to diagnose DNS resolution issues?
Correct answer: Dig
Correct answer: dig. Explanation: The dig (Domain Information Groper) command in Linux is used for querying DNS name servers. It's a useful tool for troubleshooting DNS problems, including testing and analyzing DNS resolution.
- Which tool in Linux provides real-time system monitoring, including CPU, memory, and I/O statistics?
Correct answer: Top
Correct answer: top. Explanation: The top command in Linux provides a dynamic, real-time view of a running system. It shows a system summary and a list of tasks currently managed by the Linux kernel, including information on CPU, memory, and I/O.
- In Linux, what is the primary purpose of the journalctl command?
- Configuring system logging
- Viewing system log files
- Monitoring network traffic
- Managing user accounts
Correct answer: Viewing system log files
Correct answer: Viewing system log files. Explanation: The journalctl command is used for querying and displaying messages from the systemd journal, which is part of the systemd system and service manager. It's an essential tool for viewing and analyzing system log files.
- Which Linux command is used to list the status of ports (both listening and non-listening)?
Correct answer: Netstat
Correct answer: netstat. Explanation: The netstat (network statistics) command in Linux is used to list the status of ports and interfaces, including both listening and non-listening ports. It's a crucial tool for network troubleshooting and monitoring.
- In Linux, which command is used to identify the amount of time a system has been running along with the average load?
Correct answer: Uptime
Correct answer: uptime. Explanation: The uptime command in Linux is used to show how long the system has been running and the average load. It's a quick and useful command for assessing system performance and stability.
- What is the function of the iostat command in a Linux environment?
- Monitoring network traffic
- Displaying CPU usage
- Generating disk I/O statistics
- Viewing active processes
Correct answer: Generating disk I/O statistics
Correct answer: Generating disk I/O statistics. Explanation: The iostat command in Linux is used for monitoring system input/output device loading by observing the time the devices are active in relation to their average transfer rates. It's essential for diagnosing performance issues related to disk I/O.
- Which command in Linux displays information about CPU architecture, including the number of CPUs, threads, cores, sockets, and more?
Correct answer: Lscpu
Correct answer: lscpu. Explanation: The lscpu command in Linux gathers information about the CPU architecture, such as the number of CPUs, threads, cores, and sockets. It's useful for system diagnostics and performance analysis.
- In Linux, which command is used for interactive monitoring of system calls made or received by a process?
Correct answer: Strace
Correct answer: strace. Explanation: strace is a diagnostic, debugging, and instructional userspace utility in Linux used for monitoring the system calls used by a program and the signals it receives. It's a key tool for troubleshooting and understanding how a program interacts with the system.
- What does the nmap command do in a Linux environment?
- Manages network interfaces
- Monitors network traffic
- Scans networks and performs security audits
- Configures network routing
Correct answer: Scans networks and performs security audits
Correct answer: Scans networks and performs security audits. Explanation: nmap (Network Mapper) is a free and open-source tool for network discovery and security auditing. It's widely used for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
- Which tool in Linux is primarily used for diagnosing issues with the X Window System?
- Xdiag
- Xorg.conf
- Xdpyinfo
- Xwininfo
Correct answer: Xdpyinfo
Correct answer: xdpyinfo. Explanation: xdpyinfo is a utility for displaying information about an X server. It is used to examine the capabilities of a server, the predefined values for various parameters, and to determine which extensions are supported.
- When troubleshooting a Linux system that is running slowly, which command is useful for identifying processes that are consuming excessive CPU or memory?
Correct answer: Top
Correct answer: top. Explanation: The top command in Linux is an invaluable tool for real-time monitoring of system processes and resource usage, including CPU and memory. It helps identify processes that are consuming excessive system resources, aiding in diagnosing performance issues.
- In Linux, which command is used to display the status of a network interface and to enable or disable network interfaces?
Correct answer: Ifconfig
Correct answer: ifconfig. Explanation: The ifconfig command in Linux is traditionally used to display the status of currently active network interfaces. It can also be used to enable or disable a network interface, making it a fundamental tool for network troubleshooting.
- What is the purpose of the vmstat command in Linux?
- Managing virtual machines
- Displaying virtual memory statistics
- Monitoring network traffic of virtual interfaces
- Configuring virtual network adapters
Correct answer: Displaying virtual memory statistics
Correct answer: Displaying virtual memory statistics. Explanation: The vmstat (virtual memory statistics) command in Linux reports information about processes, memory, paging, block IO, traps, and CPU activity. It's particularly useful for monitoring the system's virtual memory and understanding performance issues.
- Which Linux command can help identify and diagnose issues with the SSH (Secure Shell) service, such as connection and authentication problems?
- Ssh -v
- Netstat
- Ping
- Traceroute
Correct answer: Ssh -v
Correct answer: ssh -v. Explanation: The ssh -v command in Linux runs the SSH client in verbose mode. This mode provides detailed information about the connection and authentication process, which is helpful for diagnosing SSH-related issues.
- A trainer is asked to put the Linux boot process in correct order. After the hardware powers on, which sequence of handoffs is correct on a modern UEFI system?
- GRUB runs POST, then the kernel loads UEFI, then systemd loads the initramfs, then services start
- UEFI firmware (POST) loads GRUB, GRUB loads the kernel and initramfs, the kernel mounts the real root filesystem, then systemd starts as PID 1
- The kernel runs first and performs POST, then hands off to UEFI firmware, which launches GRUB
- Systemd starts first as PID 1, loads the kernel, then GRUB mounts the root filesystem
Correct answer: UEFI firmware (POST) loads GRUB, GRUB loads the kernel and initramfs, the kernel mounts the real root filesystem, then systemd starts as PID 1
The correct order is UEFI/BIOS firmware (which runs POST) loads the GRUB bootloader, GRUB loads the kernel and its initramfs into memory, the kernel uses the initramfs to mount the real root filesystem, and then it executes /sbin/init (systemd) as PID 1, which starts services. The other sequences reverse these handoffs; firmware always runs first and systemd always runs last among these stages.
- An administrator needs to load the kernel module 'vfat' along with any modules it depends on, using the dependency map the system has already built. Which command is the preferred tool for this?
- Lsmod vfat
- Modinfo vfat
- Modprobe vfat
- Insmod vfat
Correct answer: Modprobe vfat
modprobe vfat loads the module and automatically pulls in its dependencies using the modules.dep map generated by depmod, which is why it is preferred over insmod. insmod requires the full path to the .ko file and does not resolve dependencies. lsmod only lists currently loaded modules and takes no arguments; passing a module name to it does nothing useful. modinfo only displays metadata about a module without loading it.
- An administrator wants to see every kernel module currently loaded in memory along with its size and how many other modules depend on it. Which command provides this?
- Rmmod -v
- Modprobe -l
- Depmod -a
- Lsmod
Correct answer: Lsmod
lsmod reads /proc/modules and lists every currently loaded module with its memory size and the count of modules using it. modprobe -l was a legacy option that listed available (not loaded) modules on disk and has been removed from modern kmod implementations; it does not show the live loaded set. depmod -a rebuilds the dependency database (modules.dep) rather than displaying loaded modules, and rmmod removes a module rather than listing them.
- An administrator must cleanly unload the kernel module 'pcspkr' and any modules that exist only to support it, in the correct order. Which command is the safest choice?
- Rmmod pcspkr
- Modinfo -r pcspkr
- Insmod -r pcspkr
- Modprobe -r pcspkr
Correct answer: Modprobe -r pcspkr
modprobe -r pcspkr removes the module and any dependent modules that are no longer in use, handling the dependency order automatically. rmmod removes only the named module and will fail if other modules still depend on it, since it does not manage dependencies. insmod loads modules and has no -r removal mode of this kind, and modinfo only prints module information.
- An administrator just attached a new disk /dev/sdb and wants to use it under LVM. Which ordered sequence correctly initializes the disk and adds its space to an existing volume group named 'vg_data'?
- Pvcreate /dev/sdb, then vgextend vg_data /dev/sdb
- Lvcreate /dev/sdb, then vgmerge vg_data /dev/sdb
- Mkfs.ext4 /dev/sdb, then vgimport vg_data /dev/sdb
- Vgcreate /dev/sdb, then pvextend vg_data /dev/sdb
Correct answer: Pvcreate /dev/sdb, then vgextend vg_data /dev/sdb
pvcreate /dev/sdb initializes the disk as an LVM physical volume, and vgextend vg_data /dev/sdb adds that physical volume's capacity to the existing volume group. The other options invert the tool roles: vgcreate makes a new volume group rather than initializing a disk, lvcreate carves out logical volumes, and formatting with mkfs first would be premature and is not how a PV is added to a VG.
- After running 'lvextend -L +10G /dev/vg_data/lv_app' on a mounted ext4 logical volume, an administrator finds the filesystem still shows the old size. Which command grows the ext4 filesystem to use the new space without unmounting it?
- Lvresize -r only /dev/vg_data/lv_app
- Xfs_growfs /dev/vg_data/lv_app
- Resize2fs /dev/vg_data/lv_app
- Fsck -f /dev/vg_data/lv_app
Correct answer: Resize2fs /dev/vg_data/lv_app
resize2fs grows an ext2/ext3/ext4 filesystem online to fill the enlarged logical volume after lvextend. xfs_growfs is the equivalent only for XFS filesystems, so it would not apply to ext4. fsck checks and repairs but does not resize, and 'lvresize -r only' is not valid syntax (the resize-the-filesystem flag is -r, which would have resized it during lvresize itself).
- An administrator is documenting how Linux file permissions are read in an 'ls -l' listing that begins with '-rwxr-xr--'. What access does this represent?
- A regular file: owner read/write/execute, group read/execute, others read only
- A symbolic link: owner read only, group write, others execute
- A directory: owner full access, group and others no access
- A regular file: owner read only, group read/write, others full access
Correct answer: A regular file: owner read/write/execute, group read/execute, others read only
The leading dash marks a regular file, then the bits read as three triplets: rwx for the owner (read/write/execute), r-x for the group (read/execute), and r-- for others (read only). A leading 'd' would indicate a directory and 'l' a symbolic link, neither of which applies here, and the remaining triplets in the wrong answers misread the rwx pattern.
- An administrator must terminate every running process named 'firefox' at once by name rather than looking up each PID. Which command does this directly?
- Pkill -PID firefox
- Killall firefox
- Kill firefox
- Kill -9 firefox
Correct answer: Killall firefox
killall firefox sends a signal (SIGTERM by default) to all processes matching the name 'firefox', so no PID lookup is needed. The plain kill command expects a numeric PID, not a process name, so 'kill firefox' and 'kill -9 firefox' fail because they cannot accept a name. 'pkill -PID' is not valid syntax; pkill matches by name but uses signal flags like -9, not -PID.
- A junior administrator confuses kill and killall. Which statement correctly distinguishes them?
- Kill always sends SIGKILL and cannot be changed, while killall always sends SIGTERM
- Kill terminates all processes by name, while killall terminates a single process by PID
- Kill sends a signal to a specific process by its PID, while killall sends a signal to all processes matching a given name
- Kill works only on the current user's processes, while killall works only on root's processes
Correct answer: Kill sends a signal to a specific process by its PID, while killall sends a signal to all processes matching a given name
kill targets one specific process by its numeric PID, whereas killall targets every process matching a supplied name. Both default to SIGTERM (signal 15) and can send other signals such as SIGKILL (9) with a flag like -9, so neither is locked to a single signal. The user-ownership claim is also wrong; both honor normal permission rules and root can signal any process.
- An administrator wants to launch a backup job at a lower CPU scheduling priority so it does not compete with interactive work. Which command starts it with a reduced priority (higher niceness)?
- Nice -n 10 ./backup.sh
- Nice -n -10 ./backup.sh
- Renice 10 ./backup.sh
- Ionice -c3 nice ./backup.sh
Correct answer: Nice -n 10 ./backup.sh
nice -n 10 ./backup.sh starts a new process with a niceness of +10, meaning lower CPU priority (higher nice value = nicer to others). renice adjusts an already-running process by PID, not a command being launched. A nice value of -10 would raise priority, the opposite of the goal, and ionice controls I/O scheduling class rather than CPU niceness.
- A long-running process with PID 4821 is hogging the CPU. An administrator wants to lower its priority while it continues running. Which command does this?
- Nice +5 -p 4821
- Renice +5 -p 4821
- Renice +5 4821.sh
- Nice -n +5 4821
Correct answer: Renice +5 -p 4821
renice +5 -p 4821 changes the niceness of the already-running process with PID 4821 to +5, lowering its priority. nice can only set the niceness of a command at launch time, so it cannot adjust an existing PID. renice operates on PIDs (or users/groups), not script names, and nice -n applies to a command rather than a running PID.
- On a Debian-based server an administrator must refresh the package index and then upgrade all installed packages to the latest available versions. Which command sequence does this?
- Apt update, then apt upgrade
- Apt upgrade, then apt update
- Dnf check-update, then dnf upgrade
- Apt refresh, then apt install --all
Correct answer: Apt update, then apt upgrade
apt update refreshes the local package index from the repositories, and apt upgrade then installs the newest versions of installed packages. Running upgrade before update would act on a stale index. There is no 'apt refresh' or 'apt install --all' subcommand, and dnf is the Red Hat-family tool, not the Debian one.
- An administrator is choosing the correct high-level package manager for two servers: one Ubuntu and one Fedora. Which pairing is correct?
- Use dnf on Ubuntu and apt on Fedora
- Use apt on Ubuntu (.deb packages) and dnf on Fedora (.rpm packages)
- Use yum on Ubuntu and apt on Fedora
- Use apt on both, since it is now the universal Linux package manager
Correct answer: Use apt on Ubuntu (.deb packages) and dnf on Fedora (.rpm packages)
apt is the high-level package manager for Debian-based distributions like Ubuntu, working with .deb packages, while dnf is the high-level manager for Fedora and RHEL-family systems, working with .rpm packages. The pairings are not interchangeable, yum is the older RHEL-family tool (not for Ubuntu), and apt is not universal across all distributions.
- A team compares Linux package managers and wants the accurate mapping of high-level tool to underlying low-level tool and package format. Which mapping is correct?
- Apt and dnf both sit above dpkg; rpm is unrelated to either
- Apt sits above rpm for .rpm packages; dnf sits above dpkg for .deb packages
- Yum sits above apt, which sits above dpkg, on Red Hat systems
- Apt sits above dpkg for .deb packages; dnf (and legacy yum) sit above rpm for .rpm packages
Correct answer: Apt sits above dpkg for .deb packages; dnf (and legacy yum) sit above rpm for .rpm packages
On Debian-based systems apt is the dependency-resolving front end over the low-level dpkg tool for .deb packages, and on Red Hat-based systems dnf (and the legacy yum) are the front ends over the low-level rpm tool for .rpm packages. The other options swap the formats or invent layering that does not exist, such as yum stacking on apt.
- An administrator needs to combine three identical disks so that data is striped with parity for fault tolerance, surviving a single disk failure while keeping most capacity usable. Which software RAID level should be created with mdadm?
- RAID 5
- RAID 1
- JBOD (linear/concatenation)
- RAID 0
Correct answer: RAID 5
RAID 5 stripes data with distributed parity across three or more disks, tolerating the loss of a single disk while using only one disk's worth of capacity for parity. RAID 0 stripes with no redundancy and cannot survive any failure, RAID 1 mirrors and would not stripe with parity, and JBOD simply concatenates disks with no fault tolerance.
- An administrator wants the device name in /etc/fstab to remain stable even if disk detection order changes between reboots. Which identifier is the most robust choice for the first field?
- The mount point path
- The kernel device path such as /dev/sdb1
- The current major:minor number
- The filesystem UUID
Correct answer: The filesystem UUID
Referencing a filesystem by its UUID keeps the fstab entry valid even when the kernel assigns a different /dev/sdX letter after a hardware or boot-order change, since the UUID stays with the filesystem. Plain /dev/sdb1 names can shift between boots, major:minor numbers are not stable persistent identifiers for this purpose, and the mount point belongs in the second field, not the device field.
- An administrator must create an XFS filesystem on the new partition /dev/sdc1 before mounting it. Which command does this?
- Mount -t xfs /dev/sdc1
- Mkxfs /dev/sdc1
- Xfs_growfs /dev/sdc1
- Mkfs.xfs /dev/sdc1
Correct answer: Mkfs.xfs /dev/sdc1
mkfs.xfs /dev/sdc1 builds a new XFS filesystem on the partition. There is no 'mkxfs' command; the family uses the mkfs.TYPE naming such as mkfs.ext4 and mkfs.xfs. mount attaches an already-formatted filesystem rather than creating one, and xfs_growfs only enlarges an existing XFS filesystem.
- An administrator wants to add a 4 GiB swap file at /swapfile and activate it immediately. After creating and sizing the file, which sequence enables it as swap?
- Fallocate --swap /swapfile, then systemctl start swap
- Swapon /swapfile, then mkswap /swapfile
- Mkfs.swap /swapfile, then mount /swapfile
- Mkswap /swapfile, then swapon /swapfile
Correct answer: Mkswap /swapfile, then swapon /swapfile
mkswap /swapfile writes the swap signature/area onto the file, and swapon /swapfile then activates it for paging. The order matters: running swapon before mkswap fails because there is no swap area yet. The tool is mkswap, not mkfs.swap, and swap is enabled with swapon rather than mount.
- An administrator needs to change a kernel parameter, net.ipv4.ip_forward, so that it takes effect now and persists across reboots. Which approach accomplishes both?
- Edit /etc/fstab to add the parameter, then run mount -a
- Echo the value only into /proc once, which automatically makes it permanent
- Run 'sysctl -w net.ipv4.ip_forward=1' for the running system and add 'net.ipv4.ip_forward=1' to a file in /etc/sysctl.d/
- Pass the parameter to modprobe so the kernel reloads it each boot
Correct answer: Run 'sysctl -w net.ipv4.ip_forward=1' for the running system and add 'net.ipv4.ip_forward=1' to a file in /etc/sysctl.d/
sysctl -w net.ipv4.ip_forward=1 applies the change to the running kernel immediately, and adding the same line to a config file under /etc/sysctl.d/ (or /etc/sysctl.conf) makes it persist across reboots. Writing to /proc/sys directly is not persistent, kernel tunables do not belong in /etc/fstab, and modprobe loads modules rather than setting sysctl parameters.
- On a systemd-based server an administrator wants to view kernel and service log messages from the current boot only, in real time as new entries arrive. Which command is appropriate?
- Cat /var/log/journal/current
- Dmesg --persistent
- Journalctl -b -f
- Journalctl --all-boots
Correct answer: Journalctl -b -f
journalctl -b limits output to the current boot, and -f follows the journal live, appending new entries as they are written. '--all-boots' is not a valid journalctl flag name; multi-boot viewing uses -b with an offset (e.g. -b -1) or the special argument 'journalctl -b all'. dmesg shows the kernel ring buffer without journald's boot-filtering and follow mode combined this way, and the journal files are binary so cat does not produce readable output.
- An administrator must assign the static IP address 192.168.10.50/24 to the interface ens33 right now using the modern iproute2 tooling. Which command does this?
- Ip route add 192.168.10.50/24 dev ens33
- Ifconfig ens33 add 192.168.10.50/24
- Ip addr add 192.168.10.50/24 dev ens33
- Nmcli addr set 192.168.10.50/24 ens33
Correct answer: Ip addr add 192.168.10.50/24 dev ens33
ip addr add 192.168.10.50/24 dev ens33 assigns the address to the interface using the current iproute2 suite that replaced the deprecated ifconfig. 'ip route add' manages routing entries, not interface addresses, ifconfig uses a different syntax and is legacy, and the nmcli syntax shown is not valid (nmcli works through connection profiles, e.g. nmcli con mod).
- An administrator edited /etc/default/grub to change the default timeout and added a kernel argument in a file under /etc/grub.d, but a reboot showed no change. On a RHEL-family system using GRUB2, what step regenerates the active boot configuration from these source files?
- Hand-edit /boot/grub2/grub.cfg directly, since that file is the canonical source the others are generated from
- Run grub2-mkconfig -o /boot/grub2/grub.cfg to rebuild grub.cfg from /etc/default/grub and /etc/grub.d
- Run update-grub2, which is the standard regeneration tool on RHEL-family systems
- Reinstall the kernel package, because grub.cfg can only be refreshed by a kernel installation
Correct answer: Run grub2-mkconfig -o /boot/grub2/grub.cfg to rebuild grub.cfg from /etc/default/grub and /etc/grub.d
Running grub2-mkconfig -o /boot/grub2/grub.cfg is the step that works, because grub2-mkconfig reads the settings in /etc/default/grub and the scripts in /etc/grub.d and writes the resulting grub.cfg that GRUB2 actually reads at boot. Hand-editing grub.cfg is discouraged and gets overwritten on the next regeneration or kernel install, so it is not the source of truth. update-grub2 is the Debian/Ubuntu wrapper, not the RHEL-family command. A kernel reinstall does trigger regeneration as a side effect but is not the intended way to apply these edits.
- A server boots straight into a graphical login, but an administrator wants it to come up in a text-only multi-user mode by default on every future boot, using systemd. Which command sets this persistently?
- Systemctl enable multi-user.target
- Systemctl set-default runlevel3
- Systemctl set-default multi-user.target
- Systemctl isolate multi-user.target
Correct answer: Systemctl set-default multi-user.target
systemctl set-default multi-user.target is correct because it repoints the default.target symlink so the system boots into the text multi-user target on every subsequent boot. systemctl isolate switches the running system to that target right now but does not change the default for future boots. systemctl enable is used to enable units to start automatically, not to choose the boot target, and 'runlevel3' is not a valid systemd target name (the systemd unit is multi-user.target).
- An administrator created a timer unit named backup.timer with an OnCalendar entry and ran 'systemctl enable --now backup.timer', but the backup never runs. Investigation shows no backup.service file exists. Why does the timer fail to trigger any work?
- A .timer unit activates a matching .service unit of the same name, so backup.service must exist for the timer to have anything to run
- A .timer unit runs the embedded ExecStart line directly, so the failure means the ExecStart syntax is wrong
- Timers require cron to be installed because systemd delegates all scheduling to the cron daemon
- Timer units cannot use OnCalendar; only OnBootSec is valid, so the schedule is silently ignored
Correct answer: A .timer unit activates a matching .service unit of the same name, so backup.service must exist for the timer to have anything to run
The root cause is that a .timer unit does not do work itself; it activates a service unit, and by default that is a .service with the same base name, so backup.timer needs a backup.service to exist (or an explicit Unit= directive pointing elsewhere). OnCalendar is a fully valid timer directive, so that is not the issue. A timer has no ExecStart of its own, that line belongs in the service. systemd timers are independent of cron and do not require the cron daemon at all.
- After a package upgrade with 'dnf upgrade' broke an application, an administrator wants to reverse that specific transaction and restore the previous package versions on a RHEL-family system. Which approach does this most directly?
- Run 'dnf downgrade --all' since dnf has no record of past transactions to reverse
- Find the transaction with 'dnf history' and reverse it with 'dnf history undo <id>'
- Delete /var/cache/dnf, which automatically rolls every package back to its prior version
- Run 'dnf upgrade --rollback', the built-in flag that reverses the most recent upgrade
Correct answer: Find the transaction with 'dnf history' and reverse it with 'dnf history undo <id>'
The direct method is to look up the transaction id with dnf history and then run dnf history undo <id>, which reverses exactly that transaction by reinstalling the previous versions and undoing the changes it made. dnf keeps a full transaction history, so the claim that it has no record is false. Clearing /var/cache/dnf only removes downloaded package caches and does not roll anything back. There is no 'dnf upgrade --rollback' flag; rollback is handled through the history subcommand.
- On a Debian-based system an administrator knows a config file lives somewhere on disk and wants to find out which installed package owns that file path. Using only dpkg, which command answers this?
- Dpkg -l /etc/ssh/sshd_config
- Dpkg -L /etc/ssh/sshd_config
- Dpkg -c /etc/ssh/sshd_config
- Dpkg -S /etc/ssh/sshd_config
Correct answer: Dpkg -S /etc/ssh/sshd_config
dpkg -S /etc/ssh/sshd_config searches dpkg's database for the package that owns the given file path, which is exactly the reverse lookup needed. dpkg -L does the opposite direction, listing the files a named package installed, and it expects a package name rather than a path. dpkg -l lists installed packages matching a name pattern, not file ownership. dpkg -c lists the contents of a .deb archive file, not an installed path.
- Before applying risky configuration changes to a mounted ext4 logical volume named lv_db in volume group vg01, an administrator wants a point-in-time copy that can be reverted later. Which command creates an LVM snapshot of that logical volume?
- Pvcreate --snapshot -L 5G /dev/vg01/lv_db
- Lvcreate -s -L 5G -n lv_db_snap /dev/vg01/lv_db
- Lvextend -s -L 5G /dev/vg01/lv_db
- Vgcreate -s -L 5G lv_db_snap /dev/vg01/lv_db
Correct answer: Lvcreate -s -L 5G -n lv_db_snap /dev/vg01/lv_db
lvcreate -s -L 5G -n lv_db_snap /dev/vg01/lv_db creates a snapshot logical volume, where -s requests a snapshot, -L sizes the copy-on-write area, -n names it, and the origin volume is given as the source. lvextend grows an existing volume and has no snapshot role. vgcreate makes a new volume group from physical volumes, not a snapshot. pvcreate initializes a disk as a physical volume and has no snapshot capability.
- A newly imaged server reports the wrong time zone and is logging timestamps several hours off. An administrator wants to set the system time zone to America/Chicago using the standard systemd utility. Which command does this?
- Localectl set-timezone America/Chicago
- Timedatectl set-timezone America/Chicago
- Hostnamectl set-timezone America/Chicago
- Timedatectl set-locale America/Chicago
Correct answer: Timedatectl set-timezone America/Chicago
timedatectl set-timezone America/Chicago is correct because timedatectl manages the system clock and time zone, and set-timezone updates /etc/localtime accordingly. localectl handles locale and keyboard layout settings, not the time zone. hostnamectl manages the system hostname and related metadata, not time. set-locale is a localectl-style action for language settings and does not take a time zone value, so pairing it with timedatectl and a zone name is invalid.
- An administrator notices a process shown in 'ps' output with a state code of Z and a parent that is still running. What does this indicate and what is the appropriate remediation?
- It is a process in uninterruptible sleep waiting on I/O, and sending SIGKILL will immediately free it
- It is a zombie (defunct) process whose exit status the parent has not reaped; signaling or fixing the parent so it calls wait is the way to clear it
- It is a stopped process suspended by a signal, and running 'fg' will always terminate it
- It is a high-priority real-time process, and lowering its nice value will move it out of state Z
Correct answer: It is a zombie (defunct) process whose exit status the parent has not reaped; signaling or fixing the parent so it calls wait is the way to clear it
A state code of Z marks a zombie, or defunct, process that has finished executing but whose entry lingers because the parent has not yet read its exit status with wait; the fix is to get the parent to reap it (often by signaling the parent, or if the parent dies the child is reparented to init/systemd and cleaned up). Uninterruptible sleep is state D, not Z, and SIGKILL cannot remove an already-dead zombie. A stopped process is state T, not Z. State Z has nothing to do with real-time scheduling or nice values.
- An administrator writes a provisioning script that must run identically across Debian, RHEL, and Alpine systems without prompting for input. Which user-creation utility should the script call to ensure consistent, non-interactive behavior on every distribution?
- Useradd, because it is a low-level binary present on virtually every distribution
- Newusers, because it only works in batch mode
- Adduser, because it asks for the password and home directory interactively
- Gpasswd, because it provisions accounts and groups together
Correct answer: Useradd, because it is a low-level binary present on virtually every distribution
useradd is the right choice because it is a low-level binary utility present on virtually every Linux distribution and runs non-interactively, making it reliable in cross-distro scripts. adduser behaves differently per distro: on Debian and Ubuntu it is an interactive Perl/shell wrapper that prompts for input, while on RHEL it is simply a symlink to useradd, and on Alpine it is a different busybox built-in — relying on adduser therefore gives inconsistent behavior across the three named distros. newusers reads batch files of full account records rather than creating a single account, and gpasswd administers group membership, not account creation.
- A help-desk technician is told to create a standard user named jbauer on a RHEL server, including a home directory and a default shell of /bin/bash, in a single non-interactive command. Which command accomplishes this?
- Useradd -M -s /sbin/nologin jbauer
- Usermod -m -s /bin/bash jbauer
- Passwd -m jbauer
- Useradd -m -s /bin/bash jbauer
Correct answer: Useradd -m -s /bin/bash jbauer
useradd -m -s /bin/bash jbauer is correct: -m forces creation of the home directory regardless of the system-wide CREATE_HOME setting, and -s sets the login shell to /bin/bash. useradd -M explicitly suppresses home-directory creation and /sbin/nologin would prevent interactive login. usermod modifies an existing account rather than creating a new one, and passwd only sets or changes a password.
- After running useradd to create a new account, an administrator notices the user cannot log in even though the account exists in /etc/passwd. What is the most likely cause?
- The account has no password set, so the password field is locked
- The user was not added to the wheel group
- SELinux is in enforcing mode
- The home directory permissions are 755 instead of 700
Correct answer: The account has no password set, so the password field is locked
The account has no password set is the most likely cause: useradd does not set a password by default, leaving the account in a locked state (the /etc/shadow password field contains ! or *) that blocks password authentication until the administrator runs passwd for that user. Wheel-group membership only affects sudo/su privilege, not basic login. Home-directory permission differences and SELinux enforcing mode do not by themselves prevent a freshly created account from logging in.
- A security auditor asks where encrypted user password hashes and password-aging fields are stored on a modern Linux system. Which file holds this information?
- /etc/group
- /etc/passwd
- /etc/shadow
- /etc/gshadow
Correct answer: /etc/shadow
/etc/shadow is correct because it stores each user's hashed password along with password-aging fields such as last change date, minimum and maximum age, warning period, and expiration. It is readable only by root, unlike the world-readable /etc/passwd, which historically held password hashes but now shows only an x placeholder in the password field. /etc/group and /etc/gshadow store group membership and group passwords, not user password hashes.
- A junior admin opens /etc/passwd and sees the line: deploy:x:1005:1005:Deploy User:/home/deploy:/bin/bash. What does the x in the second field indicate?
- The password hash is stored in /etc/shadow instead of this file
- The user has no password and can log in freely
- The account is locked and cannot be used
- The field is reserved for the encryption algorithm identifier
Correct answer: The password hash is stored in /etc/shadow instead of this file
The x indicates the password hash is stored in /etc/shadow rather than in /etc/passwd. On modern systems the actual hash was moved out of the world-readable /etc/passwd into the root-only /etc/shadow, and the x is simply a placeholder pointing there. An x does not mean the account is locked (a locked password is shown by ! or * in /etc/shadow), nor does it mean the user has no password, and it is not an algorithm identifier.
- An administrator needs to add the existing user sarah to the secondary group developers without removing her from any of her current groups. Which command does this correctly?
- Groupadd -a sarah developers
- Usermod -G developers sarah
- Usermod -g developers sarah
- Usermod -aG developers sarah
Correct answer: Usermod -aG developers sarah
usermod -aG developers sarah is correct: -G specifies supplementary (secondary) groups and the -a (append) flag ensures sarah is added to developers without being removed from her other supplementary groups. Using usermod -G without -a replaces her entire supplementary group list, dropping all groups not listed. usermod -g changes the primary group instead of adding a secondary one, and groupadd creates a group rather than managing membership.
- An administrator wants to add the user mike to the docker group, but only the -a/-G usermod approach feels error-prone. Which dedicated command adds a single user to a group as a focused operation?
- Newgrp docker mike
- Groupmod -a mike docker
- Gpasswd -a mike docker
- Chgrp mike docker
Correct answer: Gpasswd -a mike docker
gpasswd -a mike docker is correct because gpasswd is the dedicated group-administration tool and -a adds a single user to the named group safely without affecting other memberships. groupmod modifies group attributes such as name or GID, not membership. newgrp changes the caller's active group for the current session, and chgrp changes the group ownership of files, not group membership.
- A new administrator asks when to use sudo versus su for routine administrative tasks on a multi-admin server. Which statement best describes the recommended distinction?
- Su requires entries in /etc/sudoers while sudo does not
- Sudo runs specific authorized commands using the invoker's own password and logs them; su switches to another user's full shell using that target user's password
- Sudo and su are identical except sudo is only available on Debian systems
- Su runs a single command as another user; sudo opens a full root login shell
Correct answer: Sudo runs specific authorized commands using the invoker's own password and logs them; su switches to another user's full shell using that target user's password
The correct distinction is that sudo runs specific authorized commands using the invoker's own password and logs each invocation, while su switches to another user's full shell and requires that target user's (often root's) password. sudo enables least-privilege, per-command delegation and accountability through logging; su grants a full interactive shell with the target identity. The /etc/sudoers file governs sudo, not su, and both tools exist across distributions.
- On a hardened server the root account password is locked and direct root login is disabled, yet administrators must still perform privileged tasks. Which approach is consistent with this configuration?
- Edit /etc/passwd to give each admin UID 0
- Use su - to obtain a root shell with the root password
- Use newgrp root to elevate to root privileges
- Use sudo with each admin's own credentials for authorized commands
Correct answer: Use sudo with each admin's own credentials for authorized commands
Using sudo with each admin's own credentials is correct because sudo authenticates with the invoking user's password and consults /etc/sudoers for authorization, so it works even when the root password is locked. su - would fail since it requires the root password, which is locked. newgrp only changes the active group, not the user identity, and editing /etc/passwd to assign UID 0 to multiple users is a dangerous misconfiguration that destroys accountability rather than a sanctioned elevation method.
- An administrator must grant the user ops permission to run only /usr/bin/systemctl restart nginx as root, without a password prompt, and nothing else. Which /etc/sudoers entry is correct?
- Ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
- %ops ALL=(ALL) /usr/bin/systemctl
- Ops ALL=NOPASSWD: ALL
- Ops ALL=(ALL) ALL
Correct answer: Ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx is correct: it limits ops to running exactly that one command as root on any host with no password prompt, following least privilege. ops ALL=(ALL) ALL and ops ALL=NOPASSWD: ALL both grant unrestricted root command access. The %ops form targets a group named ops (the leading % denotes a group) and would allow all systemctl subcommands, which is broader than required.
- An administrator wants public-key SSH authentication to a server. They run ssh-keygen and then must install the public half on the server. Which file on the server stores the user's authorized public keys?
- ~/.ssh/known_hosts
- ~/.ssh/id_ed25519
- ~/.ssh/authorized_keys
- /etc/ssh/sshd_config
Correct answer: ~/.ssh/authorized_keys
~/.ssh/authorized_keys is correct because the SSH server checks each connecting user's public key against the keys listed in that user's authorized_keys file to grant key-based login. ~/.ssh/id_ed25519 is the user's private key kept on the client, and ~/.ssh/known_hosts records host keys of servers the client has connected to. /etc/ssh/sshd_config is the daemon configuration file, not a key store.
- A developer is asked to explain the roles of the SSH key pair. Which statement correctly describes the relationship between the public and private keys?
- The public key signs data and the private key is used to verify it
- The public key is freely distributed to servers, while the private key must remain secret on the client
- Both keys must be copied to the server's authorized_keys file
- The private key is shared with servers and the public key is kept secret on the client
Correct answer: The public key is freely distributed to servers, while the private key must remain secret on the client
The correct statement is that the public key is freely distributed to servers while the private key must remain secret on the client. During authentication the server uses the stored public key to challenge the client, which proves possession of the matching private key without ever transmitting it. Reversing the roles, copying the private key to the server, or claiming the public key signs while the private verifies all misstate asymmetric cryptography, where the private key signs/decrypts and the public key verifies/encrypts.
- An administrator on a Linux workstation needs to generate a modern, secure SSH key pair using the Ed25519 algorithm. Which command does this?
- Ssh-copy-id -t ed25519 admin@host
- Ssh-add -t ed25519
- Ssh-keygen -R ed25519
- Ssh-keygen -t ed25519 -C "admin@host"
Correct answer: Ssh-keygen -t ed25519 -C "admin@host"
ssh-keygen -t ed25519 -C "admin@host" is correct: -t selects the key type (Ed25519, a modern elliptic-curve algorithm), and -C adds a comment label. ssh-add loads existing private keys into the agent rather than generating keys, and ssh-copy-id installs an existing public key onto a remote server. ssh-keygen -R removes a host from known_hosts and does not create a key pair.
- After generating an SSH key pair, an administrator wants to copy the public key to a remote host so password-less login works. Which command is the simplest correct method?
- Scp ~/.ssh/id_rsa user@host:~/.ssh/
- Rsync ~/.ssh/id_rsa.pub user@host
- Ssh-keygen -p user@host
- Ssh-copy-id user@host
Correct answer: Ssh-copy-id user@host
ssh-copy-id user@host is correct because it appends the local public key to the remote user's ~/.ssh/authorized_keys file and sets appropriate permissions automatically. Copying id_rsa (the private key) to the server with scp would expose the secret key and would not enable key authentication. ssh-keygen -p changes the passphrase on a local key, and the rsync example specifies no destination path and would not install the key into authorized_keys.
- An administrator must permanently start the nginx service now and ensure it also launches automatically at every boot. Which command sequence accomplishes both goals?
- Systemctl restart nginx then systemctl mask nginx
- Service nginx start then chkconfig nginx reset
- Systemctl start nginx then systemctl enable nginx
- Systemctl enable nginx then systemctl reload nginx
Correct answer: Systemctl start nginx then systemctl enable nginx
systemctl start nginx then systemctl enable nginx is correct: start activates the service immediately for the current session, and enable creates the symlinks so systemd launches it at boot. enable alone does not start the service now, and reload only re-reads a running service's configuration. mask actively prevents a unit from being started, which is the opposite of the goal.
- A service named appd fails to start, and the administrator needs to see its current status, recent log lines, and whether it is enabled at boot in one command. Which command provides this?
- Service appd info
- Systemctl list-units appd
- Journalctl appd
- Systemctl status appd
Correct answer: Systemctl status appd
systemctl status appd is correct because it reports the unit's active/failed state, whether it is enabled for boot, the main PID, and the most recent journal log lines for that service in a single output. systemctl list-units lists loaded units but not the enabled-at-boot setting or recent logs for one service, journalctl needs a -u flag to filter by unit, and service appd info is not a valid status command on systemd hosts.
- After editing /etc/systemd/system/myapp.service, an administrator restarts the service but the changes are ignored. What step was missed?
- Run systemctl mask myapp before restarting
- Run systemctl daemon-reload to make systemd re-read unit files
- Run systemctl reset-failed myapp
- Reboot is the only way to apply unit-file changes
Correct answer: Run systemctl daemon-reload to make systemd re-read unit files
Running systemctl daemon-reload is the missed step: after a unit file is edited, systemd must reload its configuration into memory before the new definition takes effect, so a restart without daemon-reload uses the stale unit. Masking would block the service entirely, a full reboot is unnecessary and excessive, and reset-failed only clears a unit's failed state without re-reading the modified unit file.
- An administrator wants to inspect the systemd journal for only the sshd service since the last boot, showing the newest entries. Which command does this?
- Journalctl -u sshd -b
- Journalctl -f sshd
- Journalctl -p sshd -k
- Journalctl --since sshd
Correct answer: Journalctl -u sshd -b
journalctl -u sshd -b is correct: -u filters the journal to the sshd unit and -b restricts output to the current boot. journalctl -f follows new entries in real time but without -u it treats sshd as a path argument rather than a unit filter, --since expects a time specification not a unit name, and -p filters by priority while -k limits to kernel messages, neither of which targets a specific service.
- On an RHEL 9 host, an administrator must install the package httpd and automatically resolve its dependencies. Which command is appropriate?
- Apt install httpd
- Dnf install httpd
- Rpm -i httpd
- Dnf localinstall httpd
Correct answer: Dnf install httpd
dnf install httpd is correct because dnf is the standard package manager on modern RHEL-family systems and it downloads httpd from configured repositories while resolving and installing all dependencies. rpm -i installs a local .rpm file but does not resolve repository dependencies. apt is the Debian/Ubuntu tool and is not present by default on RHEL, and dnf localinstall is a deprecated alias intended for installing a local .rpm file path rather than a repository package name.
- An administrator must change the primary group of the user webadmin to the existing group www-data. Which command does this correctly?
- Usermod -G www-data webadmin
- Chgrp www-data webadmin
- Usermod -g www-data webadmin
- Gpasswd -a webadmin www-data
Correct answer: Usermod -g www-data webadmin
usermod -g www-data webadmin is correct because the lowercase -g flag sets the user's primary (login) group. The uppercase -G flag manages supplementary groups instead, gpasswd -a adds a supplementary group membership rather than changing the primary group, and chgrp changes the group ownership of files, not a user account's primary group.
- An administrator needs to lock the account of a departing employee named contractor so it can no longer authenticate by password, without deleting the account or its files. Which command is appropriate?
- Usermod -L contractor
- Usermod -U contractor
- Userdel contractor
- Passwd -d contractor
Correct answer: Usermod -L contractor
usermod -L contractor is correct: -L locks the account by prepending an exclamation mark to the password hash in /etc/shadow, preventing password authentication while preserving the account and data. userdel removes the account entirely, passwd -d deletes the password making the account passwordless rather than locked, and usermod -U unlocks an account, which is the opposite of the intent.
- A scheduled report must run as the user analytics every weekday at 6:00 AM. Which crontab entry placed in that user's crontab is correct?
- 0 6 1-5 * * /opt/scripts/report.sh
- * 6 * * 1-5 /opt/scripts/report.sh
- 6 0 * * 1-5 /opt/scripts/report.sh
- 0 6 * * 1-5 /opt/scripts/report.sh
Correct answer: 0 6 * * 1-5 /opt/scripts/report.sh
0 6 * * 1-5 /opt/scripts/report.sh is correct: cron fields are minute, hour, day-of-month, month, day-of-week, so 0 6 means 6:00 AM and 1-5 in the day-of-week field means Monday through Friday. Writing 6 0 would run at 12:06 AM, placing 1-5 in the day-of-month field would restrict it to the first five days of each month, and a * in the minute field would run it every minute of the 6 AM hour.
- An administrator wants a maintenance task to run once daily but does not care about the exact time and wants it to run even if the machine was powered off at the scheduled moment. Which facility is most appropriate?
- Anacron via /etc/cron.daily
- An at job
- A cron entry in /etc/cron.d
- A systemd socket unit
Correct answer: Anacron via /etc/cron.daily
anacron via /etc/cron.daily is correct because anacron is designed for systems that are not running continuously; it tracks when jobs last ran and executes missed daily, weekly, or monthly jobs after the machine powers on, without requiring an exact time. Standard cron simply skips jobs that were scheduled while the system was off. An at job runs one time at a specific moment, and a systemd socket unit handles socket activation, not periodic scheduling.
- A user needs to temporarily switch their effective group to render in the current shell session so that newly created files inherit that group ownership, without logging out. Which command does this?
- Usermod -g render $USER
- Chgrp render
- Gpasswd render
- Newgrp render
Correct answer: Newgrp render
newgrp render is correct because it starts a new shell with render as the active primary group for the current session, so files created afterward inherit that group, and the change ends when the shell exits. usermod -g permanently changes the account's primary group and requires privileges, chgrp changes the group of existing files rather than the session's active group, and gpasswd without options administers the group password rather than switching the session group.
- An administrator is configuring a container service and chooses Podman over Docker on a RHEL host because of a specific architectural advantage tested on the exam. What is that advantage?
- Podman requires a central background daemon running as root
- Podman cannot use Dockerfiles or OCI images
- Podman only manages Kubernetes pods, not standalone containers
- Podman is daemonless and can run rootless containers as an unprivileged user
Correct answer: Podman is daemonless and can run rootless containers as an unprivileged user
The correct advantage is that Podman is daemonless and can run rootless containers as an unprivileged user, improving security by avoiding a persistent root-owned daemon. Docker traditionally relies on a central daemon, so the claim that Podman requires one is wrong. Podman is OCI-compliant and can build from Dockerfiles and run Docker-format images, and while it can manage pods it also runs standalone containers.
- An administrator wants to run an nginx container in the background, mapping host port 8080 to container port 80, using Docker. Which command is correct?
- Docker start -p 8080:80 nginx
- Docker run -it -p 80:8080 nginx
- Docker run -d -v 8080:80 nginx
- Docker run -d -p 8080:80 nginx
Correct answer: Docker run -d -p 8080:80 nginx
docker run -d -p 8080:80 nginx is correct: -d runs the container detached in the background and -p 8080:80 publishes host port 8080 to the container's port 80 (host:container order). The -p 80:8080 example reverses the mapping, -v is for volume mounts rather than port publishing, and docker start resumes an existing stopped container and does not accept run-time port mapping.
- An administrator must view the standard output logs of a running container named webapp managed by Podman. Which command shows those logs?
- Journalctl -u webapp
- Podman top webapp
- Podman logs webapp
- Podman inspect webapp
Correct answer: Podman logs webapp
podman logs webapp is correct because it displays the stdout and stderr streams captured from the container named webapp. podman inspect returns low-level JSON metadata about the container, podman top shows the running processes inside the container rather than its log output, and journalctl -u targets a systemd unit, which is not how a standalone container's application logs are retrieved.
- An administrator notices a runaway process owned by the user batch consuming excessive CPU and needs to lower its scheduling priority while it continues to run. Which command adjusts the priority of the already-running process with PID 4096?
- Nohup -n 10 4096
- Kill -STOP 4096
- Nice -n 10 4096
- Renice -n 10 -p 4096
Correct answer: Renice -n 10 -p 4096
renice -n 10 -p 4096 is correct because renice changes the nice value (scheduling priority) of an already-running process identified by its PID; a higher nice value means lower scheduling priority. nice sets the priority of a command at launch, not for an existing PID. kill -STOP suspends the process rather than reprioritizing it, and nohup runs a command immune to hangups and does not adjust priority of a running PID.
- A daemon must be reloaded so it re-reads its configuration file without dropping current client connections. Which systemctl subcommand is designed for this?
- Systemctl stop sshd
- Systemctl restart sshd
- Systemctl kill sshd
- Systemctl reload sshd
Correct answer: Systemctl reload sshd
systemctl reload sshd is correct because reload signals the service to re-read its configuration in place (typically via SIGHUP) without a full restart, preserving existing connections where the service supports it. restart fully stops and starts the service, dropping current sessions; stop simply terminates it; and kill sends a signal to the service's processes, which is not the intended graceful configuration reload.
- An administrator needs to verify which secondary groups the user devops currently belongs to. Which command displays the user's group memberships?
- Getent passwd devops
- Groups devops
- Groupadd devops
- Id -u devops
Correct answer: Groups devops
groups devops is correct because it lists all groups (primary and supplementary) that the user devops belongs to. groupadd creates a new group rather than reporting membership, getent passwd shows the account's passwd entry without an explicit group list, and id -u prints only the numeric user ID, not group memberships (id alone, or id devops, would show groups but the -u flag restricts output to the UID).
- An administrator must completely remove the user tempworker along with that user's home directory and mail spool in a single command. Which command does this?
- Userdel tempworker
- Usermod -r tempworker
- Deluser --keep tempworker
- Userdel -r tempworker
Correct answer: Userdel -r tempworker
userdel -r tempworker is correct because the -r flag removes the account and also deletes the user's home directory and mail spool. userdel without -r removes only the account entry, leaving the home directory behind. usermod -r is not a valid removal operation, and deluser --keep would explicitly preserve files rather than delete the home directory.
- An administrator wants to set password aging on the account jwilson so the password expires (must be changed) every 90 days. Which command sets the maximum password age?
- Passwd -x 90 jwilson
- Chage -m 90 jwilson
- Chage -M 90 jwilson
- Usermod -e 90 jwilson
Correct answer: Chage -M 90 jwilson
chage -M 90 jwilson is correct: the uppercase -M sets the maximum number of days a password remains valid, after which the user must change it. chage is the dedicated password-aging tool and -M is the canonical flag for maximum age. The lowercase -m in the distractor sets the minimum days between changes, not the expiry interval. usermod -e sets an account expiration date and expects a calendar date string, not a day count. passwd -x can also set the maximum age but it is the secondary tool for aging management, and the exam favors chage for this task.
- On a systemd host an administrator wants to prevent the bluetooth service from ever being started, even as a dependency of another unit. Which command enforces this?
- Systemctl disable bluetooth
- Systemctl stop bluetooth
- Systemctl reset-failed bluetooth
- Systemctl mask bluetooth
Correct answer: Systemctl mask bluetooth
systemctl mask bluetooth is correct because masking links the unit to /dev/null so it cannot be started manually or pulled in as a dependency by another unit. disable only removes the boot-time autostart symlinks, so the service can still be started on demand or by a dependency. stop merely halts it for the current session, and reset-failed just clears the failed state without preventing future starts.
- A new administrator asks what SELinux actually is and how it differs from standard Linux file permissions. Which description best characterizes SELinux?
- A Mandatory Access Control (MAC) system built into the kernel that confines processes to security policies using labels, going beyond the owner-based Discretionary Access Control of standard permissions
- A host-based intrusion detection daemon that scans the filesystem for rootkits and reports modified system binaries
- A package signature verification framework that checks GPG keys before installing RPMs
- A user-space firewall front end that translates simple zone names into netfilter rules
Correct answer: A Mandatory Access Control (MAC) system built into the kernel that confines processes to security policies using labels, going beyond the owner-based Discretionary Access Control of standard permissions
SELinux (Security-Enhanced Linux) is a Mandatory Access Control (MAC) system implemented in the Linux kernel that confines processes according to security policies based on labels (security contexts) such as user:role:type. This is fundamentally different from standard Linux permissions, which use Discretionary Access Control (DAC) where the file owner decides access. Even root-owned processes are constrained by SELinux policy. The rootkit-scanning description fits tools like rkhunter, and signature verification fits GPG/rpm, not SELinux.
- An administrator runs getenforce on a RHEL 9 server and it returns Permissive. The security team wants SELinux to actively block policy violations rather than just log them, but only temporarily until the next reboot for testing. Which command accomplishes this?
- Semanage permissive -a httpd_t
- Setenforce 1
- Setenforce 0
- Sed -i 's/SELINUX=permissive/SELINUX=disabled/' /etc/selinux/config
Correct answer: Setenforce 1
Running setenforce 1 (equivalent to setenforce Enforcing) switches SELinux from permissive to enforcing mode immediately and temporarily, without surviving a reboot, which is exactly what is needed for a test. In enforcing mode, accesses not allowed by policy are denied and logged; in permissive mode they are only logged. setenforce 0 would do the opposite (set permissive). Editing /etc/selinux/config changes the persistent boot default and cannot toggle disabled at runtime, and semanage permissive adds a single domain to permissive rather than switching the global mode.
- During a security review, a colleague asks how SELinux and AppArmor differ in the way they identify and confine resources. Which statement correctly distinguishes them?
- Both rely exclusively on filesystem pathnames and differ only in which distributions ship them
- SELinux applies policy based on security labels (contexts) attached to files and processes, while AppArmor applies policy based on filesystem pathnames in per-application profiles
- SELinux is a Discretionary Access Control system while AppArmor is a Mandatory Access Control system
- SELinux uses pathname-based profiles while AppArmor uses inode security labels stored in extended attributes
Correct answer: SELinux applies policy based on security labels (contexts) attached to files and processes, while AppArmor applies policy based on filesystem pathnames in per-application profiles
SELinux enforces Mandatory Access Control using security labels (contexts) stored in extended attributes and attached to processes and objects, whereas AppArmor enforces MAC using pathname-based profiles that name the files and capabilities each application may use. This is the core architectural difference: label-based versus path-based confinement. AppArmor (common on Ubuntu/SUSE) is generally considered easier to configure, while SELinux (common on RHEL/Fedora) is more granular. Both are MAC systems, so calling either DAC is incorrect.
- An administrator on a RHEL 9 server wants to know what firewalld is and how it organizes rules. Which description is accurate?
- A dynamically managed firewall daemon that groups network interfaces and sources into zones (such as public, home, and dmz) with different trust levels, using nftables as its backend by default
- A static rule editor that writes ordered chains directly and requires a service restart to drop and reload every rule on each change
- A kernel module that replaces netfilter to provide stateful packet inspection independent of iptables and nftables
- An Ubuntu-only simplified wrapper that exposes only allow and deny verbs without any concept of zones
Correct answer: A dynamically managed firewall daemon that groups network interfaces and sources into zones (such as public, home, and dmz) with different trust levels, using nftables as its backend by default
firewalld is a dynamically managed firewall daemon that organizes rules into zones such as public, home, work, internal, dmz, and trusted, each representing a trust level that interfaces or source addresses are assigned to. On RHEL 8+, Fedora 32+, and recent Debian/Ubuntu, firewalld uses nftables as its backend (older releases used iptables). Because it is dynamic, rule changes apply without flushing and reloading the entire ruleset. The Ubuntu-only zoneless wrapper description fits ufw, not firewalld.
- On an Ubuntu 24.04 server an administrator needs to allow inbound SSH quickly and asks whether to use ufw or raw iptables. Which statement best describes the relationship between ufw and iptables?
- Iptables is the high-level zone manager and ufw is the low-level rule syntax it compiles to
- Ufw and iptables are competing kernel modules, so only one can be loaded into netfilter at a time
- Ufw can only manage outbound rules while iptables is required for any inbound filtering
- Ufw is a simplified front end that generates rules for the kernel's netfilter engine (invoking iptables, which on modern Ubuntu uses the nftables kernel backend via iptables-nft), letting an admin run a command like ufw allow 22/tcp instead of writing the equivalent low-level iptables rule
Correct answer: Ufw is a simplified front end that generates rules for the kernel's netfilter engine (invoking iptables, which on modern Ubuntu uses the nftables kernel backend via iptables-nft), letting an admin run a command like ufw allow 22/tcp instead of writing the equivalent low-level iptables rule
ufw (Uncomplicated Firewall) is a user-friendly front end that translates simple commands such as ufw allow 22/tcp into the lower-level rules enforced by the kernel's netfilter framework. ufw works by invoking the iptables and ip6tables command-line tools; on modern Ubuntu (since 20.10) those iptables commands use the nftables kernel backend via iptables-nft, but ufw itself does not bypass iptables and call nftables directly. Both ufw and iptables are management interfaces to the same kernel engine, not competing kernel modules, and ufw handles inbound and outbound rules. The claim that iptables is a high-level zone manager describes firewalld instead.
- An administrator wants a backup script to run every 5 minutes. Which crontab entry accomplishes this?
- */5 * * * * /opt/scripts/backup.sh
- * */5 * * * /opt/scripts/backup.sh
- 0/5 0 0 0 0 /opt/scripts/backup.sh
- 5 * * * * /opt/scripts/backup.sh
Correct answer: */5 * * * * /opt/scripts/backup.sh
The correct entry is */5 * * * * /opt/scripts/backup.sh. A crontab line has five time fields (minute, hour, day-of-month, month, day-of-week) followed by the command; the */5 in the minute field is a step value meaning 'every fifth minute' (0, 5, 10, ... 55), so the job runs at clock-aligned 5-minute marks. The entry 5 * * * * would run only once per hour at minute 5, and * */5 * * * places the step in the hour field, running once per minute during every fifth hour rather than every 5 minutes.
- A new technician asks what a cron job is and where its schedule is stored. Which description is correct?
- A cron job is a one-time command queued for the next reboot via /etc/rc.local
- A cron job is a task the cron daemon runs automatically on a recurring schedule, defined in a crontab file
- A cron job is a background service started by systemctl that restarts failed daemons
- A cron job is a kernel thread that manages CPU scheduling for user processes
Correct answer: A cron job is a task the cron daemon runs automatically on a recurring schedule, defined in a crontab file
A cron job is a task the cron daemon runs automatically on a recurring schedule, defined in a crontab file. The crond service reads crontab files (user crontabs edited with crontab -e, plus system files like /etc/crontab and /etc/cron.d/) and executes the listed commands at the specified times. It is not a systemd service manager, not a kernel CPU scheduler, and a recurring schedule is unrelated to /etc/rc.local, which runs commands once at boot.
- An administrator must extract only the username (first colon-delimited field) from every line of /etc/passwd and also, in a separate task, replace all occurrences of 'tcp' with 'udp' in a config file. Which pairing of tools is the best fit?
- Grep for both tasks using capture groups
- Sed for the field extraction and awk for the substitution
- Awk for the field extraction and sed for the in-stream substitution
- Cut for the substitution and tr for the field extraction
Correct answer: Awk for the field extraction and sed for the in-stream substitution
The best fit is awk for the field extraction and sed for the substitution. awk is a field-aware processing language that splits each line on a delimiter, so awk -F: '{print $1}' /etc/passwd cleanly prints the first field; sed is a stream editor optimized for line-based find-and-replace, so sed 's/tcp/udp/g' performs the substitution. The reverse pairing is backwards, and grep only matches and filters lines rather than transforming or extracting fields.
- An administrator needs to find every line in /var/log/syssetup.log that contains the word 'error' while ignoring case, and also display the line number of each match. Which grep command does this?
- Grep -vc error /var/log/syssetup.log
- Grep -o --color error /var/log/syssetup.log
- Grep -lr error /var/log/syssetup.log
- Grep -in error /var/log/syssetup.log
Correct answer: Grep -in error /var/log/syssetup.log
The correct command is grep -in error /var/log/syssetup.log. The -i flag makes the match case-insensitive (matching error, Error, ERROR) and -n prefixes each matching line with its line number in the file. The -v flag inverts the match (showing non-matching lines) and -c only counts them, -l lists filenames rather than lines, and -o prints only the matched text without line numbers.
- An administrator writes a Bash loop to ping three hosts listed in a variable. Which for loop syntax correctly iterates over the list?
- For (host in web01 web02 web03) { ping -c 1 $host }
- Foreach host (web01 web02 web03); do ping -c 1 $host; done
- For host in web01 web02 web03; do ping -c 1 $host; done
- For host = web01 web02 web03 do ping -c 1 $host loop
Correct answer: For host in web01 web02 web03; do ping -c 1 $host; done
The correct syntax is for host in web01 web02 web03; do ping -c 1 $host; done. A Bash for loop uses the form 'for VAR in LIST; do COMMANDS; done', assigning each list item to VAR in turn and running the body. The brace-and-parentheses form is not valid Bash, foreach is a csh/tcsh construct rather than Bash, and the '=' assignment form with 'loop' is not Bash syntax.
- A script runs a command and the administrator checks $? immediately afterward, finding it holds the value 1. What does this most likely indicate?
- The command is still running as background job number 1
- The command succeeded but produced exactly one line of output
- The command was terminated by signal 1 (SIGHUP)
- The command failed; an exit code of 0 means success while any non-zero value (such as 1) signals an error
Correct answer: The command failed; an exit code of 0 means success while any non-zero value (such as 1) signals an error
An exit code of 1 most likely indicates the command failed. The special variable $? holds the exit status of the most recently executed command; by convention an exit code of 0 means success and any non-zero value indicates an error or failure, with 1 being the generic 'general error' code. It does not count output lines or job numbers, and signal-based termination is reported as 128 plus the signal number (a SIGHUP-killed process exits with 129), not 1.
- In a Bash script, which construct repeatedly executes a block of commands as long as a tested condition remains true?
- A case statement
- A select menu
- A trap handler
- A while loop
Correct answer: A while loop
A while loop repeatedly executes its body for as long as the tested condition returns a true (zero) exit status, re-evaluating the condition before each pass. A case statement chooses a single branch by pattern-matching a value rather than looping. select builds an interactive numbered menu, and trap registers handlers for signals; neither performs condition-based repetition.
- An administrator wants a Bash loop that keeps running until a service finally responds, stopping as soon as the condition becomes true. Which loop type is the most natural fit?
- A case loop that matches the service name
- A for loop iterating over a fixed numeric range
- A while loop with no condition at all
- An until loop, which runs while its condition is false and stops once it becomes true
Correct answer: An until loop, which runs while its condition is false and stops once it becomes true
An until loop is the natural fit because it executes its body as long as the condition is false and exits the moment the condition becomes true, which matches 'keep trying until the service responds.' A for loop over a fixed range cannot react to a runtime condition, an unconditioned while is not valid for this need, and case is a branch selector, not a loop.
- A script must take different actions depending on whether a variable named MODE equals start, stop, or restart, with a catch-all for anything else. Which Bash construct expresses this most cleanly?
- A case statement matching $MODE against patterns with a *) default branch
- A nested series of for loops
- A here-document redirected into the variable
- A single test command with the -e operator
Correct answer: A case statement matching $MODE against patterns with a *) default branch
A case statement is cleanest here because it matches the value of $MODE against listed patterns (start, stop, restart) and uses *) as the catch-all default branch, avoiding long if/elif chains. Nested for loops iterate rather than branch, the -e test checks file existence, and a here-document supplies multi-line input to a command rather than selecting actions.
- Inside an if statement, an administrator needs to check whether a regular file named /etc/app.conf exists before reading it. Which test expression is correct?
- If [ -d /etc/app.conf ]; then
- If [ -z /etc/app.conf ]; then
- If [ /etc/app.conf -eq 1 ]; then
- If [ -f /etc/app.conf ]; then
Correct answer: If [ -f /etc/app.conf ]; then
The expression [ -f /etc/app.conf ] is correct because the -f operator tests whether the path exists and is a regular file. The -d operator tests for a directory rather than a file, -z tests whether a string has zero length (it would treat the path as text, not check existence), and -eq is a numeric comparison that is invalid against a filename.
- A Bash script assigns COUNT=5 and then runs total=$((COUNT * 3)). What value does total hold afterward?
- An error, because Bash cannot multiply without bc
- The literal string COUNT * 3, because Bash does not multiply
- 5, because only the first operand is read
- 15, because $(( )) performs integer arithmetic expansion
Correct answer: 15, because $(( )) performs integer arithmetic expansion
total holds 15 because $(( )) is arithmetic expansion, which evaluates the enclosed integer expression and substitutes the numeric result, so 5 * 3 yields 15. Bash performs integer math natively through $(( )) without needing bc, and the expression is computed rather than left as a literal string or truncated to a single operand.
- A script references ${NAME:-guest}. What does this parameter expansion do?
- Substitutes the value of NAME, or the word guest if NAME is unset or empty, without changing NAME
- Permanently assigns guest to NAME and then substitutes it
- Removes the suffix guest from the value of NAME
- Treats NAME as an array and returns its guest element
Correct answer: Substitutes the value of NAME, or the word guest if NAME is unset or empty, without changing NAME
The ${NAME:-guest} form substitutes NAME's value when it is set and non-empty, or the default word guest when NAME is unset or empty, while leaving NAME itself unchanged. The := form (not :- ) would assign the default to the variable; suffix removal uses the % operator, and array element access uses bracket subscripts, neither of which applies here.
- In a script, an administrator writes today=$(date +%F) to capture the current date into a variable. What is this technique called?
- Brace expansion, which generates a list of strings
- Process substitution, which feeds output through a temporary file descriptor
- Tilde expansion, which resolves a home directory
- Command substitution, which captures a command's standard output into a variable
Correct answer: Command substitution, which captures a command's standard output into a variable
Writing variable=$(command) is command substitution: Bash runs the command, captures its standard output, strips trailing newlines, and assigns the result to the variable. Process substitution uses the <(...) or >(...) syntax to present output as a file, brace expansion generates string sequences like {a,b,c}, and tilde expansion resolves ~ to a home directory.
- A Bash script needs to know how many arguments were passed on its command line. Which special parameter provides that count?
Correct answer: $#
The special parameter $# holds the number of positional arguments passed to the script or function. $@ expands to the list of all the arguments themselves, $0 is the name the script was invoked as, and $! holds the process ID of the most recently backgrounded job, none of which report the argument count.
- A script defines a function and inside it declares a variable with local count=0. Why use local here?
- It exports the variable to all child processes
- It limits the variable's scope to the function so it does not overwrite a same-named variable in the caller
- It makes the variable read-only for the rest of the script
- It stores the variable on disk so it persists between runs
Correct answer: It limits the variable's scope to the function so it does not overwrite a same-named variable in the caller
Declaring local count=0 confines the variable to the function's scope, so assignments inside the function do not clobber any same-named variable used by the caller. Making a variable unchangeable requires readonly, exporting to child processes uses export, and Bash variables are never automatically persisted to disk.
- An administrator runs the pipeline: awk -F: '$3 >= 1000 {print $1}' /etc/passwd. What does this command output?
- The third colon-separated field of the first line only
- Every line of the file that contains the number 1000
- The total count of accounts in the file
- The login name of every account whose UID is 1000 or greater
Correct answer: The login name of every account whose UID is 1000 or greater
This prints the login name of every account whose UID is at least 1000, because -F: sets the field separator to a colon, $3 is the UID field, the pattern $3 >= 1000 selects matching lines, and {print $1} outputs the first field (the username). It is not a plain text match for 1000, does not stop at the first line, and does not count records.
- In an awk program, what is the purpose of a BEGIN block?
- It defines the field separator only for the final record
- It runs once before any input lines are read, often to initialize variables or print a header
- It runs for every input line that matches a pattern
- It runs once after the last input line is processed
Correct answer: It runs once before any input lines are read, often to initialize variables or print a header
A BEGIN block executes a single time before awk reads any input, making it the natural place to initialize counters or print a header row. The block that runs once after all input is consumed is END, per-line processing happens in pattern/action rules between them, and the field separator is normally set in BEGIN or via -F for the whole run, not just the last record.
- An administrator needs to delete every line containing the word DEBUG from a log before archiving it, printing the cleaned result to standard output. Which sed command does this?
- Sed 's/DEBUG//g' app.log
- Sed '/DEBUG/d' app.log
- Sed '1d' app.log
- Sed -n '/DEBUG/p' app.log
Correct answer: Sed '/DEBUG/d' app.log
sed '/DEBUG/d' selects every line matching the DEBUG pattern and applies the d (delete) command, so those lines are removed from the output stream while all others pass through. The s///g form would only blank the word DEBUG but keep the lines, -n with /DEBUG/p prints only the matching lines (the opposite), and 1d deletes just the first line regardless of content.
- A pattern must match either error or warning (whole alternatives) in a single grep invocation using extended regular expressions. Which command is correct?
- Grep -v 'error|warning' app.log
- Grep -F 'error|warning' app.log
- Grep -c 'error\|warning' app.log -o
- Grep -E 'error|warning' app.log
Correct answer: Grep -E 'error|warning' app.log
grep -E 'error|warning' is correct because -E enables extended regular expressions, where the unescaped pipe means alternation, matching lines containing either error or warning. The -F flag treats the pattern as a fixed literal string (so the pipe would not act as alternation), -v inverts the match to show non-matching lines, and the -c option only counts matches rather than displaying them.
- A developer runs git clone https://example.com/app.git. What does this command accomplish?
- It creates an empty new repository with no connection to any remote
- It uploads the current local commits to the remote server
- It copies the entire remote repository, including its history, into a new local directory and sets up a remote named origin
- It merges the remote's default branch into the current local branch
Correct answer: It copies the entire remote repository, including its history, into a new local directory and sets up a remote named origin
git clone downloads a full copy of the remote repository (all files plus the complete commit history) into a new local working directory and automatically configures a remote named origin pointing back to the source URL. Uploading local commits is git push, creating an empty repo is git init, and integrating a remote branch into the current one is git merge or git pull.
- After committing work on a feature branch, a developer wants to integrate those commits into main. Which sequence is correct?
- Git branch main, then git revert feature
- Git checkout main, then git merge feature
- Git stash main, then git push feature
- Git clone main, then git commit feature
Correct answer: Git checkout main, then git merge feature
The correct sequence is git checkout main to switch onto the receiving branch, then git merge feature to combine the feature branch's commits into main. git branch only creates a branch and git revert undoes commits; git clone copies a whole repository rather than switching branches; and git stash shelves uncommitted changes rather than integrating a branch.
- A bad commit was already pushed and shared with the team. The developer wants to undo its changes by creating a new commit that reverses them, preserving history. Which command is appropriate?
- Git reset --hard <commit>
- Git revert <commit>
- Git rebase -i <commit>
- Git checkout <commit>
Correct answer: Git revert <commit>
git revert <commit> creates a brand-new commit that applies the inverse of the targeted commit's changes, undoing its effect while leaving the existing history intact, which is the safe choice for commits already shared with others. git reset --hard rewrites history by discarding commits, git rebase -i also rewrites history, and git checkout merely moves the working tree to a commit without undoing anything.
- To avoid committing an API key, a developer should add the credentials file to which Git mechanism, and what is a key caveat?
- Run git secret, a built-in command that hides values
- Add it to .gitignore, but note that .gitignore only prevents tracking files not already committed
- Add it to the .git/config file, which excludes it from clones
- Add it to .gitattributes, which encrypts the file automatically
Correct answer: Add it to .gitignore, but note that .gitignore only prevents tracking files not already committed
Listing the credentials file in .gitignore tells Git not to track it, but the important caveat is that .gitignore has no effect on a file already tracked or committed, so a leaked secret must be removed from history separately. .gitattributes controls line endings and merge behavior rather than encryption, there is no built-in git secret command in core Git, and .git/config holds repository settings, not ignore rules.
- An administrator runs: docker run -d --name web -p 8080:80 nginx. What does the 8080:80 portion do?
- It maps host port 8080 to the container's port 80, so traffic to the host on 8080 reaches the container's web server
- It mounts host directory 8080 into container path 80
- It limits the container to 8080 megabytes of memory and 80 CPU shares
- It tells Docker to pull image version 8080.80
Correct answer: It maps host port 8080 to the container's port 80, so traffic to the host on 8080 reaches the container's web server
In docker run, -p 8080:80 publishes a port by mapping host port 8080 to container port 80, so requests arriving at the host on 8080 are forwarded to the service listening on port 80 inside the container. Memory limits use --memory, image versions are specified with a tag after a colon on the image name, and host directories are mounted with -v, not -p.
- Which docker run flag starts a container in the background (detached) so the shell prompt returns immediately?
Correct answer: -d
The -d (detach) flag runs the container in the background and returns the prompt right away, printing the container ID. The -it combination attaches an interactive terminal (the opposite of detaching), --rm automatically deletes the container when it stops, and -e sets an environment variable, none of which control foreground versus background execution.
- A team wants to persist a database container's data so it survives container removal, using storage that Docker fully manages rather than a specific host path. Which option should they use?
- An environment variable pointing at the data
- A named volume, created and managed by Docker (for example -v dbdata:/var/lib/mysql)
- The container's writable layer alone
- A bind mount tying the data to an arbitrary host directory
Correct answer: A named volume, created and managed by Docker (for example -v dbdata:/var/lib/mysql)
A named volume is the right choice because Docker creates and manages the storage location independently of the container, so the data persists even after the container is removed and is referenced by name rather than a host path. A bind mount maps a specific host directory (which the question rules out), the writable layer is discarded with the container, and an environment variable cannot store data.
- In a Dockerfile, what is the difference between the build context and the Dockerfile itself?
- They are identical; the build context is just another name for the Dockerfile
- The Dockerfile is sent to the registry while the build context stays local
- The Dockerfile lists the build instructions, while the build context is the set of files sent to the daemon that COPY and ADD can pull from
- The build context is the running container, and the Dockerfile is its log
Correct answer: The Dockerfile lists the build instructions, while the build context is the set of files sent to the daemon that COPY and ADD can pull from
The Dockerfile contains the ordered instructions (FROM, RUN, COPY, and so on), while the build context is the directory tree sent to the Docker daemon at build time, providing the files that COPY and ADD instructions can reference. They are not the same thing, the context is not a running container or a log, and images (not the Dockerfile) are what get pushed to a registry.
- An administrator on RHEL runs containers with Podman as a non-root user. What is a defining advantage of this rootless model over the traditional Docker daemon?
- It requires a long-running root daemon to schedule every container
- It stores all images in the kernel rather than on disk
- Containers run under the user's own UID without a central privileged daemon, reducing the attack surface
- It can only run a single container at a time
Correct answer: Containers run under the user's own UID without a central privileged daemon, reducing the attack surface
Podman's rootless model lets an unprivileged user run containers under their own UID with no central root-owned daemon, which shrinks the attack surface because a compromised container does not inherit daemon-level root. Podman is daemonless rather than requiring a privileged daemon, it can manage many containers and pods, and images are stored on disk in the user's storage area.
- Two containers on the same host must communicate by name (for example app reaching db). What is the recommended Docker approach?
- Map both containers to the same published host port
- Attach both containers to the same user-defined bridge network, which provides automatic DNS resolution by container name
- Run both in host network mode and use localhost exclusively
- Place both on the default bridge and rely on linking by IP only
Correct answer: Attach both containers to the same user-defined bridge network, which provides automatic DNS resolution by container name
Connecting both containers to a shared user-defined bridge network is recommended because Docker provides built-in DNS on such networks, letting one container reach another by its container name. Two containers cannot publish to the same host port simultaneously, the default bridge lacks automatic name resolution (the deprecated --link was needed), and host network mode removes isolation and does not give per-container names.
- In container terminology, what is a registry?
- The kernel namespace that isolates a container's processes
- A service that stores and distributes container images, such as Docker Hub or a private Quay instance
- A file inside the container that records environment variables
- The in-memory list of currently running containers on a host
Correct answer: A service that stores and distributes container images, such as Docker Hub or a private Quay instance
A registry is a service that stores and distributes container images, allowing clients to push images to it and pull them from it; Docker Hub and Quay are common examples, and organizations often run private registries. The list of running containers is shown by commands like docker ps, environment variables are not a registry, and process isolation is provided by kernel namespaces, a separate concept.
- A multi-container application needs the web tier scaled to three identical replicas with automatic restart if one dies. Which orchestration concept describes maintaining that desired number of running instances?
- Building a new image each time an instance crashes
- Maintaining a desired state with a defined replica count, which the orchestrator continuously reconciles
- Mounting a shared volume to duplicate the process
- Issuing a single docker run command and manually restarting failures
Correct answer: Maintaining a desired state with a defined replica count, which the orchestrator continuously reconciles
Orchestrators work on a desired-state model: you declare how many replicas should run, and the orchestrator continuously reconciles actual state to that target, automatically replacing instances that fail so the count stays correct. A single docker run with manual restarts is not orchestration, rebuilding the image does not restore a crashed instance, and sharing a volume does not duplicate or supervise processes.
- A colleague describes Ansible as idempotent. In the context of configuration management, what does idempotency mean?
- The playbook can only be executed once before it must be deleted
- Each run undoes the changes made by the previous run
- Every task always reports changed even when nothing was modified
- Running the same playbook repeatedly produces the same end state without making changes when the system already matches it
Correct answer: Running the same playbook repeatedly produces the same end state without making changes when the system already matches it
Idempotency means that applying the same configuration repeatedly converges on the same end state, so once the system matches the desired configuration, re-running the playbook makes no further changes and reports ok rather than changed. It does not reverse prior runs, is not limited to a single execution, and a well-written idempotent task reports changed only when it actually modifies something.
- Ansible is frequently called agentless and described as using a push model. What does that imply about how it reaches managed nodes?
- The control node connects out to managed hosts (typically over SSH) to push configuration, with no permanent agent installed on them
- Configuration is applied only by physically logging into each node
- A daemon must be installed on every managed node to pull configuration on a schedule
- Managed nodes poll a central server for changes every few minutes
Correct answer: The control node connects out to managed hosts (typically over SSH) to push configuration, with no permanent agent installed on them
Ansible's agentless push model means the control node initiates connections out to managed hosts (usually over SSH) and pushes the configuration when a playbook runs, so no persistent agent or daemon needs to be installed on the targets. Requiring a per-node daemon that polls a server describes a pull model like Puppet's, not Ansible, and the process is automated rather than manual.
- In an Ansible project, what is the role of the inventory file?
- It stores encrypted secrets used during a run
- It contains the ordered tasks and modules that configure the hosts
- It records the output and change status of the most recent run
- It lists the managed hosts and groups them so plays can target specific sets of machines
Correct answer: It lists the managed hosts and groups them so plays can target specific sets of machines
The inventory file defines the managed hosts and organizes them into groups, so a play can target a named group or pattern rather than individual addresses. The ordered tasks and modules live in a playbook, encrypted secrets are handled by Ansible Vault, and run results are shown in the command output rather than stored in the inventory.
- A CI/CD pipeline is configured so that every push to the main branch automatically builds the code, runs the test suite, and only proceeds to packaging if the tests pass. Which principle does the automatic build-and-test-on-every-push step embody?
- Container orchestration, where replicas are scaled to match demand
- Manual release gating, where a human approves each commit before any build
- Continuous integration, where code changes are merged and automatically validated frequently to catch problems early
- Infrastructure as code, where servers are provisioned from version-controlled definitions
Correct answer: Continuous integration, where code changes are merged and automatically validated frequently to catch problems early
Automatically building and testing on every push embodies continuous integration, the practice of merging changes frequently and validating each one through an automated build and test run so integration problems surface early. Infrastructure as code concerns provisioning servers from versioned definitions, manual gating is the opposite of this automation, and orchestration deals with scaling running containers rather than validating code commits.
- An administrator runs free -h on a server and sees that the used column is high but the available column also shows several gigabytes. The buff/cache column is large. What does the available value represent in this output?
- An estimate of memory that can be given to new applications without swapping, including reclaimable buffers and cache
- The total amount of swap space currently in use by the kernel
- The amount of memory that has never been touched by any process since boot
- The memory permanently locked by the kernel and unavailable to user processes
Correct answer: An estimate of memory that can be given to new applications without swapping, including reclaimable buffers and cache
The available column is an estimate of how much memory new applications can use without swapping, and it includes reclaimable memory from buffers and page cache. This is why a system can show a large buff/cache figure while still being healthy: the kernel uses spare RAM to cache disk data, but it releases that memory on demand. The free column (memory never used at all) is a poor health indicator because Linux deliberately fills unused RAM with cache.
- An administrator wants a quick, point-in-time summary of total, used, and available physical and swap memory in human-readable units, without watching it update continuously. Which command is the most direct choice?
- Free -h
- Uptime
- Du -sh /proc/meminfo
- Swapon --summary
Correct answer: Free -h
free -h prints a one-shot, human-readable summary of total, used, free, shared, buff/cache, and available memory for both RAM and swap. It reads the same kernel statistics found in /proc/meminfo but formats them into a concise table with units like Gi and Mi. uptime reports load averages rather than memory, and swapon --summary covers only swap devices, not total system RAM.
- On a server with a full root filesystem, df -h reports the partition is 100% used, but du -sh on every directory in that partition adds up to far less than the reported usage. What is the most likely cause?
- Df is reporting the wrong partition because of a stale /etc/mtab entry
- The du command is double-counting hard-linked files
- The filesystem journal has grown to consume the missing space permanently
- A process is still holding a deleted file open, so its blocks remain allocated
Correct answer: A process is still holding a deleted file open, so its blocks remain allocated
A process holding a deleted file open is the classic reason df and du disagree. When a file is removed with rm while still open, its directory entry vanishes so du no longer counts it, but the inode and data blocks stay allocated until the process closes the descriptor, so df still sees them as used. Running lsof +L1 or lsof | grep deleted identifies the offending process, and restarting it (or truncating the descriptor under /proc) frees the space.
- An administrator needs to find which subdirectories under /var are consuming the most disk space, sorted so the largest appears clearly. Which command is best suited to this task?
- Ls -lh /var
- Stat -f /var
- Df -h /var
- Du -h --max-depth=1 /var | sort -h
Correct answer: Du -h --max-depth=1 /var | sort -h
du -h --max-depth=1 /var produces a per-directory size summary one level deep, and piping it through sort -h orders those human-readable sizes numerically so the biggest consumers stand out. du measures actual space used by files and directories, which is exactly what disk-usage investigation needs. df -h reports free space for whole filesystems, not per-directory totals, and ls -lh shows individual file sizes without summing directory trees.
- After a newly attached USB storage controller fails to appear as a usable device, an administrator wants to review the kernel's hardware and driver messages, including those generated since the system booted. Which command displays the kernel ring buffer with human-readable timestamps?
- Tail /etc/rsyslog.conf
- Dmesg -T
- Lsblk -f
- Last -x
Correct answer: Dmesg -T
dmesg -T prints the kernel ring buffer with human-readable wall-clock timestamps instead of the default seconds-since-boot format, which is ideal for correlating hardware and driver events with the time a device was plugged in. The ring buffer is where the kernel records device probing, driver loading, and I/O errors. last reports user login history, and lsblk lists block devices but does not surface kernel driver messages.
- An administrator runs ps aux to investigate a runaway service. Which statement correctly describes what the columns in ps aux output show?
- It displays a continuously refreshing view of the top CPU consumers
- It shows all processes for all users with owner, PID, %CPU, %MEM, and the command
- It reports only processes attached to the controlling terminal of the current session
- It lists only the current shell's child processes with their nice values
Correct answer: It shows all processes for all users with owner, PID, %CPU, %MEM, and the command
ps aux shows a snapshot of all processes for all users (a selects all with a terminal, x adds those without one, u gives the user-oriented format), including the USER, PID, %CPU, %MEM, VSZ, RSS, STAT, and COMMAND columns. Because it is a one-time snapshot rather than a live display, it is well suited to scripting and grepping. A refreshing view of top consumers is what top provides instead.
- An administrator wants to find the single process consuming the most CPU at this moment and capture it for a script, without an interactive display. Which command accomplishes this?
- Kill -9 $(pgrep -n cpu)
- Renice +10 -p 1
- Ps -eo pid,pcpu,comm --sort=-pcpu | head
- Nice -n -20 top
Correct answer: Ps -eo pid,pcpu,comm --sort=-pcpu | head
ps -eo pid,pcpu,comm --sort=-pcpu lists every process with its PID, CPU percentage, and command, sorted in descending CPU order, so head returns the heaviest consumers in plain, scriptable text. The -e flag selects all processes and -o defines custom output columns. top is interactive and not scriptable in this form, while kill and renice act on processes rather than identifying the top CPU user.
- An administrator prefers an interactive process monitor that supports color, mouse scrolling, tree view, and killing a process by selecting it from the list. Compared with top, which tool provides these features and how does it relate to top?
- Atop, which replaces top automatically once the system is rebooted
- Htop, a more user-friendly interactive process viewer that is typically not installed by default
- Glances, which is the standard name that top is symlinked to on modern distributions
- Nmon, which only records performance data to a file and cannot kill processes
Correct answer: Htop, a more user-friendly interactive process viewer that is typically not installed by default
htop is an enhanced, interactive alternative to top offering color output, horizontal and vertical scrolling, mouse support, a tree view, and the ability to select and signal processes without typing a PID. The key practical distinction is that top is part of the procps package and is present on virtually every Linux system, whereas htop usually must be installed separately. Both read live process data, but htop's interface is considered more approachable.
- An administrator on a systemd-based server needs to review logs for a specific failed unit, filter to only the current boot, and show entries since one hour ago. What is journalctl and which invocation matches this need?
- Journalctl is a kernel module loader; journalctl --load nginx.service
- Journalctl is the query tool for the systemd journal; journalctl -u nginx.service -b --since "1 hour ago"
- Journalctl is a log-rotation utility; journalctl --rotate nginx.service
- Journalctl is a cron replacement; journalctl --schedule nginx.service -b
Correct answer: Journalctl is the query tool for the systemd journal; journalctl -u nginx.service -b --since "1 hour ago"
journalctl is the command used to query and display logs collected by systemd's journald service, which stores structured, indexed log data. The invocation journalctl -u nginx.service -b --since "1 hour ago" filters by unit (-u), restricts output to the current boot (-b), and limits entries to the last hour (--since), exactly matching the troubleshooting need. journalctl does not rotate logs, schedule jobs, or load kernel modules.
- A database server feels sluggish. An administrator runs vmstat 2 5 and notices the 'si' and 'so' columns consistently show large nonzero values while the 'wa' column is also high. What does this combination most strongly indicate?
- The CPU is spending most of its time in user-space computation with no I/O involved
- The system is heavily swapping pages between RAM and disk, and the resulting disk activity is causing processes to wait on I/O
- The filesystem is read-only and rejecting all write attempts
- The network interface is dropping packets faster than the kernel can buffer them
Correct answer: The system is heavily swapping pages between RAM and disk, and the resulting disk activity is causing processes to wait on I/O
Large nonzero si (swap-in) and so (swap-out) values mean the system is actively paging memory to and from the swap device, and the high wa (I/O wait) reflects CPU time stalled waiting for that disk activity to finish. Together they point to memory pressure forcing the kernel to use swap, which is far slower than RAM and drags down overall responsiveness. The us and sy columns track CPU computation rather than paging, and vmstat does not report network packet drops or read-only filesystem state.
- While diagnosing slow writes on a server with several disks, an administrator wants per-device statistics showing utilization percentage and average wait time, refreshing every two seconds. Which command provides this?
- Iostat -x 2
- Uptime -p
- Du -x 2 /
- Df -i 2
Correct answer: Iostat -x 2
iostat -x 2 reports extended per-device I/O statistics, including the %util column (how busy each device is) and await (average time requests wait), refreshing every two seconds when given an interval. The extended (-x) output is what reveals whether a specific disk is saturated. df -i reports inode counts rather than throughput, du measures directory space, and uptime only shows load averages, none of which expose per-device service times.
- An administrator needs to list all listening TCP ports along with the owning process name and PID, without performing slow DNS lookups. Which command is the correct modern choice?
- Arp -a
- Route -n
- Ss -tlnp
- Host -t ns localhost
Correct answer: Ss -tlnp
ss -tlnp lists listening (-l) TCP (-t) sockets with numeric addresses and ports (-n, which also avoids DNS resolution) and the process (-p) holding each socket. ss is the modern replacement for the older netstat and reads kernel socket data quickly. arp -a shows the ARP cache, route -n shows the routing table, and host queries DNS records, none of which map listening ports to processes.
- Users report that a website loads when accessed by IP address but fails when accessed by hostname. An administrator suspects name resolution. Which command best tests whether a specific DNS record resolves and shows which server answered?
- Ss -s
- Mtr www.example.com
- Dig www.example.com
- Ethtool eth0
Correct answer: Dig www.example.com
dig www.example.com queries DNS and prints the answer section with the resolved records plus a SERVER line identifying which resolver responded, making it the right tool to confirm a hostname resolves correctly. Because the site works by IP but not by name, the problem is almost certainly DNS, which dig isolates directly. mtr traces network paths, ethtool shows link-layer NIC settings, and ss -s summarizes socket statistics, none of which reveal DNS answers.
- An administrator must capture only DNS traffic (UDP port 53) arriving on interface eth0 and write it to a file for later analysis. Which tcpdump invocation is correct?
- Tcpdump -i eth0 -r dns.pcap port 80
- Tcpdump --rotate eth0 53
- Tcpdump -i eth0 -c all tcp 53
- Tcpdump -i eth0 udp port 53 -w dns.pcap
Correct answer: Tcpdump -i eth0 udp port 53 -w dns.pcap
tcpdump -i eth0 udp port 53 -w dns.pcap captures packets on eth0 (-i), filters to UDP traffic on port 53 using the capture-filter expression, and writes raw packets to a file with -w for later analysis. The -r flag reads an existing capture rather than writing one, so it cannot create the file, and the other options use flags and syntax that tcpdump does not accept.
- A network interface shows an IP address with ip addr but cannot reach any host on its subnet. Running ip link reveals the line 'state DOWN' for that interface. What is the most appropriate next action?
- Reformat the filesystem to clear corrupted network configuration
- Flush the DNS cache because resolution is failing
- Increase the system swappiness value to free network buffers
- Bring the interface up administratively with ip link set <iface> up
Correct answer: Bring the interface up administratively with ip link set <iface> up
Bringing the interface up with ip link set <iface> up is correct because state DOWN means the link is administratively disabled, so no traffic can flow even though an address is assigned. Enabling the link is the direct fix for that condition. The symptom is a link-state problem, not name resolution, so flushing DNS does nothing, and reformatting a filesystem or changing swappiness are unrelated to interface state.
- After editing /etc/fstab to add a new data partition, a server fails to finish booting and drops to an emergency shell. What is the most likely cause and the safest first diagnostic step?
- The root password expired, so the account must be unlocked from another machine
- The CPU governor switched to powersave, halting the boot sequence
- The kernel was deleted from /boot, so reinstalling the entire distribution is required
- A bad or unmountable /etc/fstab entry blocked the boot; review the entry and the journal, then remount the root filesystem read-write to correct it
Correct answer: A bad or unmountable /etc/fstab entry blocked the boot; review the entry and the journal, then remount the root filesystem read-write to correct it
A bad /etc/fstab entry is the classic cause of an emergency-shell boot after editing that file, because systemd cannot satisfy the mount and fails the boot. The safe first step is to inspect the offending line and the journal, then remount root read-write (mount -o remount,rw /) so the file can be corrected. A missing kernel produces a bootloader-level failure rather than an fstab mount error, and password expiry or CPU governor settings do not stop the boot at the mount stage.
- A systemd service refuses to start. Running systemctl status myapp.service shows 'Active: failed' and a 'Result: exit-code' line. Which command gives the most detailed application log output to determine why it exited?
- Sysctl -a
- Crontab -l
- Journalctl -u myapp.service -e
- Lsblk -f
Correct answer: Journalctl -u myapp.service -e
journalctl -u myapp.service -e shows the full journal entries for that specific unit and jumps to the end (-e) where the most recent failure messages and the service's own stderr output appear, which is where the exit reason is recorded. systemctl status only shows the last few lines, so journalctl reveals the complete context. crontab lists scheduled jobs, lsblk lists block devices, and sysctl prints kernel parameters, none of which contain the service's failure log.
- A user reports that running a script returns 'Permission denied' even though they own the file and it contains valid commands. ls -l shows -rw-r--r-- for the script. What is the most likely cause?
- SELinux is disabled, which blocks all script execution
- The execute bit is not set, so the file must be made executable or run through the interpreter explicitly
- The file is owned by root and cannot be read by anyone else
- The disk is full, preventing the script from loading
Correct answer: The execute bit is not set, so the file must be made executable or run through the interpreter explicitly
The missing execute bit is the cause: -rw-r--r-- grants read and write to the owner and read to others but no execute permission for anyone, so the kernel refuses to run it directly. Adding execute with chmod +x, or invoking it as bash script.sh, resolves the error. The owner can already read the file, a full disk produces different errors, and SELinux being disabled would not block ordinary execution; in fact enforcing mode is what adds restrictions.
- A web server process cannot write to /var/www/html even though standard file permissions appear correct, and the audit log shows 'avc: denied' messages. SELinux is in enforcing mode. Which command identifies whether the file's SELinux type is the cause?
- Ls -Z /var/www/html
- Stat --format=%a /var/www/html
- Getfacl /var/www/html
- Mount | grep www
Correct answer: Ls -Z /var/www/html
ls -Z /var/www/html displays the SELinux security context, including the type label, which is exactly what determines whether the web server domain is allowed to write there; an 'avc: denied' message points to an SELinux type mismatch rather than a classic permission problem. getfacl shows POSIX access control lists, stat shows the octal mode bits, and mount shows mount options, none of which reveal the SELinux context that is being denied.
- On a busy server, an administrator runs uptime and sees load averages of 24.0, 18.5, 6.2 on a machine with 8 CPU cores. How should these numbers be interpreted?
- The system is heavily overloaded, with far more runnable or uninterruptible processes than cores, and the high recent figure shows the pressure is increasing
- The numbers are memory usage percentages, indicating the server has plenty of free RAM
- Load average measures network throughput in megabits per second
- The system is idle because all three numbers are below the 100 percent threshold
Correct answer: The system is heavily overloaded, with far more runnable or uninterruptible processes than cores, and the high recent figure shows the pressure is increasing
On an 8-core machine, a one-minute load average of 24.0 means roughly three times as many processes are competing for or waiting on CPU and I/O as there are cores, so the system is heavily overloaded. The descending sequence (24.0 most recent, 6.2 fifteen-minute) shows the load is climbing, not easing. Load average counts runnable plus uninterruptible processes, not a 0-100 percentage, memory usage, or network throughput.
- A service that worked yesterday now fails immediately on start. The administrator wants to see only error-priority and worse messages from the journal for the current boot. Which command filters by message priority correctly?
- Journalctl --severe -b
- Journalctl -b --grep=error-only
- Journalctl -p high -b
- Journalctl -b -p err
Correct answer: Journalctl -b -p err
journalctl -b -p err restricts output to the current boot (-b) and to messages at the 'err' priority level and higher (-p err includes err, crit, alert, and emerg), which is the standard way to surface only serious failures. The journal uses syslog priority keywords, so 'err' is valid while 'high' and 'severe' are not recognized priority names, and there is no --grep=error-only filter of that form.
- An administrator tries to mount a newly created ext4 partition and receives 'mount: wrong fs type, bad option, bad superblock'. The device exists and is healthy. Which command best confirms the actual filesystem type so the correct type can be specified or repaired?
- Nproc
- Blkid /dev/sdb1
- Free -m
- Hostnamectl
Correct answer: Blkid /dev/sdb1
blkid /dev/sdb1 reads the device's metadata and reports its filesystem type and UUID, which is the quickest way to confirm whether the partition really holds ext4 or something else that the mount command misidentified. Knowing the true type lets the administrator pass the right -t value or run the matching fsck tool. free reports memory, nproc reports CPU count, and hostnamectl reports system identity, none of which inspect filesystem metadata.
- A system boots but hangs for about 90 seconds before reaching the login prompt. The administrator suspects a slow-starting unit and wants to see how long each unit took to initialize. Which command provides a per-unit startup time breakdown?
- Systemd-analyze blame
- Systemctl daemon-reload
- Dmesg --clear
- Journalctl --vacuum-time=1d
Correct answer: Systemd-analyze blame
systemd-analyze blame lists every unit that ran during boot ordered by the time it took to initialize, which directly exposes a unit responsible for a long delay. This is the standard tool for diagnosing slow boots under systemd. systemctl daemon-reload only re-reads unit files, dmesg --clear empties the kernel ring buffer, and journalctl --vacuum-time prunes old logs, none of which report per-unit boot timing.
- A server randomly kills a large in-memory process during traffic spikes. Reviewing dmesg, the administrator finds lines containing 'Out of memory: Killed process'. Beyond adding RAM, which kernel-level adjustment can protect a critical process from being chosen as the victim?
- Lower the process's OOM score by writing a negative value to /proc/<pid>/oom_score_adj
- Set the process nice value to +19 with renice
- Run the process under nohup so it ignores the kill
- Disable the swap partition with swapoff to give the process priority
Correct answer: Lower the process's OOM score by writing a negative value to /proc/<pid>/oom_score_adj
Writing a negative value to /proc/<pid>/oom_score_adj lowers the process's out-of-memory score so the kernel's OOM killer is less likely to select it when memory is exhausted, which is the supported way to shield a critical service. Nice values affect CPU scheduling, not OOM selection; disabling swap actually makes memory exhaustion more likely; and nohup only ignores SIGHUP on terminal hangup, not the SIGKILL the OOM killer sends.
- An administrator needs to verify two-way connectivity and identify exactly which hop along the path to a remote server is introducing high latency, combining a continuous traceroute with live ping statistics. Which tool is purpose-built for this?
- Nslookup remote.example.com
- Mtr remote.example.com
- Cat /proc/loadavg
- Tune2fs -l /dev/sda1
Correct answer: Mtr remote.example.com
mtr remote.example.com combines traceroute and ping into a continuously updating display that shows each hop along the route together with packet loss and latency per hop, making it ideal for pinpointing where latency is introduced. nslookup only resolves names, /proc/loadavg reports system load, and tune2fs shows ext filesystem parameters, none of which measure per-hop network latency.
- A disk-related error appears in the logs and the administrator wants to check the drive's SMART health attributes, such as reallocated sector count, to decide whether the disk is failing. Which command queries this data?
- Smartctl -a /dev/sda
- Fdisk -l /dev/sda
- Sync
- Echo 3 > /proc/sys/vm/drop_caches
Correct answer: Smartctl -a /dev/sda
smartctl -a /dev/sda reads the drive's SMART self-monitoring attributes, including reallocated sector count and overall health assessment, which is exactly the data needed to judge whether a disk is failing. fdisk -l only lists the partition table, sync flushes write buffers, and writing to drop_caches clears the page cache, none of which report hardware health indicators.
- An administrator changed a setting in /etc/systemd/system/myapp.service but restarting the service still uses the old configuration. What step was most likely skipped?
- Clearing the kernel ring buffer with dmesg -C
- Rebooting into single-user mode to apply the change
- Running fsck on the root filesystem to commit the file edit
- Reloading the systemd manager configuration with systemctl daemon-reload so the edited unit file is re-read
Correct answer: Reloading the systemd manager configuration with systemctl daemon-reload so the edited unit file is re-read
systemctl daemon-reload was the skipped step: systemd caches unit definitions in memory, so after editing a .service file the manager must reload its configuration before a restart picks up the new content. Without it, restarting the service reuses the stale cached definition. A reboot would also reload units but is unnecessary, while fsck and clearing the ring buffer have nothing to do with systemd re-reading unit files.