Red Hat Certified System Administrator (RHCSA, EX200-style) Practice Exam

Validates core Red Hat Enterprise Linux administration — file systems, users/permissions, SELinux, services, and storage.

Practice 1,495 exam-style Red Hat Certified System Administrator (RHCSA, EX200-style) questions with full answer explanations, then take timed mock exams that score like the real thing.

Practice questions: 1,495
On the real exam: 60
Passing score: 700
Exam length: 120 min

Free Red Hat Certified System Administrator (RHCSA, EX200-style) sample questions

A sample of 10 questions with answers and explanations.

  1. Question 1: Operate Running Systems

    Which command shows the systemd boot target / default target on RHEL?

    • A. systemctl get-default (Correct)
    • B. chmod default
    • C. ls /default
    • D. ping default
    ✓ Correct answer: A

    The systemctl get-default command displays the currently configured default target (boot goal) in systemd, which controls what services and facilities the system initializes during startup. This is the standard RHEL method for viewing the persistent default target setting across reboots.

    Why the other options are wrong
    • B. chmod default is incorrect because chmod modifies file permissions, not systemd targets.
    • C. ls /default is incorrect because /default is not a valid directory or systemd interface; systemd targets are defined in /etc/systemd/system/ and /lib/systemd/system/.
    • D. ping default is incorrect because ping is a network connectivity diagnostic tool unrelated to systemd target management.
  2. Question 2: Manage Security

    To meet a hardening requirement, an automation account must authenticate over SSH using only a key whose private half is encrypted, and the public key must be restricted to running a single forced command. Where do you specify that forced command for the key on the server?

    • A. In ForceCommand globally in /etc/ssh/sshd_config for all users
    • B. As a command="..." option prefixing the key entry in ~/.ssh/authorized_keys (Correct)
    • C. By setting PermitUserEnvironment yes
    • D. In the client's ~/.ssh/config under Host
    ✓ Correct answer: B

    The command option in authorized_keys restricts the key to executing a single forced command. This is set on the server side in the authorized_keys file.

    Why the other options are wrong
    • A. In ForceCommand globally in /etc/ssh/sshd_config for all users is incorrect because this applies globally, not per-key.
    • C. By setting PermitUserEnvironment yes is incorrect because this allows user environment configuration.
    • D. In the client's ~/.ssh/config under Host is incorrect because the client config does not restrict commands.
  3. Question 3: Deploy and Manage Software

    You need to install the Apache HTTP Server package on RHEL 9 along with all of its dependencies. Which command accomplishes this?

    • A. dnf install httpd (Correct)
    • B. rpm -i httpd
    • C. dnf download httpd
    • D. dnf reinstall httpd
    ✓ Correct answer: A

    The dnf install command queries the configured repositories, resolves the full dependency tree for httpd, downloads the package plus every required dependency, and installs them in the correct order. DNF automatically pulls dependencies from enabled repos, which is the standard RHEL 9 method for installing software. The package is committed to the RPM database so it can later be queried, updated, or removed cleanly.

    Why the other options are wrong
    • B. rpm -i httpd is incorrect because rpm operates on local .rpm files only and does not resolve or fetch dependencies; passing a bare name like 'httpd' fails since rpm expects a file path and would report no such file.
    • C. dnf download httpd is incorrect because the download plugin only retrieves the .rpm file to the current directory without installing it or its dependencies.
    • D. dnf reinstall httpd is incorrect because reinstall requires the package to already be installed and simply re-applies the same version, failing if httpd is not present.
  4. Question 4: Operate Running Systems

    A colleague claims you can recover the root password by booting with 'systemd.unit=emergency.target'. Why is this NOT a viable way to reset a forgotten root password on a default RHEL 9 system?

    • A. emergency.target runs sulogin, which requires the existing root password before granting a shell. (Correct)
    • B. emergency.target refuses to mount the root filesystem, so passwd cannot run.
    • C. emergency.target only works on UEFI systems and ignores BIOS hosts.
    • D. emergency.target automatically relabels SELinux and locks the shadow file.
    ✓ Correct answer: A

    Like rescue.target, emergency.target starts sulogin as its maintenance shell handler, and sulogin prompts for the current root password before it will provide a root shell. Since you do not know the root password, you cannot get the shell, making emergency mode useless for password recovery. The rd.break or init=/bin/bash methods work precisely because they bypass sulogin.

    Why the other options are wrong
    • B. emergency.target refuses to mount the root filesystem, so passwd cannot run is incorrect because emergency.target does mount the root filesystem read-only; the blocker is sulogin's password prompt, not the mount.
    • C. emergency.target only works on UEFI systems and ignores BIOS hosts is incorrect because emergency.target functions identically on BIOS and UEFI systems.
    • D. emergency.target automatically relabels SELinux and locks the shadow file is incorrect because emergency mode neither relabels SELinux nor locks /etc/shadow.
  5. Question 5: Operate Running Systems

    You want rsync to show progress for each file and perform a trial run that reports what WOULD be transferred without actually copying anything. Which option provides the dry-run behavior?

    • A. --dry-run (or -n) (Correct)
    • B. --progress-only
    • C. --simulate
    • D. --no-transfer
    ✓ Correct answer: A

    The rsync --dry-run option, abbreviated -n, makes rsync perform all the comparison and decision logic and report exactly which files would be transferred, created, or deleted, without writing any data to the destination. It is the standard way to preview a sync (especially when --delete is involved) before committing to the real transfer. Combining it with -v or --progress shows the intended actions.

    Why the other options are wrong
    • B. --progress-only is incorrect because rsync has no --progress-only option; --progress shows transfer progress but does not suppress the actual copy.
    • C. --simulate is incorrect because --simulate is not a valid rsync option name.
    • D. --no-transfer is incorrect because rsync does not recognize --no-transfer; a preview is done with --dry-run/-n.
  6. Question 6: Local Storage and File Systems

    You extended /dev/vg0/lv0 and then ran resize2fs /dev/vg0/lv0, but it printed "resize2fs: Bad magic number in super-block while trying to open /dev/vg0/lv0". The volume holds a working filesystem. What is the most likely cause?

    • A. The filesystem is XFS, so resize2fs cannot read its superblock and xfs_growfs must be used instead (Correct)
    • B. The LV path is wrong and should be /dev/mapper/vg0/lv0
    • C. resize2fs requires the filesystem to be unmounted to read the superblock
    • D. The volume group must be deactivated before resize2fs can run
    ✓ Correct answer: A

    resize2fs only understands ext2/3/4 superblocks; when pointed at an XFS volume it cannot find a valid ext superblock and reports a bad magic number. The correct tool for an XFS filesystem is xfs_growfs against the mount point. Confirming the type with blkid or lsblk -f reveals it is XFS.

    Why the other options are wrong
    • B. The LV path is wrong and should be /dev/mapper/vg0/lv0 is incorrect because the canonical device-mapper path is /dev/mapper/vg0-lv0 (with a hyphen) and the /dev/vg0/lv0 symlink is valid; the error is about filesystem type, not the path.
    • C. resize2fs requires the filesystem to be unmounted to read the superblock is incorrect because resize2fs can read and grow a mounted ext filesystem; mounting state does not cause a bad-magic error.
    • D. The volume group must be deactivated before resize2fs can run is incorrect because deactivating the VG would unmount and disable the device entirely, and is never required to resize a filesystem.
  7. Question 7: Users and Groups

    You must create the system account 'prometheus' (UID below 1000, no aging, normally no home directory) used to run a monitoring daemon. Which command best follows RHEL conventions?

    • A. useradd -r -s /sbin/nologin prometheus (Correct)
    • B. useradd -m -s /bin/bash prometheus
    • C. useradd -u 0 prometheus
    • D. useradd -k -s /sbin/nologin prometheus
    ✓ Correct answer: A

    The -r (or --system) option creates a system account whose UID is drawn from the system range (typically below 1000, governed by SYS_UID_MIN/SYS_UID_MAX in /etc/login.defs), disables password aging, and does not create a home directory by default. Combining it with -s /sbin/nologin ensures the daemon account cannot be used for interactive login. This is the conventional pattern for service accounts on RHEL.

    Why the other options are wrong
    • B. useradd -m -s /bin/bash prometheus is incorrect because it creates a regular UID with a home directory and an interactive Bash shell, which is inappropriate for an unattended service account.
    • C. useradd -u 0 prometheus is incorrect because UID 0 is reserved for root; assigning it to another account creates a second superuser, a serious security problem.
    • D. useradd -k -s /sbin/nologin prometheus is incorrect because -k only selects a skeleton directory and is meaningless without -m; it does not produce a system account.
  8. Question 8: Users and Groups

    A new regular file should NOT inherit any execute permission by default even when umask permits it. Why does a file created with 'touch' never receive execute permission from the umask alone?

    • A. Files are created from a base mode of 666, so no execute bits exist to be masked off (Correct)
    • B. The umask always forces execute bits to zero on files
    • C. touch explicitly strips execute bits after creating the file
    • D. SELinux removes execute permission from all new files
    ✓ Correct answer: A

    When a process creates a regular file, the kernel uses a base (maximum) mode of 0666, which already excludes execute permission for all classes. The umask can only remove bits that are present in the base mode, so since execute is absent from 666, no umask value can grant it. Directories differ because they use a base of 0777, which is why directories can receive execute (search) permission while files cannot via creation.

    Why the other options are wrong
    • B. The umask always forces execute bits to zero on files is incorrect because the umask does not 'force' bits to zero; it simply cannot add bits that the 0666 base mode never contained.
    • C. touch explicitly strips execute bits after creating the file is incorrect because touch does not modify permissions after creation; the absence of execute comes from the 0666 base mode used by the system call.
    • D. SELinux removes execute permission from all new files is incorrect because SELinux applies security contexts and type enforcement, not standard rwx permission bits, and is unrelated to this behavior.
  9. Question 9: Deploy and Manage Software

    A RHEL 9 host has the nginx module disabled. Before you can enable or install any nginx stream, you must clear the disabled state so that the default stream becomes selectable again. Which command resets the module to its initial undefined state?

    • A. dnf module reset nginx (Correct)
    • B. dnf module enable nginx
    • C. dnf module remove nginx
    • D. dnf module purge nginx
    ✓ Correct answer: A

    The 'dnf module reset' subcommand returns a module to its initial, unspecified state, clearing any prior enable or disable decision so the default stream is once again eligible for selection. This is the correct first step when a module was previously disabled and you now want to enable or install one of its streams. Reset does not install or remove any packages; it only erases the recorded stream/enabled state in the module metadata.

    Why the other options are wrong
    • B. dnf module enable nginx is incorrect because enabling a module that is currently disabled will fail or require a stream, and reset is the documented way to clear a disabled state first.
    • C. dnf module remove nginx is incorrect because remove uninstalls a module's profile packages and does not clear a disabled state.
    • D. dnf module purge nginx is incorrect because 'purge' is not a valid dnf module subcommand.
  10. Question 10: Deploy and Manage Software

    You must display detailed metadata for a single installed flatpak application, including its application ID, runtime, branch, commit, and installed size. Which command shows this for org.libreoffice.LibreOffice?

    • A. flatpak info org.libreoffice.LibreOffice (Correct)
    • B. flatpak list org.libreoffice.LibreOffice
    • C. flatpak show org.libreoffice.LibreOffice
    • D. flatpak status org.libreoffice.LibreOffice
    ✓ Correct answer: A

    The info subcommand displays detailed metadata for one installed reference, including the application ID, the runtime it uses, the branch, the deployed commit hash, the origin remote, and the installed size. This is the correct way to inspect the specifics of a single installed flatpak. By contrast, list gives a summary table across all installed references.

    Why the other options are wrong
    • B. flatpak list org.libreoffice.LibreOffice is incorrect because list produces a summary of installed references and is not intended to show full per-application metadata for one ID.
    • C. flatpak show org.libreoffice.LibreOffice is incorrect because flatpak has no show subcommand.
    • D. flatpak status org.libreoffice.LibreOffice is incorrect because flatpak has no status subcommand.

Red Hat Certified System Administrator (RHCSA, EX200-style) practice exam FAQ

How many questions are in the Red Hat Certified System Administrator (RHCSA, EX200-style) practice exam on CertGrid?

CertGrid has 1,495 practice questions for Red Hat Certified System Administrator (RHCSA, EX200-style), covering 5 exam domains. The real Red Hat Certified System Administrator (RHCSA, EX200-style) exam has about 60 questions.

What is the passing score for Red Hat Certified System Administrator (RHCSA, EX200-style)?

The Red Hat Certified System Administrator (RHCSA, EX200-style) exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official Red Hat Certified System Administrator (RHCSA, EX200-style) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of Red Hat Certified System Administrator (RHCSA, EX200-style), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice Red Hat Certified System Administrator (RHCSA, EX200-style) for free?

Yes. You can start practicing Red Hat Certified System Administrator (RHCSA, EX200-style) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.