Linux Foundation Certified System Administrator (LFCS) Study Guide
The Linux Foundation Certified System Administrator (LFCS) is a hands-on, performance-based exam that validates the day-to-day skills of an entry- to mid-level Linux administrator: managing users and permissions, configuring networking and storage, operating running systems with systemd, and using essential shell commands. You work in a live terminal for 120 minutes, need 660/1000 to pass, and the tasks are practical (configure this service, fix this mount, grant that access) rather than multiple-choice. It suits sysadmins, DevOps engineers, and support staff who manage Linux servers.
Domain 1: Essential Commands
- Permission mode 754 means owner rwx, group r-x, others r--; chmod accepts octal (chmod 755 file) or symbolic notation (chmod u=rwx,go=rx file or chmod g+s dir).
- chown changes the user owner (and group with user:group syntax); only root can give a file to another user, while a regular owner may only change a file's group to one they belong to.
- The setuid bit (chmod u+s, shown as 's' in the owner execute position) makes an executable run with the file owner's privileges, which is how unprivileged users run tools like passwd.
- The setgid bit on a directory (chmod g+s or chmod 2770) makes new files inside inherit the directory's group rather than the creator's primary group, which is key for shared project directories.
- The sticky bit on a directory (chmod 1770 or +t, as on /tmp) lets users delete only their own files, preventing one user from removing another's files in a shared writable directory.
- setfacl -m u:bob:rw file grants user bob read/write via POSIX ACLs beyond standard owner/group/other bits; getfacl displays them and the mode string shows a trailing '+' when ACLs are present.
- find supports rich tests and actions: find /var -type f -size +100M finds large files, and find . -type f -print0 | xargs -0 ... safely handles filenames with spaces using null delimiters.
- ln -s target linkname creates a symbolic link that can point across filesystems and to directories; hard links (ln without -s) share the same inode and cannot cross filesystems.
- tar bundles directories and chooses compression: tar -czf for gzip, -cJf for xz, or tar --use-compress-program='xz -9' for maximum xz compression; tar -tf lists contents without extracting.
- sed -i 's/foo/bar/g' file edits in place replacing all occurrences per line; awk '{print $3}' prints the third whitespace-separated field and supports BEGIN/END blocks for counters.
- Run a command with elevated privileges via sudo according to /etc/sudoers; sudo logs each invocation and avoids sharing the root password, supporting least-privilege administration.
- time <command> reports real (wall-clock), user (CPU in user space), and sys (CPU in kernel) time, helping characterize whether a job is CPU- or wait-bound.
- For long jobs that must survive logout, start them in tmux/screen or with nohup cmd & and use nice -n 19 to lower CPU scheduling priority (renice adjusts a running process).
- rsync -a preserves permissions/ownership/timestamps recursively; --partial resumes interrupted transfers and rsync uses a delta algorithm over SSH to send only changed blocks.
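The permission bits covered in this list, as an added shell example that is not part of the original guide: it decodes octal modes and audits a directory tree for setuid/setgid files and for world-writable directories that lack the sticky bit. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the study guide. The sample tree is constructed.

# Decode an octal mode (754, 2770, ...) into special bits plus the rwx string.
decode_mode() {
    m=$((0$1)); out=""                       # leading 0: parse as octal
    [ $((m & 04000)) -ne 0 ] && out="${out}setuid "
    [ $((m & 02000)) -ne 0 ] && out="${out}setgid "
    [ $((m & 01000)) -ne 0 ] && out="${out}sticky "
    for s in 6 3 0; do                       # owner, group, others
        b=$(( (m >> s) & 7 ))
        [ $((b & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((b & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((b & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# Regular files carrying setuid (4000) or setgid (2000): each runs with its
# owner's or group's privileges, so every hit should be an expected one.
find_special_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# World-writable directories without the sticky bit (1000): any user can
# delete another user's files there.
find_unsafe_shared_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | sort
}

# Constructed sample tree (hypothetical names) so the audit runs anywhere.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/open" "$t/tmp" "$t/private"
    chmod 0777 "$t/open"; chmod 1777 "$t/tmp"; chmod 0750 "$t/private"
    : > "$t/helper"; chmod 4755 "$t/helper"
    : > "$t/notes";  chmod 0644 "$t/notes"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "setuid/setgid files:";           find_special_files "$tree"
echo "world-writable, no sticky bit:"; find_unsafe_shared_dirs "$tree"
for mode in 754 2770 1777; do echo "$mode = $(decode_mode "$mode")"; done
rm -rf "$tree"
```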
Domain 2: Operation of Running Systems
- systemctl enable --now <unit> both enables a service at boot and starts it immediately; enable and start are otherwise independent (a unit can run now, be enabled for boot, or both).
- After editing or adding a unit file you must run systemctl daemon-reload so systemd rereads configuration; without it systemd keeps using the cached old definition.
- Prefer systemctl edit <unit> to create a drop-in override under /etc/systemd/system/<unit>.d/ rather than editing the vendor unit file, so changes survive package upgrades.
- systemctl set-default multi-user.target sets the boot target to non-graphical multi-user; systemctl isolate rescue.target switches to single-user rescue mode for maintenance.
- journalctl reads the systemd journal; cap its size by setting SystemMaxUse= (e.g., 500M) in /etc/systemd/journald.conf and reclaim space immediately with journalctl --vacuum-size=500M.
- df -h shows free space per filesystem and df -i shows inode usage; du -sh * summarizes which directories consume the most space, complementing df's per-filesystem view.
- In LVM, Physical Volumes (PVs) join into a Volume Group (VG) from which Logical Volumes (LVs) are carved as resizable virtual block devices, decoupling filesystem layout from physical disks.
- mkfs (e.g., mkfs.ext4 /dev/sdb1) creates a filesystem by writing the superblock and inode tables and destroys any existing data on the target device.
- Limit a service's RAM with MemoryMax= in the unit's [Service] section so its cgroup is OOM-killed when exceeded; pair with Restart=on-failure to bring it back automatically.
- Cron entries use five time fields (minute hour day-of-month month day-of-week); cron runs with a minimal PATH, so use absolute paths to binaries and quote variable expansions.
- For ordering against the network, use After=network-online.target with Wants=network-online.target; After alone does not pull the target into the transaction.
- systemd timers replace many cron jobs: Persistent=true catches up missed runs after downtime, and OnCalendar/OnActiveSec schedule by wall-clock or relative time with output captured in the journal.
- Sandbox services with ProtectSystem=strict (read-only system dirs), ReadWritePaths=/var/lib/app for allowed writes, and NoNewPrivileges=true to block privilege escalation.
- Diagnose memory and I/O pressure with free -m, cat /proc/meminfo, and vmstat 1 (watch si/so for swapping); processes stuck in state D are blocked on disk I/O, indicating a storage bottleneck.
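An added example (not from the guide) of checking the service sandboxing and memory settings listed above: it reads a unit file together with its drop-in override and reports the effective [Service] values. The app.service unit, its paths, the 512M limit and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the study guide. Unit name, paths and the 512M
# value are constructed.

# Effective [Service] value of KEY across a unit file and its drop-ins, or
# "unset". Files are read in order and the last assignment wins.
# Assumes plain Key=value lines with no spaces around "=".
unit_value() {             # usage: unit_value KEY FILE...
    key=$1; shift
    awk -v key="$key" '
        FNR == 1      { insvc = 0 }
        /^[ \t]*[#;]/ { next }
        /^\[/         { insvc = ($0 == "[Service]"); next }
        insvc && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { if (val == "") val = "unset"; print val }' "$@"
}

# Check the settings named in the list above; returns 1 if any is missing.
# Compares the literal spellings the guide uses (systemd also accepts "yes").
check_unit_hardening() {   # usage: check_unit_hardening FILE...
    rc=0
    for want in NoNewPrivileges=true ProtectSystem=strict Restart=on-failure; do
        got=$(unit_value "${want%%=*}" "$@")
        [ "$got" = "${want#*=}" ] || { echo "FAIL ${want%%=*} is $got"; rc=1; }
    done
    [ "$(unit_value MemoryMax "$@")" != "unset" ] || { echo "FAIL MemoryMax unset"; rc=1; }
    return $rc
}

make_sample_unit() {       # prints a temp dir with app.service and its drop-in
    d=$(mktemp -d) || return 1
    mkdir "$d/app.service.d"
    printf '%s\n' '[Unit]' 'Description=Sample app (constructed)' '[Service]' \
        'ExecStart=/usr/local/bin/app' 'ProtectSystem=full' > "$d/app.service"
    printf '%s\n' '[Service]' 'ProtectSystem=strict' \
        'ReadWritePaths=/var/lib/app' 'NoNewPrivileges=true' \
        'MemoryMax=512M' 'Restart=on-failure' > "$d/app.service.d/override.conf"
    printf '%s\n' "$d"
}

d=$(make_sample_unit)
check_unit_hardening "$d/app.service" || echo "vendor unit alone: gaps"
check_unit_hardening "$d/app.service" "$d/app.service.d/override.conf" \
    && echo "with drop-in: ok"
rm -rf "$d"
```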
Domain 3: User and Group Management
- useradd is the low-level account tool (often needing -m to create a home and -s for shell) while adduser is an interactive higher-level wrapper on Debian/Ubuntu; both write to /etc/passwd and /etc/shadow.
- useradd -r -s /usr/sbin/nologin -M svcacct creates a system (service) account with no login shell and no home directory, the standard pattern for daemons.
- usermod -aG <group> <user> adds a supplementary group without removing existing ones; omitting -a (usermod -G) replaces all supplementary groups, a common accidental-removal gotcha.
- usermod -g <group> <user> changes the primary group; gpasswd -a <user> <group> also adds to a supplementary group and gpasswd manages group administrators.
- Supplementary group changes take effect only in new login sessions or after running newgrp; existing shells keep their old group membership.
- Files placed in /etc/skel are copied into each new user's home directory at creation; /etc/default/useradd sets the default shell, home base, and skel location.
- chage manages password aging: chage -E 2026-12-31 user sets an account expiration date, and chage -l user lists current aging settings.
- PASS_MAX_DAYS in /etc/login.defs sets the default maximum password age for new accounts; umask defaults (e.g., umask 027) are set in /etc/profile or login configs to control new-file permissions.
- passwd -l alice locks an account (disabling password login by prefixing the hash with !), and passwd -u unlocks it; locking the password does not disable SSH key login by itself.
- Edit sudo policy only with visudo (which syntax-checks before saving), and prefer dropping rules into /etc/sudoers.d/ so package and manual changes stay separate.
- A narrowly scoped sudoers rule like 'alice ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx' lets alice run exactly that command without a password while granting nothing else.
- Enforce resource limits with nproc and other settings in /etc/security/limits.conf (or limits.d), and use filesystem quotas via edquota/setquota after mounting with usrquota/grpquota.
- For a shared group directory, chgrp devs /code then chmod 2770 /code gives the group full access, blocks others, and forces group inheritance via the setgid bit.
- At scale, prefer per-user SSH public keys over shared passwords and integrate hosts with a central directory such as LDAP or Active Directory via SSSD.
Domain 4: Networking
- The iproute2 ip command is the modern tool: ip addr shows interface addresses, ip route shows the routing table, and ip link manages interfaces, replacing the deprecated ifconfig.
- ip addr add 192.168.1.50/24 dev eth0 and ip route add default via 10.0.0.1 configure addressing at runtime, but these changes are not persistent across reboots.
- Persistent network config comes from declarative files: systemd-networkd .network files or NetworkManager keyfiles (nmcli/nmtui), not from raw ip commands.
- hostnamectl set-hostname app-server01 sets the static hostname persistently; hostname -I and ip -4 addr show display the system's current IPv4 addresses.
- /etc/resolv.conf lists nameserver and search directives for DNS, but it is often a managed symlink regenerated by systemd-resolved or NetworkManager, so edit the manager's config instead.
- /etc/hosts provides static name-to-IP mappings, and /etc/nsswitch.conf's hosts line typically checks 'files' before 'dns', letting local entries override DNS.
- Add a specific (non-default) route with ip route add 10.20.0.0/16 via 10.0.0.1 dev eth1 to direct a subnet through a particular gateway and interface.
- firewalld (firewall-cmd) is the default front-end on RHEL-family systems and organizes rules into zones; --permanent rules require firewall-cmd --reload to apply, and rules without --permanent are lost on reload or reboot.
- A secure firewall baseline is default-deny inbound, then explicitly allow only needed ports such as tcp/22 (SSH) and tcp/443 (HTTPS).
- Harden SSH by setting PermitRootLogin no and PasswordAuthentication no in sshd_config, requiring public-key (or certificate) auth and a regular account with sudo.
- ss is the modern netstat replacement: ss -tlnp lists TCP listening sockets with numeric ports and the owning process, revealing what is bound where.
- Troubleshoot DNS with dig example.com (detailed A/MX/NS records) or the simpler host and nslookup; ping tests basic reachability via ICMP echo.
- Measure throughput with iperf3 (server on one host, client on the other), and limit transfer rate with rsync --bwlimit=20000 to cap bandwidth in KB/s.
- NIC bonding mode=1 (active-backup) provides failover with one active link; in nftables the prerouting hook with nat type is where DNAT/redirect rules are applied.
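The SSH hardening settings above, as an added check that is not part of the original guide: sshd keeps the first value it obtains for a keyword, so a later "no" does not repair an earlier "yes", and a Match block can relax a setting for some clients. The function names and both sample configurations are constructed, and the parser assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example, not from the study guide. Config contents are constructed.

# First global value of KEYWORD, or "unset". sshd keeps the first value it
# obtains for a keyword; keywords are case-insensitive.
sshd_value() {            # usage: sshd_value FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ || NF == 0   { next }
        tolower($1) == "match"  { exit }
        tolower($1) == want     { val = tolower($2); exit }
        END { print val }' "$1"
}

# Values set for KEYWORD inside Match blocks (conditional overrides).
sshd_match_values() {     # usage: sshd_match_values FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0   { next }
        tolower($1) == "match"  { inmatch = 1; next }
        inmatch && tolower($1) == want { print tolower($2) }' "$1"
}

# Both settings must be "no" globally and must not be relaxed in a Match block.
# An unset PasswordAuthentication fails: OpenSSH defaults it to yes.
check_sshd_hardening() {  # usage: check_sshd_hardening FILE
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        got=$(sshd_value "$1" "$key")
        [ "$got" = "no" ] || { echo "FAIL $key is '$got' globally"; rc=1; }
        if sshd_match_values "$1" "$key" | grep -qv '^no$'; then
            echo "FAIL $key relaxed inside a Match block"; rc=1
        fi
    done
    return $rc
}

make_sample_configs() {   # prints a temp dir holding weak.conf and hard.conf
    d=$(mktemp -d) || return 1
    printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication no' \
        'permitrootlogin no' 'Match Address 192.0.2.0/24' \
        '    PasswordAuthentication yes' > "$d/weak.conf"
    printf '%s\n' '# hardened' 'PermitRootLogin no' \
        'passwordauthentication no' > "$d/hard.conf"
    printf '%s\n' "$d"
}

d=$(make_sample_configs)
check_sshd_hardening "$d/weak.conf" || echo "weak.conf: not hardened"
check_sshd_hardening "$d/hard.conf" && echo "hard.conf: ok"
rm -rf "$d"
```

On a live host, sshd -T prints the effective configuration, including Include files that this check does not follow.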
Domain 5: Storage Management
- Debian/Ubuntu use APT over dpkg for .deb packages (apt update refreshes the index from /etc/apt/sources.list*, apt install resolves dependencies); RHEL/Fedora use DNF (successor to YUM) for RPMs.
- dpkg -S /path/file reports which installed package owns a file on Debian systems, and apt-file can search package contents not yet installed; rpm -qf is the RPM-side equivalent.
- Grow an LVM logical volume online with lvextend -L +5G /dev/vg/lv, then resize the filesystem: resize2fs for ext4 or xfs_growfs (mounted) for XFS; XFS cannot be shrunk.
- If a deleted file still consumes space, a running process is holding it open; find the holder with lsof and restart or signal it to truly free the space.
- When a partition reports full but has free bytes, it may have exhausted inodes; check df -i, then delete large numbers of tiny unneeded files to free inodes.
- Reference devices in /etc/fstab by UUID or LABEL rather than /dev/sdX names, since kernel device naming can change between boots.
- A broken /etc/fstab line drops the boot into emergency mode; remount root read-write (mount -o remount,rw /), fix or comment the bad line, then continue booting.
- Reduce SSD write wear and improve speed with mount options noatime (or relatime) and either discard or periodic fstrim to reclaim freed blocks.
- LVM snapshots let you back up a consistent point-in-time image: create a snapshot LV, back up the snapshot, then remove it, avoiding inconsistency from live changes.
- Add swap with fallocate (or dd) to create a file, chmod 600 it, mkswap to format, then swapon to activate; add it to /etc/fstab for persistence.
- RAID 10 (mirrored pairs that are then striped) gives both redundancy and performance; XFS excels at very large files and high parallel I/O and grows online with xfs_growfs.
- Save space with sparse files: cp --sparse=always or rsync -S preserves holes, and Btrfs/ZFS offer transparent compression for compressible data.
- Use block-level deduplication (ZFS dedup or VDO beneath the filesystem) to reclaim space across duplicate data blocks, at the cost of extra memory/CPU.
- An LVM dm-cache configuration places a fast device (e.g., NVMe) as a cache pool in front of a slow LV to accelerate frequently accessed data.
Linux Foundation Certified System Administrator (LFCS) exam tips
- The exam is performance-based in a live terminal, so practice typing real commands fast; bookmark man pages and use --help, since documentation is available during the test but slow lookups cost time.
- After any unit-file or fstab change, immediately run systemctl daemon-reload, then verify safely with systemctl status or mount -a, so your change actually takes effect before moving on.
- Make configuration persistent, not just runtime: ip addr/route, sysctl, and firewall-cmd without --permanent all revert, so confirm changes survive a reboot when the task implies permanence.
- Always reference storage by UUID/LABEL in fstab and test a new fstab entry with mount -a before relying on it, since a typo can leave the system unbootable.
- Read each task for whether it wants the change 'now', 'at boot', or 'both', and use enable --now or separate enable/start accordingly; partial credit is given per objective, so finish easy tasks first.
Study guide FAQ
Is the LFCS exam multiple-choice?
No. It is entirely performance-based: you are dropped into a live Linux terminal and must complete real administration tasks (configure services, fix mounts, set permissions). There are no multiple-choice questions, so hands-on practice is essential.
What score do I need to pass and how long is the exam?
You need 660 out of 1000 to pass, within a 120-minute time limit. Tasks are weighted, and you earn partial credit per completed objective, so it is wise to bank the quick wins first and return to harder items.
Which Linux distributions does the exam use?
Candidates choose their distribution at exam start (commonly an Ubuntu LTS or a RHEL-family option). Because tooling differs (APT vs DNF, NetworkManager vs systemd-networkd), be fluent in the package manager and network config of your chosen distro.
Do I need to memorize command flags or can I use man pages?
Local documentation (man pages, --help) is available during the exam, but the clock keeps running. You should know the core commands and common flags by heart and reserve man pages for confirming syntax, not learning a tool for the first time.