Highlights
- Performance-based, not multiple-choice: The LFCS exam presents 17–20 hands-on tasks in a live terminal environment. You have two hours to solve real-world Linux administration challenges, and the passing score is 67%.
- Five weighted domains: Operations Deployment (25%), Networking (25%), Storage (20%), Essential Commands (20%), and Users and Groups (10%). Operations Deployment and Networking together account for half the exam.
- Persistence is critical: Nearly every exam task expects configurations to survive a reboot. Use configuration files (
/etc/sysctl.d/,/etc/fstab,/etc/systemd/system/) rather than runtime-only commands, and verify with status commands. - Man pages are your only reference: External resources, notes, and browsers are not allowed during the exam. Practice navigating
manpages and usingman -k keywordto search across all manual entries efficiently. - Both Debian and RHEL families are fair game: The exam may test APT (Debian/Ubuntu) or DNF (RHEL/Rocky/AlmaLinux) package management, so you need fluency in both distribution families.
- 24-month validity: Certifications earned after April 2024 remain valid for 24 months.
The Linux Foundation Certified System Administrator (LFCS) exam is a performance-based certification that validates practical Linux administration skills through real-world tasks. Unlike multiple-choice exams, candidates solve 17-20 hands-on challenges in a live terminal environment within two hours. This guide comprehensively covers all five exam domains - Operations Deployment (25%), Networking (25%), Storage (20%), Essential Commands (20%), and Users and Groups (10%), with practical command examples and configuration techniques. The passing score is 67%, and certifications earned after April 2024 remain valid for 24 months. During the exam, you may access man pages and system documentation but not external resources, making command-line proficiency essential.
Operations Deployment fundamentals form the exam's largest domain
The Operations Deployment domain carries 25% of the total exam weight and covers the core responsibilities of Linux system administration: managing kernel parameters, services, processes, scheduled jobs, packages, virtual machines, containers, and mandatory access control through SELinux.
Kernel parameter configuration spans temporary and persistent changes
Linux kernel behavior can be modified at runtime through the sysctl interface. Non-persistent changes take effect immediately but are lost after reboot:
sysctl -a # View all kernel parameters
sysctl net.ipv4.ip_forward # Read specific parameter
sysctl -w net.ipv4.ip_forward=1 # Set parameter temporarily
echo 1 > /proc/sys/net/ipv4/ip_forward # Alternative method via /procPersistent changes survive reboots when written to configuration files. The recommended approach uses the drop-in directory rather than editing the main configuration file:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-custom.conf
sysctl -p /etc/sysctl.d/99-custom.conf # Apply specific file
sysctl --system # Apply all system filesCommon parameters you should know include net.ipv4.ip_forward=1 for routing, vm.swappiness=10 to reduce swap usage, fs.file-max=65535 for file descriptor limits, and net.ipv6.conf.all.disable_ipv6=1 to disable IPv6.
Systemd service management requires mastering systemctl and journalctl
Modern Linux distributions use systemd for service management. The systemctl command controls service lifecycle, boot behavior, and unit configuration:
systemctl start nginx.service # Start service
systemctl stop nginx.service # Stop service
systemctl restart nginx.service # Restart service
systemctl reload nginx.service # Reload config without restart
systemctl enable --now nginx.service # Enable at boot and start immediately
systemctl status nginx.service # View detailed status
systemctl mask nginx.service # Prevent service from starting
systemctl daemon-reload # Reload after unit file changesThe journalctl command accesses the systemd journal for log analysis and troubleshooting:
journalctl -u nginx.service # Logs for specific service
journalctl -u nginx.service -f # Follow logs in real-time
journalctl -b # Logs since current boot
journalctl --since "1 hour ago" # Time-based filtering
journalctl -p err # Filter by priority level
journalctl -o json-pretty # JSON output format
journalctl --vacuum-size=500M # Reduce journal sizeProcess management complements service administration. The ps command provides process snapshots while top and htop offer real-time monitoring. Process signals control behavior: kill -15 PID sends SIGTERM for graceful shutdown, kill -9 PID sends SIGKILL for forced termination, and kill -HUP PID triggers configuration reload.
Job scheduling uses cron syntax and systemd timers
Cron remains the traditional method for scheduling recurring tasks. The crontab format specifies minute (0-59), hour (0-23), day of month (1-31), month (1-12), and day of week (0-6):
crontab -e # Edit user crontab
crontab -l # List entries
# Crontab examples:
*/5 * * * * /path/to/script.sh # Every 5 minutes
0 3 * * * /path/to/backup.sh # Daily at 3 AM
30 17 * * 1 /path/to/weekly.sh # Monday at 5:30 PM
@reboot /path/to/startup.sh # At system bootSystemd timers provide an alternative with improved logging and dependency management. A timer unit file pairs with a service unit file:
# /etc/systemd/system/backup.timer
[Unit]
Description=Run backup daily
[Timer]
OnCalendar=*-*-* 03:00:00
Persistent=true
RandomizedDelaySec=30min
[Install]
WantedBy=timers.targetThe at command handles one-time scheduled execution: at 10:00 AM or at now + 1 hour opens an interactive prompt for commands, while atq lists pending jobs and atrm removes them.
Package management differs between distribution families
Debian-based systems (Ubuntu, Debian) use APT:
apt update # Update package lists
apt install nginx # Install package
apt remove nginx # Remove package
apt purge nginx # Remove with config files
apt search nginx # Search packages
apt autoremove # Remove unused dependenciesRHEL-based systems (Rocky Linux, AlmaLinux, Fedora) use DNF:
dnf check-update # Check for updates
dnf install httpd # Install package
dnf remove httpd # Remove package
dnf search httpd # Search packages
dnf provides /usr/bin/vim # Find package owning file
dnf history # View transaction history
dnf history undo 10 # Rollback transactionRepository configuration files reside in /etc/apt/sources.list.d/ for APT systems and /etc/yum.repos.d/ for DNF systems.
System recovery techniques handle boot failures and filesystem corruption
When systems fail to boot, GRUB provides recovery options. At the GRUB menu, press e to edit the boot entry, then append systemd.unit=rescue.target for rescue mode or systemd.unit=emergency.target for minimal emergency mode to the kernel line.
Rescue mode mounts filesystems read-write and starts minimal services, useful for most recovery tasks. Emergency mode provides a bare environment with the root filesystem read-only, necessary when filesystems themselves are corrupted.
Filesystem repair commands must run on unmounted filesystems:
# ext4 filesystem repair
fsck -y /dev/sda1 # Auto-fix errors
e2fsck -fvy /dev/sda1 # Force check with verbose output
# XFS filesystem repair (cannot shrink, only grow)
xfs_repair /dev/sda1 # Repair filesystem
xfs_repair -n /dev/sda1 # Dry-run check onlyVirtual machine management uses libvirt and virsh
The virsh command-line interface manages KVM/QEMU virtual machines through libvirt:
virsh list --all # List all VMs
virsh start vm-name # Start VM
virsh shutdown vm-name # Graceful shutdown
virsh destroy vm-name # Force power off
virsh autostart vm-name # Enable autostart at boot
virsh edit vm-name # Edit VM configuration XML
virsh console vm-name # Access VM consoleCreating new VMs uses virt-install:
virt-install \
--name centos8 \
--ram 2048 \
--vcpus 2 \
--disk path=/var/lib/libvirt/images/centos8.qcow2,size=20 \
--os-variant centos8 \
--network bridge=virbr0 \
--location /path/to/isoStorage pools and volumes support flexible VM disk management through virsh pool-* and virsh vol-* commands.
Container management spans Docker and Podman
Both Docker and Podman share compatible command syntax for container operations:
docker pull nginx:latest # Download image
docker run -d --name web -p 8080:80 nginx # Run container
docker ps -a # List all containers
docker logs -f web # Follow container logs
docker exec -it web /bin/bash # Execute command in container
docker stop web # Stop container
docker rm web # Remove containerPodman offers rootless container execution and pod management:
podman pod create --name mypod -p 8080:80 # Create pod
podman run -d --pod mypod nginx # Run container in podDockerfile instructions define container images:
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y nginx
COPY ./html /var/www/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]SELinux enforces mandatory access control
SELinux operates in three modes: Enforcing (active protection), Permissive (logging only), and Disabled. Check and change modes with:
getenforce # Check current mode
setenforce 1 # Set enforcing (temporary)
setenforce 0 # Set permissive (temporary)Persistent mode changes require editing /etc/selinux/config and rebooting.
Context management ensures files have correct SELinux labels:
semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
restorecon -Rv /srv/www # Apply context changesPort labeling allows services to bind to non-standard ports:
semanage port -a -t http_port_t -p tcp 8080Boolean settings enable optional SELinux features:
getsebool -a | grep httpd # List httpd booleans
setsebool -P httpd_can_network_connect on # Persistent boolean changeTroubleshooting SELinux denials uses audit tools:
ausearch -m avc -ts recent | audit2why # Analyze recent denialsNetworking configuration enables system connectivity and security
The Networking domain represents 25% of the exam and covers IP configuration, DNS resolution, time synchronization, SSH hardening, firewalls, routing, and advanced network interfaces.
IPv4 and IPv6 configuration uses ip and nmcli commands
The ip command provides low-level network interface control:
ip addr show # Display all addresses
ip addr add 192.168.1.100/24 dev eth0 # Add IP address
ip addr del 192.168.1.100/24 dev eth0 # Remove IP address
ip link set dev eth0 up # Bring interface up
ip link set dev eth0 down # Bring interface down
ip route show # Display routing table
ip route add default via 192.168.1.1 # Set default gatewayNetworkManager's nmcli handles persistent network configuration:
nmcli connection show # List connections
nmcli device status # Show device status
nmcli con add type ethernet con-name "static" ifname eth0 \
ipv4.addresses 192.168.1.100/24 \
ipv4.gateway 192.168.1.1 \
ipv4.dns "8.8.8.8,8.8.4.4" \
ipv4.method manual
nmcli con up "static" # Activate connectionKey network configuration files include /etc/hosts for static hostname mappings, /etc/resolv.conf for DNS servers, and /etc/nsswitch.conf for name resolution order.
Hostname configuration and DNS testing validate connectivity
The hostnamectl command manages system hostname:
hostnamectl # Display hostname info
hostnamectl set-hostname server1.example.comDNS troubleshooting commands verify name resolution:
dig example.com # Query A record
dig +short example.com # Short output
dig @8.8.8.8 example.com # Query specific server
dig -x 192.168.1.1 # Reverse lookup
nslookup example.com # Alternative lookup tool
host example.com # Simple lookupTime synchronization keeps systems accurate
Chrony provides modern NTP client and server functionality. The configuration file /etc/chrony.conf specifies time servers:
server 0.pool.ntp.org iburst
pool ntp.ubuntu.com iburst
makestep 1.0 3
driftfile /var/lib/chrony/drift
rtcsyncManagement commands verify synchronization status:
chronyc sources # Show time sources
chronyc tracking # Show tracking info
chronyc makestep # Force immediate sync
timedatectl # Display time settings
timedatectl set-timezone America/New_York # Set timezone
timedatectl set-ntp true # Enable NTPNetwork troubleshooting identifies connectivity issues
The ss command (replacing netstat) displays socket statistics:
ss -tuln # TCP/UDP listening ports
ss -tulnp # Include process names
ss -t state established # Established connections
ss -tln sport = :22 # Filter by portConnectivity testing uses standard diagnostic tools:
ping -c 5 google.com # ICMP connectivity test
traceroute google.com # Trace route path
mtr google.com # Combined ping/traceroutePacket capture with tcpdump enables deep analysis:
tcpdump -i eth0 -nn port 80 # Capture HTTP traffic
tcpdump -i eth0 host 192.168.1.1 # Filter by host
tcpdump -w capture.pcap # Save to fileOpenSSH hardening secures remote access
The SSH server configuration file /etc/ssh/sshd_config supports numerous security options:
PermitRootLogin no # Disable root login
PasswordAuthentication no # Require key authentication
PubkeyAuthentication yes # Enable key authentication
MaxAuthTries 3 # Limit login attempts
ClientAliveInterval 300 # Idle timeout
AllowUsers admin deploy # Restrict allowed users
X11Forwarding no # Disable X11Match blocks provide conditional configuration based on user, group, or address:
Match User sftpuser
ForceCommand internal-sftp
ChrootDirectory /home/sftpuser
AllowTcpForwarding no
Match Address 192.168.1.0/24
PasswordAuthentication yesKey-based authentication setup:
ssh-keygen -t ed25519 -C "user@host" # Generate key pair
ssh-copy-id user@server # Copy public key to serverSSH port forwarding creates secure tunnels:
ssh -L 8080:localhost:80 user@server # Local port forwarding
ssh -R 8080:localhost:80 user@server # Remote port forwarding
ssh -D 1080 user@server # SOCKS proxyFirewall configuration uses firewalld or iptables
Firewalld provides zone-based firewall management:
firewall-cmd --state # Check status
firewall-cmd --get-active-zones # Show active zones
firewall-cmd --zone=public --list-all # List zone rules
firewall-cmd --permanent --add-service=http # Allow HTTP service
firewall-cmd --permanent --add-port=8080/tcp # Allow specific port
firewall-cmd --reload # Apply changes
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" \
source address="192.168.1.0/24" service name="ssh" accept'iptables provides direct packet filtering:
iptables -L -n -v # List all rules
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP # Default deny
# NAT/Masquerading for routing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEStatic routing directs traffic to specific networks
Route management commands:
ip route add 10.0.0.0/8 via 192.168.1.254 # Add static route
ip route add default via 192.168.1.1 # Default gateway
ip route del 10.0.0.0/8 # Delete routePersistent routes via NetworkManager:
nmcli con mod "connection" +ipv4.routes "10.0.0.0/8 192.168.1.254"
nmcli con up "connection"Bridge and bonding create advanced network configurations
Network bridges connect multiple interfaces:
nmcli con add type bridge con-name br0 ifname br0
nmcli con add type bridge-slave con-name br0-slave ifname eth0 master br0
nmcli con mod br0 ipv4.addresses "192.168.1.100/24" ipv4.method manual
nmcli con up br0Network bonding aggregates interfaces for redundancy or throughput:
nmcli con add type bond con-name bond0 ifname bond0 \
bond.options "mode=active-backup,miimon=100"
nmcli con add type ethernet con-name bond0-slave1 ifname eth0 master bond0
nmcli con add type ethernet con-name bond0-slave2 ifname eth1 master bond0Bond modes include active-backup (failover), balance-rr (round-robin), and 802.3ad (LACP aggregation).
Reverse proxies and load balancers distribute traffic
HAProxy configuration defines frontends and backends:
frontend http_front
bind *:80
default_backend web_servers
backend web_servers
balance roundrobin
option httpchk GET /health
server web1 192.168.1.10:80 check
server web2 192.168.1.11:80 checknginx reverse proxy configuration:
upstream backend_servers {
least_conn;
server 192.168.1.10:8080;
server 192.168.1.11:8080;
}
server {
listen 80;
location / {
proxy_pass http://backend_servers;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}Load balancing algorithms include roundrobin (equal distribution), leastconn (fewest connections), and source (session persistence via IP hash).
Storage management handles LVM, filesystems, and remote storage
The Storage domain covers 20% of the exam and encompasses LVM configuration, filesystem creation and repair, remote storage mounting, swap management, and automounting.
LVM provides flexible logical volume management
LVM uses three layers: Physical Volumes (PVs) from disks or partitions, Volume Groups (VGs) pooling PVs together, and Logical Volumes (LVs) carved from VGs.
Physical volume operations:
pvcreate /dev/sdb /dev/sdc # Create PVs
pvdisplay # Display PV details
pvs # Summary viewVolume group operations:
vgcreate vg00 /dev/sdb /dev/sdc # Create VG
vgextend vg00 /dev/sdd # Add PV to VG
vgdisplay # Display VG details
vgs # Summary viewLogical volume operations:
lvcreate -L 10G -n lv_data vg00 # Create 10GB LV
lvcreate -l 100%FREE -n lv_data vg00 # Use all free space
lvextend -L +5G /dev/vg00/lv_data # Add 5GB
lvextend -r -L +5G /dev/vg00/lv_data # Extend LV and resize filesystem
lvdisplay # Display LV detailsFilesystem resizing differs by type:
# ext4: can grow online or shrink offline
resize2fs /dev/vg00/lv_data # Resize to fill LV
# XFS: can only grow, never shrink, must be mounted
xfs_growfs /mount/point # Grow to fill LVLVM snapshots enable point-in-time copies:
lvcreate -L 1G -s -n snap /dev/vg00/lv_data # Create snapshot
lvconvert --merge /dev/vg00/snap # Restore from snapshotFilesystem creation and management uses mkfs and mount
Creating filesystems:
mkfs.ext4 /dev/sdb1 # Create ext4
mkfs.ext4 -L "DATA" /dev/sdb1 # With label
mkfs.xfs /dev/sdb1 # Create XFS
mkfs.xfs -f /dev/sdb1 # Force overwriteMounting filesystems:
mount /dev/sdb1 /mnt/data # Mount device
mount -o rw,noatime /dev/sdb1 /mnt/data # With options
mount UUID=abc123 /mnt/data # Mount by UUIDThe /etc/fstab file defines persistent mounts:
device mount_point type options dump pass
UUID=abc123-def456 /data ext4 defaults 0 2
/dev/vgdata/lvdata /mnt/data ext4 defaults 0 2
server:/export /mnt/nfs nfs defaults,_netdev 0 0
/swapfile none swap defaults 0 0Filesystem repair requires unmounting first:
fsck -y /dev/sdb1 # ext4 auto-repair
xfs_repair /dev/sdb1 # XFS repairIdentify devices by UUID or label:
blkid # Show all UUIDs/labels
lsblk -f # Include filesystem info
e2label /dev/sdb1 "MYDATA" # Set ext4 label
xfs_admin -L "MYDATA" /dev/sdb1 # Set XFS labelRemote filesystems connect to network storage
NFS server configuration exports directories via /etc/exports:
/srv/nfs/share 192.168.1.0/24(rw,sync,no_subtree_check)
/srv/nfs/public *(ro,sync)Apply exports with exportfs -ra and start the server with systemctl enable --now nfs-server.
NFS client mounting:
showmount -e server_ip # Discover exports
mount -t nfs server:/export /mnt/nfs # Mount NFS shareiSCSI initiator configuration connects to block storage:
iscsiadm -m discovery -t sendtargets -p target_ip:3260
iscsiadm -m node -T target_iqn -p target_ip --login
iscsiadm -m session -P 3 # Show active sessionsSwap space provides virtual memory overflow
Creating swap partition:
mkswap /dev/sdb2 # Initialize swap area
swapon /dev/sdb2 # Enable swapCreating swap file:
dd if=/dev/zero of=/swapfile bs=1M count=2048
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfileSwap management:
swapon --show # Display swap usage
swapon -a # Enable all fstab swap
swapoff /swapfile # Disable specific swapSwap priority in /etc/fstab:
/dev/sda2 none swap defaults,pri=100 0 0
/swapfile none swap defaults,pri=10 0 0Autofs mounts filesystems on demand
The master map /etc/auto.master defines automount points:
/misc /etc/auto.misc --timeout=60
/nfs /etc/auto.nfs --timeout=120
/- /etc/auto.directIndirect map example /etc/auto.nfs:
share1 -rw,soft,intr 192.168.1.10:/export/share1
backup -ro 192.168.1.10:/export/backup
* -rw 192.168.1.10:/home/&Direct map example /etc/auto.direct:
/mnt/nfs/data -rw,soft server:/export/dataStart autofs with systemctl enable --now autofs.
Storage performance monitoring tracks I/O metrics
The iostat command shows disk I/O statistics:
iostat -x 1 # Extended stats every second
# Key metrics: await (latency), %util (saturation)The iotop command shows per-process I/O:
iotop -o # Only processes with I/OStandard tools for storage analysis:
df -h # Filesystem space usage
df -i # Inode usage
du -sh /var # Directory size
lsblk -f # Block devices with filesystemsEssential Commands encompass Git, services, and troubleshooting
This 20% domain covers Git version control, systemd service creation, performance monitoring, disk space management, and SSL certificate operations.
Git workflow commands manage version control
Repository initialization and cloning:
git init # Create new repository
git clone https://github.com/user/repo.git # Clone existingStaging and committing:
git status # Check working tree
git add filename # Stage specific file
git add . # Stage all changes
git commit -m "Descriptive message" # Commit changes
git commit --amend # Modify last commitHistory and differences:
git log --oneline # Compact history
git log --graph --oneline --all # Visual branch history
git diff # Unstaged changes
git diff --staged # Staged changesRemote operations:
git remote add origin URL # Add remote
git fetch origin # Download without merge
git pull origin main # Fetch and merge
git push -u origin main # Push and set upstreamBranch management:
git branch # List branches
git branch feature-x # Create branch
git checkout feature-x # Switch to branch
git checkout -b feature-x # Create and switch
git merge feature-x # Merge into current
git branch -d feature-x # Delete branchCustom systemd service creation requires proper unit file structure
Service unit files in /etc/systemd/system/ follow a three-section format:
[Unit]
Description=My Custom Application
After=network.target
Requires=postgresql.service
[Service]
Type=simple
User=appuser
WorkingDirectory=/opt/myapp
ExecStart=/opt/myapp/bin/myapp --config /etc/myapp.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5
Environment="NODE_ENV=production"
[Install]
WantedBy=multi-user.targetService types determine startup behavior: simple (default, immediate), forking (parent exits, child continues), oneshot (runs and exits), and notify (signals readiness).
After creating or modifying unit files:
systemctl daemon-reload # Reload unit files
systemctl enable --now myapp.service # Enable and startPerformance monitoring identifies system bottlenecks
Real-time monitoring with top and htop:
top # Process monitor
# Key: M (sort memory), P (sort CPU), k (kill)
htop # Enhanced interfaceMemory and CPU statistics with vmstat:
vmstat 1 5 # Update every second, 5 times
# Columns: r (run queue), b (blocked), si/so (swap), wa (I/O wait)Memory usage with free:
free -h # Human-readable format
# Key: available shows memory for new applicationsSystem load with uptime:
uptime
# Load average interpretation: values below CPU count indicate healthy systemApplication troubleshooting uses strace, lsof, and journalctl
System call tracing:
strace command # Trace system calls
strace -p PID # Attach to running process
strace -e open,access command # Filter specific calls
strace -c command # Summary statisticsOpen file tracking:
lsof -u username # Files by user
lsof -p PID # Files by process
lsof -i :80 # Processes using port
lsof +L1 # Deleted files still openService troubleshooting:
journalctl -u service.service -xe # Service logs with context
systemctl status service.service # Status and recent logsDisk space troubleshooting resolves storage exhaustion
Space usage analysis:
df -h # Filesystem space
df -i # Inode usage (often overlooked)
du -sh /var/* # Directory sizes
du -h --max-depth=1 / | sort -hr # Largest directoriesFinding large files:
find / -type f -size +100M 2>/dev/null # Files over 100MB
find /var -type f -size +50M -mtime +30 # Large old filesInteractive disk usage with ncdu:
ncdu / # Scan from root
# Navigation: d (delete), n (sort name), s (sort size)Cleanup operations:
apt clean # Clear APT cache
dnf clean all # Clear DNF cache
journalctl --vacuum-size=500M # Reduce journal sizeSSL certificate inspection verifies validity and chain
Certificate examination:
openssl x509 -in cert.crt -text -noout # Full certificate details
openssl x509 -in cert.crt -noout -dates # Validity dates
openssl x509 -in cert.crt -noout -subject # Subject
openssl x509 -in cert.crt -noout -issuer # IssuerRemote certificate checking:
echo | openssl s_client -servername domain.com -connect domain.com:443 2>/dev/null \
| openssl x509 -noout -datesCertificate generation:
openssl genrsa -out private.key 2048 # Generate private key
openssl req -new -key private.key -out request.csr # Generate CSR
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout key.pem -out cert.pem # Self-signed certificateCertificate verification:
openssl verify -CAfile ca.crt server.crt # Verify chain
# Verify key/cert match (MD5 hashes should be identical):
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5Users and Groups management controls access and identity
This 10% domain covers local account management, environment profiles, resource limits, ACLs, and LDAP integration.
User account management uses useradd, usermod, and passwd
Creating users with common options:
useradd -m -s /bin/bash -c "John Smith" -G wheel,developers john
# -m: create home -s: shell -c: comment -G: supplementary groupsModifying existing users:
usermod -aG sudo john # Add to group (append)
usermod -L john # Lock account
usermod -U john # Unlock account
usermod -s /bin/zsh john # Change shellPassword management:
passwd john # Set password
passwd -l john # Lock account
passwd -e john # Force change at login
chage -l john # View aging info
chage -M 90 -W 14 john # Max 90 days, warn 14Group management:
groupadd developers # Create group
groupmod -n newname oldname # Rename group
groupdel groupname # Delete groupKey files include /etc/passwd (user accounts), /etc/shadow (encrypted passwords), and /etc/group (group memberships).
Environment profiles customize shell behavior
System-wide files apply to all users:
/etc/profile- Executed for login shells/etc/profile.d/*.sh- Modular environment scripts/etc/bash.bashrcor/etc/bashrc- Interactive non-login shells
User-specific files customize individual environments:
~/.bash_profileor~/.profile- Login shells~/.bashrc- Interactive non-login shells
Login shells (SSH, console login, su -) read /etc/profile then ~/.bash_profile. Non-login shells (terminal emulator, running bash) read /etc/bash.bashrc then ~/.bashrc.
Environment variable management:
export MYVAR="value" # Set and export variable
env # List all variables
unset MYVAR # Remove variableResource limits restrict user consumption
The /etc/security/limits.conf file defines resource constraints:
# Format: <domain> <type> <item> <value>
* soft nofile 4096
* hard nofile 65535
@developers hard nproc 4096
john hard as 4000000Domain specifies users (username), groups (@groupname), or all (*). Type can be soft (default, user-adjustable), hard (maximum), or - (both).
Common limit items include nofile (file descriptors), nproc (processes), memlock (locked memory), and as (address space).
The ulimit command views and sets session limits:
ulimit -a # View all limits
ulimit -n # Open files limit
ulimit -n 8192 # Set open files (session)
ulimit -Hn # View hard limitAccess Control Lists provide granular file permissions
Setting ACLs with setfacl:
setfacl -m u:john:rw file # User permission
setfacl -m g:developers:rx file # Group permission
setfacl -m m::rx file # Set mask
setfacl -R -m u:john:rx /directory # Recursive
setfacl -d -m u:john:rwx /directory # Default ACL (inheritance)
setfacl -x u:john file # Remove entry
setfacl -b file # Remove all ACLsViewing ACLs with getfacl:
getfacl file # Display ACLs
# Plus sign (+) in ls -l indicates ACL presenceDefault ACLs on directories apply to newly created files within them, enabling inherited permissions.
The mask entry limits effective permissions for named users, named groups, and the owning group, it acts as a permission ceiling.
LDAP client configuration integrates directory services
SSSD provides LDAP authentication. The configuration file /etc/sssd/sssd.conf (must be mode 0600):
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
cache_credentials = trueModern systems use authselect for authentication configuration:
authselect select sssd with-mkhomedir # Select SSSD profile
authselect current # Show configurationNSS integration in /etc/nsswitch.conf:
passwd: sss files
group: sss files
shadow: files sssTesting LDAP connectivity:
ldapsearch -x -H ldap://server -b "dc=example,dc=com" "(uid=john)"
getent passwd john # Verify NSS lookup
id john # Check user info
sssctl user-show john # SSSD-specific queryPractical preparation strategies maximize exam readiness
Build a lab environment using virtual machines or containers to practice all commands without risk. Install multiple Linux distributions to become comfortable with both Debian and RHEL family systems.
Master the man pages since they're available during the exam. Practice finding information with man -k keyword to search across all manual pages, and familiarize yourself with key references like systemctl(1), sshd_config(5), fstab(5), ip(8), and firewall-cmd(1).
Practice time management by setting 2-hour practice sessions where you complete as many tasks as possible. The exam presents 17-20 tasks, so aim to complete each task in under 6 minutes on average.
Focus on persistence for all configurations. Exam tasks typically require changes to survive reboots, use configuration files rather than runtime commands, and verify with appropriate status commands.
Develop systematic troubleshooting approaches. When services fail, always check systemctl status, review logs with journalctl -xe, verify configuration syntax, and confirm dependencies are satisfied.
The LFCS exam tests practical skills you'll use daily as a Linux administrator. Focus on understanding concepts and command relationships rather than memorizing syntax, the man pages provide syntax details when needed. Regular hands-on practice across all five domains builds the muscle memory and problem-solving intuition that leads to certification success.
Good luck!
Quick reference command summary by domain
| Task | Command |
|---|---|
| Operations | |
| Set kernel parameter (persistent) | echo "param=value" >> /etc/sysctl.d/99-custom.conf && sysctl -p |
| Manage service | systemctl start/stop/enable/status service |
| View service logs | journalctl -u service -f |
| Schedule cron job | crontab -e |
| Check SELinux mode | getenforce |
| Fix SELinux context | restorecon -Rv /path |
| Networking | |
| Configure static IP | nmcli con mod "conn" ipv4.addresses "IP/CIDR" ipv4.method manual |
| Add firewall rule | firewall-cmd --permanent --add-service=http && firewall-cmd --reload |
| Add static route | ip route add 10.0.0.0/8 via gateway |
| Test SSH config | sshd -t |
| Storage | |
| Create LVM volume | pvcreate, vgcreate, lvcreate -L size -n name vg |
| Extend LV with filesystem | lvextend -r -L +size /dev/vg/lv |
| Mount persistently | Add entry to /etc/fstab |
| Create swap | mkswap /dev/sdX && swapon /dev/sdX |
| Essential Commands | |
| Git commit workflow | git add . && git commit -m "message" && git push |
| Create systemd service | Write unit file to /etc/systemd/system/ then daemon-reload |
| Check certificate expiry | openssl x509 -enddate -noout -in cert.crt |
| Find large files | find / -type f -size +100M |
| Users & Groups | |
| Create user with groups | useradd -m -G wheel,dev username |
| Set ACL | setfacl -m u:user:rwx file |
| View limits | ulimit -a |
| Test LDAP user | getent passwd ldapuser |
FAQs
Q1: What is the LFCS exam format and how long do I have to complete it?
The LFCS is a performance-based exam conducted entirely in a live Linux terminal environment. You receive 17–20 hands-on tasks and have two hours to complete them. There are no multiple-choice questions, every task requires you to execute commands, configure services, or modify system files on a real Linux system. The passing score is 67%. You can access man pages and installed system documentation during the exam, but external resources, web browsers, and personal notes are not permitted.
Q2: Which Linux distribution should I practice on for the LFCS exam?
The exam can be delivered on Ubuntu or CentOS/Rocky Linux-based environments, and tasks may involve either Debian-family (APT) or RHEL-family (DNF) package management. You should be comfortable with both distribution families. Build a lab environment with at least one Debian-based and one RHEL-based virtual machine so you can practice package management, service configuration, and filesystem operations across both ecosystems. The core concepts, systemd, LVM, networking with ip/nmcli, and user management, remain consistent across distributions.
Q3: How are the five LFCS exam domains weighted, and which should I prioritize?
Operations Deployment and Networking each carry 25% of the exam weight, making them the two highest-priority domains. Together they account for half your score and cover systemd services, kernel parameters, SELinux, cron/timers, containers, IP configuration, SSH hardening, firewall rules, and routing. Storage (20%) and Essential Commands (20%) follow, covering LVM, filesystem management, Git, custom systemd services, and SSL certificates. Users and Groups carries 10% and covers account management, ACLs, resource limits, and LDAP integration. Focus your preparation time proportionally to these weights, but don't neglect the 10% domain, it can be the difference between passing and failing at the 67% threshold.
Q4: Can I use the internet or personal notes during the LFCS exam?
No. The LFCS exam runs in a proctored, locked-down browser environment. You cannot access the internet, open additional browser tabs, or reference personal notes. The only documentation available to you is what's installed on the exam system itself, primarily man pages, info pages, and files in /usr/share/doc/. This makes practicing with man pages essential. Get comfortable using man -k keyword to search for relevant commands, and learn to quickly navigate man page sections for syntax and options rather than relying on web searches during your preparation.
Q5: How long is the LFCS certification valid, and what happens when it expires?
Certifications earned after April 2024 are valid for 24 months from the date you pass the exam. Once expired, you must retake and pass the current version of the exam to recertify, there is no renewal pathway or continuing education option. The Linux Foundation periodically updates the exam objectives to reflect current industry practices, so the exam version you retake may include updated or new topics. Keeping your hands-on skills current through daily Linux administration work or lab practice is the most effective way to stay prepared for recertification.
Q6: What's the best way to prepare for the hands-on LFCS exam format?
Build a dedicated lab environment using virtual machines and practice every command and configuration covered in the exam domains. Set 2-hour timed practice sessions where you work through tasks without referencing external documentation, only man pages. Focus on making all configurations persistent across reboots, since the exam expects this. Develop a systematic troubleshooting approach: check systemctl status, review logs with journalctl -xe, verify configuration syntax, and confirm dependencies. The LFCS tests practical muscle memory and problem-solving under time pressure, not theoretical knowledge.
Discussion