Search Pass4Sure

technical-interviews

Linux and SysAdmin Interview Questions: The Commands and Concepts You Need

Study guide for Linux and sysadmin technical interviews: filesystem hierarchy, process management, systemd, permissions, log troubleshooting, and shell scripting questions.

Kalenux Team·January 13, 2026
7 min read·1097 views
Linux and SysAdmin Interview Questions: The Commands and Concepts You Need

Linux system administration interviews test both conceptual understanding and operational fluency. Interviewers want to know that you can reason about what the system is doing, not just that you have memorized commands. This article covers the questions and topics that come up consistently in Linux and sysadmin technical interviews, with the depth and framing that separates competent candidates from strong ones.

Filesystem and Disk Questions

Filesystem Hierarchy and Disk Usage Commands

"Explain the Linux filesystem hierarchy. What goes in /etc, /var, /proc, and /tmp?"

A common opening question. Key directories:

Directory Contents
/etc System-wide configuration files
/var Variable data: logs, mail, spool, package databases
/proc Virtual filesystem exposing kernel state
/tmp Temporary files cleared on reboot (typically)
/usr User-space binaries and libraries
/home User home directories
/boot Kernel and bootloader files
/dev Device files

The follow-up often asks about /proc specifically. /proc is not a real filesystem on disk—it is generated by the kernel at runtime and provides visibility into running processes, hardware, and kernel parameters. Files like /proc/cpuinfo, /proc/meminfo, and /proc/net/dev expose live system state.

"How do you check disk usage and find large files?"

# Overall disk usage by filesystem
df -h

# Disk usage of a directory, summarized
du -sh /var/log/

# Find the largest directories under /
du -h --max-depth=1 / | sort -rh | head -20

# Find files larger than 100MB
find / -type f -size +100M 2>/dev/null

# Find files modified in the last 24 hours
find /var/log -type f -mtime -1

Interviewers often ask the follow-up: "You notice df -h shows a disk is 95% full but du -sh / shows less total usage. What could explain the discrepancy?" The answer: deleted files that are still held open by running processes. The file's disk blocks are not freed until the last file descriptor is closed. lsof | grep deleted identifies these.

Process and Memory Management

Signals, CPU Profiling, and Virtual Memory

"How do you find and kill a process consuming excessive CPU?"

# Real-time view, sort by CPU
top
# or with better formatting:
htop

# Find the process ID
ps aux --sort=-%cpu | head -10

# Kill by PID
kill -15 <PID>   # SIGTERM - graceful shutdown
kill -9 <PID>    # SIGKILL - immediate termination

# Kill by process name
pkill -f "process_name"

Understanding signal semantics matters. SIGTERM (15) requests graceful shutdown and allows the process to clean up. SIGKILL (9) cannot be caught or ignored by the process and forces immediate termination—use it only when SIGTERM fails. SIGHUP (1) historically caused daemons to reload their configuration.

"Explain virtual memory and swap. When is swap usage a problem?"

Virtual memory allows processes to use more memory than physically available by mapping some pages to disk (swap). When physical RAM is exhausted, the kernel moves less-recently-used pages to swap (swapping out) to make room for active pages.

Swap usage becomes a problem when it causes frequent swap-in/swap-out cycles (thrashing), which causes severe performance degradation. Monitoring tools to watch: /proc/meminfo fields SwapTotal and SwapFree, vmstat for swap activity (si and so columns), and sar -W for swap statistics over time.

Boot Process and Systemd

Boot Sequence and Service Management

"Understanding systemd is not optional for a sysadmin interview in 2024. Every major Linux distribution has moved to it, and the questions have followed. Candidates who still describe init scripts as the primary mechanism signal that their operational knowledge has not kept pace." — Michael Kerrisk, author of The Linux Programming Interface (No Starch Press)

"Walk me through the Linux boot process."

  1. BIOS/UEFI performs POST and identifies the boot device
  2. Bootloader (GRUB2) is loaded from MBR/ESP, loads the kernel and initramfs
  3. Kernel initializes hardware, mounts initramfs as temporary root filesystem
  4. initramfs loads drivers needed to mount the real root filesystem
  5. Real root filesystem is mounted, systemd (PID 1) starts
  6. systemd brings up targets (multi-user, graphical) by starting units in dependency order

"How do you manage services with systemd?"

# Start, stop, restart a service
systemctl start nginx
systemctl stop nginx
systemctl restart nginx

# Enable/disable service at boot
systemctl enable nginx
systemctl disable nginx

# View service status and recent logs
systemctl status nginx

# View service logs
journalctl -u nginx -f          # follow
journalctl -u nginx --since "1 hour ago"

# List failed services
systemctl --failed

Understanding the difference between restart (stop then start) and reload (signal to reload config without stopping) is a common follow-up. reload is preferable for production services like nginx that support it, because it avoids a brief downtime.

Permissions and Security

File Permissions, sudo, and the Sticky Bit

"Explain Linux file permissions. What does chmod 755 mean?"

Linux permissions consist of three sets of three bits for owner, group, and others. Each set contains read (4), write (2), and execute (1) bits. chmod 755 sets:

  • Owner: 7 (4+2+1 = read, write, execute)
  • Group: 5 (4+0+1 = read, execute)
  • Others: 5 (read, execute)

The symbolic equivalent: chmod u=rwx,go=rx.

"What is the sticky bit and when would you use it?"

The sticky bit on a directory prevents users from deleting files they do not own, even if the directory is world-writable. The canonical example is /tmp: it is 1777 (world-writable with sticky bit), so any user can create files there but cannot delete files owned by other users.

"What is sudo and how does /etc/sudoers work?"

sudo allows permitted users to run commands as root or another specified user. /etc/sudoers (edited with visudo to prevent syntax errors) defines which users and groups may run which commands. A typical entry:

# Format: who where = (as_whom) command
john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%ops ALL=(root) /bin/journalctl, /bin/systemctl status *

Granting ALL=(ALL) ALL with NOPASSWD is a common anti-pattern that grants effective root access without an audit trail.

Log Management and Troubleshooting

Systematic Investigation and journalctl

"A user reports their application started throwing errors an hour ago. How do you investigate?"

A systematic approach is expected:

  1. Check application logs first: journalctl -u appservice --since "2 hours ago" or check /var/log/ for the application's log directory
  2. Check system logs for any relevant events: journalctl -p err --since "2 hours ago"
  3. Check resource constraints: df -h for disk space, free -h for memory, uptime for load
  4. Check for recent changes: rpm -qa --last | head (RPM-based) or grep " install\| upgrade" /var/log/dpkg.log | tail -20 (Debian-based)
  5. Check network connectivity if the application communicates externally

This structured approach—application logs, system logs, resources, recent changes—demonstrates operational maturity.

Networking from the Linux Shell

Port Inspection and Connectivity Testing

"How do you check what is listening on port 443?"

ss -tulnp | grep :443
# or
netstat -tlnp | grep :443
# or
lsof -i :443

"How do you test if a port is reachable from the command line?"

# Test TCP connectivity
nc -zv hostname 443
# or
telnet hostname 443

# Test with curl for HTTP/HTTPS
curl -v https://hostname:443/

# Trace the path
traceroute hostname
mtr hostname  # combined traceroute/ping with live statistics

Shell Scripting Questions

Writing Production-Quality Scripts

Basic shell scripting questions appear in most sysadmin interviews. Common topics:

#!/bin/bash
# Check if a service is running; restart if not
SERVICE="nginx"
if ! systemctl is-active --quiet "$SERVICE"; then
    echo "$(date): $SERVICE is not running, restarting" >> /var/log/service_check.log
    systemctl start "$SERVICE"
fi

Interviewers evaluate whether you use quoted variables, handle errors with proper exit codes, use set -e or explicit error handling, and write readable scripts. Common pitfalls they look for: unquoted variables, forgetting to check command exit codes, and not making scripts idempotent.

See also: Networking Interview Questions: What IT Roles Actually Ask

References

  1. Ward, B. (2021). How Linux Works: What Every Superuser Should Know (3rd ed.). No Starch Press. ISBN: 978-1718500402
  2. Newham, C., & Rosenblatt, B. (2005). Learning the bash Shell (3rd ed.). O'Reilly Media. ISBN: 978-0596009656
  3. Limoncelli, T., Hogan, C., & Chalup, S. (2016). The Practice of System and Network Administration (3rd ed.). Addison-Wesley. ISBN: 978-0321919168
  4. Shotts, W. (2019). The Linux Command Line (2nd ed.). No Starch Press. ISBN: 978-1593279523
  5. Hausenblas, M. (2022). Learning Modern Linux. O'Reilly Media. ISBN: 978-1098108939
  6. Red Hat. (2024). "Configuring and Managing Systemd." Red Hat Enterprise Linux 9 documentation. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_systemd/
  7. Kerrisk, M. (2010). The Linux Programming Interface: A Linux and UNIX System Programming Handbook. No Starch Press. ISBN: 978-1593272203

Tags

Linux sysadmin technical interviews command line systemd shell scripting

Frequently Asked Questions

What Linux topics are most common in sysadmin interviews?

The most frequent topics are filesystem hierarchy and disk troubleshooting, process and signal management, systemd service management, file permissions and sudo configuration, log analysis with journalctl, and basic shell scripting. Understanding how to investigate a problem systematically is consistently tested.

Why might df show a disk is full when du shows available space?

Files that have been deleted but are still held open by running processes retain their disk blocks until the last file descriptor is closed. The df command reflects actual block usage while du reflects files in the directory tree. Running lsof | grep deleted identifies these zombie file handles.

What is the difference between kill -15 and kill -9?

SIGTERM (signal 15) requests graceful termination and allows the process to clean up open files, flush buffers, and perform shutdown tasks. SIGKILL (signal 9) forces immediate termination and cannot be caught or ignored by the process. Use SIGTERM first and only fall back to SIGKILL if the process does not respond.

How do you check what process is listening on a specific port in Linux?

Use ss -tulnp | grep : or lsof -i :. The ss command is the modern replacement for netstat. The -t flag shows TCP, -u shows UDP, -l shows listening sockets, -n shows numeric addresses, and -p shows the associated process.

What is the sticky bit on a directory?

The sticky bit (1 in the mode octet, shown as 't' in ls output) prevents users from deleting files in a directory that they do not own, even if the directory is world-writable. The /tmp directory uses this mode (1777) so any user can create files but cannot delete files owned by others.

Share this article

Continue Reading