What Linux topics are most common in sysadmin interviews?
The most frequent topics are filesystem hierarchy and disk troubleshooting, process and signal management, systemd service management, file permissions and sudo configuration, log analysis with journalctl, and basic shell scripting. Understanding how to investigate a problem systematically is consistently tested.
Linux system administration interviews test both conceptual understanding and operational fluency. Interviewers want to know that you can reason about what the system is doing, not just that you have memorized commands. This article covers the questions and topics that come up consistently in Linux and sysadmin technical interviews, with the depth and framing that separates competent candidates from strong ones.
Filesystem and Disk Questions
Filesystem Hierarchy and Disk Usage Commands
"Explain the Linux filesystem hierarchy. What goes in /etc, /var, /proc, and /tmp?"
A common opening question. Key directories:
| Directory | Contents |
|---|---|
| /etc | System-wide configuration files |
| /var | Variable data: logs, mail, spool, package databases |
| /proc | Virtual filesystem exposing kernel state |
| /tmp | Temporary files cleared on reboot (typically) |
| /usr | User-space binaries and libraries |
| /home | User home directories |
| /boot | Kernel and bootloader files |
| /dev | Device files |
The follow-up often asks about /proc specifically. /proc is not a real filesystem on disk—it is generated by the kernel at runtime and provides visibility into running processes, hardware, and kernel parameters. Files like /proc/cpuinfo, /proc/meminfo, and /proc/net/dev expose live system state.
"How do you check disk usage and find large files?"
# Overall disk usage by filesystem
df -h
# Disk usage of a directory, summarized
du -sh /var/log/
# Find the largest directories under /
du -h --max-depth=1 / | sort -rh | head -20
# Find files larger than 100MB
find / -type f -size +100M 2>/dev/null
# Find files modified in the last 24 hours
find /var/log -type f -mtime -1
Interviewers often ask the follow-up: "You notice df -h shows a disk is 95% full but du -sh / shows less total usage. What could explain the discrepancy?" The answer: deleted files that are still held open by running processes. The file's disk blocks are not freed until the last file descriptor is closed. lsof | grep deleted identifies these.
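The df/du discrepancy described above can be measured directly from /proc rather than by grepping lsof output. The following is an added example, not part of the original article; the function name deleted_open_files is hypothetical, and it assumes a Linux /proc and a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: list deleted files whose blocks are still allocated
# because some process holds an open file descriptor on them.
deleted_open_files() {
    # Output: PID<TAB>BYTES<TAB>ORIGINAL_PATH, one line per open descriptor.
    for fd in /proc/[0-9]*/fd/*; do
        # Descriptors of other users' processes are unreadable without root.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            /memfd:*) continue ;;          # anonymous memory, not disk blocks
            /*" (deleted)") ;;             # unlinked file that is still open
            *) continue ;;
        esac
        pid=${fd#/proc/}
        pid=${pid%%/*}
        # stat -L follows the /proc link to the still-existing inode.
        size=$(stat -Lc %s "$fd" 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$pid" "$size" "${target% (deleted)}"
    done
}

# Largest space holders first; run as root to see every process.
deleted_open_files | sort -k2,2nr | head -20
```

Restarting or reloading the process that owns the descriptor releases the blocks; the PID column tells you which service that is.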
Process and Memory Management
Signals, CPU Profiling, and Virtual Memory
"How do you find and kill a process consuming excessive CPU?"
# Real-time view, sort by CPU
top
# or with better formatting:
htop
# Find the process ID
ps aux --sort=-%cpu | head -10
# Kill by PID
kill -15 <PID> # SIGTERM - graceful shutdown
kill -9 <PID> # SIGKILL - immediate termination
# Kill by process name
pkill -f "process_name"
Understanding signal semantics matters. SIGTERM (15) requests graceful shutdown and allows the process to clean up. SIGKILL (9) cannot be caught or ignored by the process and forces immediate termination—use it only when SIGTERM fails. SIGHUP (1) historically caused daemons to reload their configuration.
"Explain virtual memory and swap. When is swap usage a problem?"
Virtual memory allows processes to use more memory than physically available by mapping some pages to disk (swap). When physical RAM is exhausted, the kernel moves less-recently-used pages to swap (swapping out) to make room for active pages.
Swap usage becomes a problem when it causes frequent swap-in/swap-out cycles (thrashing), which causes severe performance degradation. Monitoring tools to watch: /proc/meminfo fields SwapTotal and SwapFree, vmstat for swap activity (si and so columns), and sar -W for swap statistics over time.
Boot Process and Systemd
Boot Sequence and Service Management
"Understanding systemd is not optional for a sysadmin interview in 2024. Every major Linux distribution has moved to it, and the questions have followed. Candidates who still describe init scripts as the primary mechanism signal that their operational knowledge has not kept pace." — Michael Kerrisk, author of The Linux Programming Interface (No Starch Press)
"Walk me through the Linux boot process."
BIOS/UEFI performs POST and identifies the boot device
Bootloader (GRUB2) is loaded from MBR/ESP, loads the kernel and initramfs
Kernel initializes hardware, mounts initramfs as temporary root filesystem
initramfs loads drivers needed to mount the real root filesystem
Real root filesystem is mounted, systemd (PID 1) starts
systemd brings up targets (multi-user, graphical) by starting units in dependency order
"How do you manage services with systemd?"
# Start, stop, restart a service
systemctl start nginx
systemctl stop nginx
systemctl restart nginx
# Enable/disable service at boot
systemctl enable nginx
systemctl disable nginx
# View service status and recent logs
systemctl status nginx
# View service logs
journalctl -u nginx -f # follow
journalctl -u nginx --since "1 hour ago"
# List failed services
systemctl --failed
Understanding the difference between restart (stop then start) and reload (signal to reload config without stopping) is a common follow-up. reload is preferable for production services like nginx that support it, because it avoids a brief downtime.
Permissions and Security
File Permissions, sudo, and the Sticky Bit
"Explain Linux file permissions. What does chmod 755 mean?"
Linux permissions consist of three sets of three bits for owner, group, and others. Each set contains read (4), write (2), and execute (1) bits. chmod 755 sets:
Owner: 7 (4+2+1 = read, write, execute)
Group: 5 (4+0+1 = read, execute)
Others: 5 (read, execute)
The symbolic equivalent: chmod u=rwx,go=rx.
"What is the sticky bit and when would you use it?"
The sticky bit on a directory prevents users from deleting files they do not own, even if the directory is world-writable. The canonical example is /tmp: it is 1777 (world-writable with sticky bit), so any user can create files there but cannot delete files owned by other users.
"What is sudo and how does /etc/sudoers work?"
sudo allows permitted users to run commands as root or another specified user. /etc/sudoers (edited with visudo to prevent syntax errors) defines which users and groups may run which commands. A typical entry:
# Format: who where = (as_whom) command
john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%ops ALL=(root) /bin/journalctl, /bin/systemctl status *
Granting ALL=(ALL) ALL with NOPASSWD is a common anti-pattern that grants effective root access without an audit trail.
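A quick way to review sudoers rules for the over-broad grants discussed above is to parse each rule and flag unrestricted or wildcarded commands. This is an added example, not part of the original article; audit_sudoers and sample_rules are hypothetical names, the last two sample rules are constructed, and the parser assumes single-line rules with one (runas) specification.

```shell
#!/bin/sh
# Added example: flag sudoers rules that grant more than a narrowly scoped command.
audit_sudoers() {
    # stdin: sudoers-format rules. stdout: FINDING<TAB>who<TAB>command
    awk '
    /^[ \t]*#/ || /^[ \t]*$/            { next }   # comments and blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings and alias definitions
    {
        eq = index($0, "=")
        if (eq == 0) next
        who  = $1
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)    # drop the (runas) part
        nopass = (spec ~ /NOPASSWD:/)
        gsub(/[A-Z_]+:[ \t]*/, "", spec)           # drop tags such as NOPASSWD:
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL" && nopass) print "NOPASSWD_ALL\t" who "\t" c
            else if (c == "ALL")      print "UNRESTRICTED\t" who "\t" c
            else if (c ~ /[*?]/)      print "WILDCARD\t" who "\t" c
        }
    }'
}

sample_rules() {
    # The first two rules are the article's examples; the last two are constructed.
    cat <<'EOF'
# Format: who where = (as_whom) command
john ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%ops ALL=(root) /bin/journalctl, /bin/systemctl status *
deploy ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
EOF
}

sample_rules | audit_sudoers
```

The rule for john passes because it names one exact command line; the %ops rule is flagged because the trailing * lets the caller append any arguments to systemctl status.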
Log Management and Troubleshooting
Systematic Investigation and journalctl
"A user reports their application started throwing errors an hour ago. How do you investigate?"
A systematic approach is expected:
- Check application logs first: journalctl -u appservice --since "2 hours ago", or check /var/log/ for the application's log directory
- Check system logs for any relevant events: journalctl -p err --since "2 hours ago"
- Check resource constraints: df -h for disk space, free -h for memory, uptime for load
- Check for recent changes: rpm -qa --last | head (RPM-based) or grep " install\| upgrade" /var/log/dpkg.log | tail -20 (Debian-based)
- Check network connectivity if the application communicates externally
This structured approach—application logs, system logs, resources, recent changes—demonstrates operational maturity.
Networking from the Linux Shell
Port Inspection and Connectivity Testing
"How do you check what is listening on port 443?"
ss -tulnp | grep :443
# or
netstat -tlnp | grep :443
# or
lsof -i :443
"How do you test if a port is reachable from the command line?"
# Test TCP connectivity
nc -zv hostname 443
# or
telnet hostname 443
# Test with curl for HTTP/HTTPS
curl -v https://hostname:443/
# Trace the path
traceroute hostname
mtr hostname # combined traceroute/ping with live statistics
Shell Scripting Questions
Writing Production-Quality Scripts
Basic shell scripting questions appear in most sysadmin interviews. Common topics:
#!/bin/bash
# Check if a service is running; restart if not
SERVICE="nginx"
if ! systemctl is-active --quiet "$SERVICE"; then
    echo "$(date): $SERVICE is not running, restarting" >> /var/log/service_check.log
    systemctl start "$SERVICE"
fi
Interviewers evaluate whether you use quoted variables, handle errors with proper exit codes, use set -e or explicit error handling, and write readable scripts. Common pitfalls they look for: unquoted variables, forgetting to check command exit codes, and not making scripts idempotent.
Linux sysadmin salary and certification landscape
The Linux sysadmin role has evolved significantly in the past decade. Pure "sysadmin" titles are declining in favor of "Site Reliability Engineer", "Platform Engineer", or "Infrastructure Engineer" - but the underlying skills remain foundational. The current US 2024-2025 salary ranges below are drawn from the Robert Half 2024 Technology Salary Guide [1].
| Role | Seniority | US salary range (2024-2025) | Typical cert mix |
|---|---|---|---|
| Linux Systems Administrator | Junior | $65,000-$95,000 | Linux+, LFCS, RHCSA |
| Linux Systems Administrator | Mid | $90,000-$130,000 | RHCSA, RHCE, CompTIA Linux+ |
| Senior Linux Engineer | Senior | $120,000-$170,000 | RHCE, LFCE, CKA |
| Platform Engineer | Senior | $150,000-$210,000 | RHCE, CKA, AWS DOP |
| Site Reliability Engineer | Senior | $160,000-$230,000 | CKA, CKS, AWS DOP |
| Infrastructure Architect | Senior | $170,000-$240,000 | RHCA, AWS SAP, CKA |
Certification signal for Linux-heavy roles
| Certification | Current exam code | Fee | Interview signal |
|---|---|---|---|
| CompTIA Linux+ | XK0-005 | $369 | Entry-level credibility |
| Linux Foundation LFCS | LFCS | $395 | Hands-on Linux admin signal |
| Linux Foundation LFCE | LFCE | $395 | Advanced Linux engineering signal |
| Red Hat RHCSA | EX200 | $500 | Widely respected; near-prerequisite for RHEL shops |
| Red Hat RHCE | EX294 | $500 | Automation + Ansible specialty |
| Red Hat RHCA | Various | $500 each | Specialty expert tier |
| CKA (Kubernetes Administrator) | CKA | $395 | Container orchestration signal |
| CKS (Kubernetes Security) | CKS | $395 | Security specialty; senior SRE signal |
"Red Hat certifications are almost uniquely hands-on in the industry. You will not pass the RHCSA or RHCE by memorizing flashcards. You must actually configure services, fix broken systems, and automate operations under timed conditions. The credential carries weight precisely because the only way to pass is to demonstrably possess the skills." - Sander van Vugt, Red Hat Certified Instructor and author of multiple RHCSA/RHCE preparation guides [2].
Deep-dive: memory, process, and I/O diagnostics
Senior Linux interviews often include questions about the tools you actually use when a system misbehaves in production. Candidates who can only name tools (top, vmstat, iostat) without explaining what output to look for typically signal surface-level familiarity.
top / htop - real-time CPU and memory; pay attention to the load average, task state distribution (R, S, D, Z), and memory buffers/cache interpretation.
vmstat 1 10 - virtual memory statistics sampled every second. Key columns: r (runnable processes), b (blocked), si/so (swap activity, should be near zero), wa (I/O wait time).
iostat -x 1 - extended per-device I/O statistics. Key columns: %util (device saturation), await (average I/O wait time in ms), r/s and w/s (operations per second).
sar - historical system activity data, invaluable for post-incident reconstruction. Most distributions enable sysstat with 10-minute sampling by default.
strace -c -p PID - traces and summarizes system calls for a running process. Identifies whether a hung process is stuck on I/O, network, or CPU-bound work.
perf top / perf record - kernel-level profiling. Used when a process is burning CPU and you need to identify which kernel function is consuming cycles.
bpftrace - modern eBPF-based observability; can answer questions previous generations of tools could not ("which PID is issuing the most disk reads by byte count?").
A candidate who says "I would use strace" without being able to explain what -f, -e, or -c flags do is demonstrating knowledge of the tool's existence, not its use. Interviewers differentiate based on the second layer.
Common Linux troubleshooting interview scenarios
Beyond command knowledge, senior Linux interviews test structured troubleshooting reasoning. Below are the most common scenario categories our cert research team has seen across 2023-2024 interview debriefs.
| Scenario | What interviewers evaluate |
|---|---|
| Disk fills up on production server | Systematic investigation; understanding of log rotation, inode exhaustion, hidden file accumulation |
| High load average with low CPU usage | Understanding load metrics; iowait, D-state processes, disk contention |
| Intermittent connectivity to a service | tcpdump fluency; conntrack table; systemd socket activation |
| Process consuming 100% CPU | strace/perf usage; thread-level investigation |
| Service fails to start after config change | journalctl investigation; SELinux troubleshooting; dependency ordering |
| Sudden service slowness with no error | Golden signals thinking (latency, traffic, errors, saturation) |
The best-performing candidates do not jump to commands. They articulate hypotheses first, then execute the command that tests each hypothesis. This is closer to the scientific method than it is to command recall, and it is what distinguishes senior candidates from mid-level candidates who know the same commands.
Container and orchestration transition
Modern Linux sysadmin interviews inevitably include container and Kubernetes questions. Candidates transitioning from traditional sysadmin backgrounds should cover at minimum:
- Docker fundamentals - image layers, Dockerfile best practices, volume mounting, network modes
- Container runtimes - runc, containerd, CRI-O; the difference between Docker and containerd
- Kubernetes basics - Pods, Deployments, Services, ConfigMaps, Secrets, namespaces
- kubectl proficiency - describe, logs, exec, get, apply, port-forward
- Troubleshooting in K8s - CrashLoopBackOff causes, ImagePullBackOff debugging, OOMKilled interpretation
- Systemd + containers - podman-systemd, quadlet patterns for rootless containers
Candidates with strong traditional Linux backgrounds typically find the Kubernetes transition easier than candidates coming from application development, because the underlying concepts (process isolation, namespaces, cgroups, filesystems) are already familiar.
Security hardening topics
Security-adjacent interviews add a layer of hardening questions on top of basic sysadmin content.
- SELinux vs AppArmor - mandatory access control approaches and their trade-offs
- Firewall strategies - iptables vs nftables, firewalld, ufw
- SSH hardening - key-only authentication, port changes, fail2ban, client certificate authentication
- Audit logging - auditd configuration, log aggregation strategies
- Kernel security modules - eBPF-based tools (Falco, Tetragon), seccomp profiles, capability dropping
- Patch management - unattended-upgrades, dnf-automatic, staggered patching strategies
- CIS Benchmark compliance - understanding of the Center for Internet Security Linux benchmarks
"The most important skill for a Linux engineer in 2024 is not memorizing commands but building the habit of asking 'what happens if I am wrong?' before running anything in production. The candidates who last long in operational roles are the ones who always know what their rollback plan is before they execute a change." - the Kalenux Team, synthesizing post-mortem patterns across publicly documented outages [3].
References
[1] Robert Half. (2024). 2024 Technology Salary Guide. https://www.roberthalf.com/us/en/insights/salary-guide/technology
[2] van Vugt, S. (2022). Red Hat RHCSA 9 Cert Guide: EX200. Pearson IT Certification. ISBN: 978-0137931309
[3] Center for Internet Security. (2024). CIS Benchmarks for Linux Distributions. https://www.cisecurity.org/benchmark/red_hat_linux
Ward, B. (2021). How Linux Works: What Every Superuser Should Know (3rd ed.). No Starch Press. ISBN: 978-1718500402
Newham, C., & Rosenblatt, B. (2005). Learning the bash Shell (3rd ed.). O'Reilly Media. ISBN: 978-0596009656
Limoncelli, T., Hogan, C., & Chalup, S. (2016). The Practice of System and Network Administration (3rd ed.). Addison-Wesley. ISBN: 978-0321919168
Shotts, W. (2019). The Linux Command Line (2nd ed.). No Starch Press. ISBN: 978-1593279523
Hausenblas, M. (2022). Learning Modern Linux. O'Reilly Media. ISBN: 978-1098108939
Red Hat. (2024). "Configuring and Managing Systemd." Red Hat Enterprise Linux 9 documentation. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_systemd/
Kerrisk, M. (2010). The Linux Programming Interface: A Linux and UNIX System Programming Handbook. No Starch Press. ISBN: 978-1593272203
Frequently Asked Questions
Why might df show a disk is full when du shows available space?
Files that have been deleted but are still held open by running processes retain their disk blocks until the last file descriptor is closed. The df command reflects actual block usage while du reflects files in the directory tree. Running lsof | grep deleted identifies these zombie file handles.
What is the difference between kill -15 and kill -9?
SIGTERM (signal 15) requests graceful termination and allows the process to clean up open files, flush buffers, and perform shutdown tasks. SIGKILL (signal 9) forces immediate termination and cannot be caught or ignored by the process. Use SIGTERM first and only fall back to SIGKILL if the process does not respond.
How do you check what process is listening on a specific port in Linux?
Use ss -tulnp | grep :
What is the sticky bit on a directory?
The sticky bit (1 in the mode octet, shown as 't' in ls output) prevents users from deleting files in a directory that they do not own, even if the directory is world-writable. The /tmp directory uses this mode (1777) so any user can create files but cannot delete files owned by others.
