Hands-On LabsLinux Administration

Standalone Verification Lab: Linux Systems Administration & Automation Mastery

Version: 2.0.0

Purpose: Canonical standalone hands-on lab structure verifying complete foundational mastery of Linux user/group governance, permission hardening, process monitoring, systemd service management, and Bash automation scripting.

Required Inputs: Associated lesson (MOD-LINUX-ADM), lab objective, environment details.

Outputs: Reproducible, independently testable hands-on lab markdown.

Lab Metadata

  • Lab ID: LAB-MOD-LINUX-ADM-01
  • Associated Lesson: Module 02 (MOD-LINUX-ADM: Linux Administration)
  • Objective: Create and secure a multi-user engineering environment, configure octal least-privilege permission locks, inspect active background processes, manage a systemd logging service, and write a production-ready system backup automation script.
  • Estimated Time: 35 minutes
  • Difficulty: Beginner

Prerequisites

  • Completion of MOD-LINUX-ADM-01 through MOD-LINUX-ADM-07.
  • A functional Linux terminal environment (WSL2, Desktop Virtual Machine, or Cloud Shell) with sudo access privileges.

Environment Setup

Before executing the core lab instructions, launch your Linux terminal sandbox, verify your active identity, and ensure you possess administrative sudo authorization.

# Teleport instantly to your user's home directory
cd ~
 
# Verify your active User ID (UID) and Group ID (GID) details
id
 
# Verify administrative sudo authorization by listing sudoers privileges
sudo -l

Step-by-Step Instructions

Step 1: Create an Engineering Group and Service User Account

As a professional Platform Engineer, you must establish clean multi-user governance by separating human operator groups from restricted service accounts.

# Create a brand-new administrative group named 'cloud-admins'
sudo groupadd cloud-admins
 
# Add your active user account to the 'cloud-admins' secondary group
sudo usermod -aG cloud-admins $(whoami)
 
# Create a highly restricted, non-login service account for an AI daemon
sudo useradd -r -s /usr/sbin/nologin ai-worker
 
# Verify the newly created service account's identification details
id ai-worker

Step 2: Configure Least-Privilege Permission Locks

Establish a highly secure configuration vault and practice applying strict octal permission modes to protect sensitive cloud secrets.

# Scaffold a secure project directory structure
mkdir -p platform-vault/secrets
cd platform-vault/secrets
 
# Create a sample sensitive cloud API key file
echo "AI_API_KEY=deepmind_gemini_2026_secure" > cloud_api.key
 
# Secure the file so only the owner can read/write it (Octal 600)
chmod 600 cloud_api.key
 
# Transfer ownership of the file to the root superuser and cloud-admins group
sudo chown root:cloud-admins cloud_api.key
 
# Verify the strict -rw------- permission string and updated ownership
ls -l cloud_api.key

Step 3: Inspect Active Processes and Network Sockets

Execute a dynamic system health audit by taking a snapshot of running background processes and inspecting open listening network ports.

# Jump back to the absolute home directory
cd ~
 
# Take a static snapshot of running systemd daemon processes
ps aux | grep "systemd" | grep -v "grep" | head -n 5
 
# Inspect all open listening TCP/UDP network sockets and numeric ports
sudo ss -tulpn

Step 4: Verify Systemd Service Health and Log Journals

Interact with the master systemd init engine to verify the active health of the central logging service and inspect recent log journals.

# Verify the active running status of the systemd journal service
systemctl status systemd-journald.service
 
# Inspect the 5 most recent log lines generated by the journal service
sudo journalctl -u systemd-journald.service -n 5

Step 5: Author and Execute a Production Backup Automation Script

Package your administrative commands into a permanent, reusable Bash automation script containing professional safety flags, variables, conditionals, and loops.

# Create a production-ready backup automation script using cat heredoc
cat << 'EOF' > backup_vault.sh
#!/bin/bash
set -euo pipefail
 
# Define system variables
SOURCE_DIR="$HOME/platform-vault"
BACKUP_DIR="$HOME/vault_archive"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
TARGET_ARCHIVE="$BACKUP_DIR/vault_backup_$TIMESTAMP"
 
# Conditional check: Verify if backup archive directory exists
if [ ! -d "$BACKUP_DIR" ]; then
    echo "Backup directory missing. Creating $BACKUP_DIR..."
    mkdir -p "$BACKUP_DIR"
fi
 
# Create timestamped target archive directory
mkdir -p "$TARGET_ARCHIVE"
echo "Starting automated vault backup to $TARGET_ARCHIVE..."
 
# Conditional check: Verify if source vault exists before copying
if [ -d "$SOURCE_DIR" ]; then
    sudo cp -r "$SOURCE_DIR" "$TARGET_ARCHIVE/"
    echo "Successfully backed up $SOURCE_DIR"
else
    echo "Error: Source directory $SOURCE_DIR missing!"
    exit 1
fi
 
echo "Backup automation completed successfully! Exit code: $?"
EOF
 
# Unlock execute permissions (+x) for the newly created script
chmod +x backup_vault.sh
 
# Execute the automation script
./backup_vault.sh

Verification

To verify that you have successfully completed this standalone lab and mastered our Module 02 capability statement (“I can administer a Linux server, manage permissions, automate simple tasks, and troubleshoot common issues”), execute the following verification commands.

# Verify the presence of the backup archive directory and its contents
ls -la ~/vault_archive/
 
# Verify the exact exit code of your most recently executed command
echo "Master Exit Code: $?"

Expected Output:

total 12
drwxr-xr-x 3 aloysius aloysius 4096 Jun 28 09:40 .
drwxr-xr-x 6 aloysius aloysius 4096 Jun 28 09:39 ..
drwxr-xr-x 3 aloysius aloysius 4096 Jun 28 09:40 vault_backup_20260628_094000

Master Exit Code: 0

If your terminal displays the exact timestamped backup archive directory and successfully outputs Master Exit Code: 0, you have successfully completed the lab verification!

Troubleshooting

  • Symptom: ./backup_vault.sh returns bash: ./backup_vault.sh: Permission denied.

    • Cause: You forgot to execute chmod +x backup_vault.sh in Step 5 before attempting to run the file.
    • Solution: Execute chmod +x backup_vault.sh to unlock execute permissions (-rwxr-xr-x), and re-run the script.

  • Symptom: ./backup_vault.sh returns bash: ./backup_vault.sh: /bin/bash^M: bad interpreter: No such file or directory.

    • Cause: You authored or edited the script on a Windows machine, which silently injected invisible Windows carriage return characters (\r\n) into the shebang line.
    • Solution: Execute dos2unix backup_vault.sh (or sed -i -e 's/\r$//' backup_vault.sh) to strip away the Windows carriage returns and restore pristine Linux line endings.

  • Symptom: sudo useradd returns username is not in the sudoers file. This incident will be reported.

    • Cause: Your active user account does not have administrative privileges configured in /etc/sudoers.
    • Solution: If running in a local virtual machine, you must log in as root to add your user to the sudo (or wheel on RHEL) group.

Cleanup

To maintain a clean sandbox environment for future modules, execute the following safe cleanup commands to remove the demonstration user, group, script, and vault directories.

# Jump back to the home directory to ensure a safe starting location
cd ~
 
# Safely remove the demonstration user account and group
sudo userdel -r ai-worker 2>/dev/null || true
sudo groupdel cloud-admins 2>/dev/null || true
 
# Safely remove the demonstration script, vault, and backup archive directories
rm -f backup_vault.sh
sudo rm -rf platform-vault/ vault_archive/
Building a Complete CI/CD Pipeline with GitHub Actions and ArgoCDLinux Getting Started