Red Hat RHCSA EX200: The Linux Cert You Cannot Bluff

RHCSA is the exam other certifications quietly wish they were.

Every other major IT certification in 2026 is a multiple-choice exam. You can memorise distractors, eliminate obviously wrong answers, and pass at 70% without being able to perform a single task from the exam content on a live system. RHCSA EX200 closes that gap completely. You receive a live RHEL 9 virtual machine, a list of configuration tasks, and 150 minutes. There are no hints, no answer choices, and no partial credit for almost-correct configurations. The grading script checks the live state of the system when time expires. Either the task is done correctly or it is not.

This format makes RHCSA one of the hardest entry-level certifications to fake your way through, and one of the most respected signals to hiring managers who run Linux infrastructure. An administrator with RHCSA has demonstrably sat in front of a terminal and configured storage, networking, users, SELinux, and services under exam conditions. That is a meaningful credential in a market full of paper certifications.

The exam targets mid-level Linux system administrators — engineers responsible for deploying, configuring, and maintaining RHEL in production. It is not an entry-level certification in the CompTIA A+ sense. Candidates without prior Linux command-line experience will struggle significantly. The expected preparation time is 2–4 months of hands-on practice with an actual RHEL environment, not a few weeks of reading.

What RHCSA tests: the exam objectives

Red Hat publishes the full RHCSA exam objectives publicly. Every task on EX200 is drawn from these objectives. The exam does not test obscure edge cases — it tests whether you can perform the documented objectives fluently under time pressure. Candidates who have practiced every objective until the commands are muscle memory consistently report finishing with time to spare; candidates who understand concepts but have to look up command syntax tend to run out of time.

Essential Tools and Shell Scripting

The foundation of every RHCSA task. You must be able to locate, read, and manipulate files efficiently under time pressure.

File system navigation and manipulation: ls, find, cp, mv, rm, mkdir, ln (hard and symbolic links). The exam will ask you to find files meeting specific criteria — find / -name "pattern" -type f, find files modified within N days, find files owned by a specific user. Know find cold.
Text processing: grep with -i (case-insensitive), -r (recursive), -v (invert match), and -n (line numbers). cut, sort, uniq, wc. Basic sed substitution: sed -i 's/old/new/g' file. Output redirection (>, >>) and pipes.
Vim text editor: The exam environment provides vim. You must be comfortable entering insert mode, saving (:wq), quitting without saving (:q!), searching (/pattern), and basic navigation. Many candidates underestimate how much exam time is lost to unfamiliarity with the editor.
Archive and compression: tar with -czf (create gzip archive), -xzf (extract gzip archive), -cjf/-xjf (bzip2), and -cJf/-xJf (xz). Know the flags by memory — the exam will ask you to create or extract archives to specific locations.
Simple shell scripts: The exam includes a scripting objective. You are expected to write a basic bash script with conditionals (if/then/else/fi), loops (for, while), and command-line argument handling ($1, $2, $#). Scripts must be executable (chmod +x script.sh) and must use the correct shebang line (#!/bin/bash).

Operating Running Systems

Managing the lifecycle of a RHEL system — from boot behaviour to service state and scheduled tasks.

systemd service management: systemctl start, stop, restart, enable, disable, status. The difference between start (starts now) and enable (starts at boot) is reliably tested. Know how to check whether a service is running and enabled versus just running.
Boot targets: RHEL 9 uses systemd targets instead of runlevels. systemctl get-default and systemctl set-default. Know multi-user.target (text-only, equivalent to runlevel 3) and graphical.target (GUI, equivalent to runlevel 5). The exam may ask you to set a system to boot into text mode.
Boot process and rescue mode: How to interrupt the boot to edit kernel parameters (append rd.break or init=/bin/bash to the kernel line in GRUB2). This is required for the password reset objective. Practice the full sequence: interrupt GRUB, edit the kernel line, mount the file system read-write (mount -o remount,rw /sysroot), chroot, change the root password, touch /.autorelabel to trigger SELinux relabelling on next boot, and exit cleanly.
Process management: ps aux, top, kill -9 PID, killall processname. Adjusting process priority with nice and renice.
Scheduled tasks: User-level cron jobs with crontab -e. System-level jobs in /etc/cron.d/. The cron syntax (minute, hour, day-of-month, month, day-of-week). at for one-time future execution. Know that crond must be running and enabled for jobs to execute.
Package management with DNF: dnf install, dnf remove, dnf update, dnf list installed. Configuring a DNF repository: creating a .repo file in /etc/yum.repos.d/ with the [repoid], baseurl, enabled, and gpgcheck fields. The exam will provide a repository URL and expect you to configure it correctly and install a package from it.

Local Storage and File Systems

The storage domain trips up more candidates than any other. Partitioning, LVM, and file system creation require precise command execution — one wrong flag destroys the configuration.

Partitioning with fdisk and parted: Create MBR partitions with fdisk and GPT partitions with parted or gdisk. Know the interactive commands: n (new partition), p (print), w (write). After partitioning, run partprobe to inform the kernel of the new partition table without rebooting.
LVM: Physical Volumes, Volume Groups, and Logical Volumes: The full LVM workflow is a core exam objective. pvcreate /dev/sdb1 creates a physical volume. vgcreate vgname /dev/sdb1 creates a volume group. lvcreate -n lvname -L 2G vgname creates a 2 GB logical volume. Extend a volume group: vgextend vgname /dev/sdc1. Extend a logical volume and its filesystem in one step: lvextend -r -L +1G /dev/vgname/lvname (the -r flag resizes the filesystem automatically). Know pvdisplay, vgdisplay, lvdisplay for verification.
File system creation and mounting: mkfs.xfs /dev/vgname/lvname creates an XFS file system. mkfs.ext4 /dev/sdb1 creates ext4. Mount persistently by adding an entry to /etc/fstab: the device (UUID preferred — use blkid to find it), mount point, filesystem type, options, dump, and pass values. After editing fstab, run mount -a to mount all entries and verify no errors before rebooting. A broken fstab entry causes the system to fail to boot.
Swap space: Create a swap partition or LVM logical volume, format with mkswap, activate with swapon, and add to fstab for persistence. Know swapon -s to display active swap.
NFS and autofs: Mount an NFS share manually with mount -t nfs server:/path /mountpoint. Configure autofs for on-demand mounting: install autofs, create a master map entry in /etc/auto.master pointing to an indirect map file, define the indirect map with the mount point and NFS source, then start and enable the autofs service.
Access Control Lists (ACLs): setfacl -m u:username:rwx /path sets a user ACL. setfacl -m g:groupname:r /path sets a group ACL. getfacl /path displays ACLs. Ensure the filesystem is mounted with ACL support (XFS and ext4 both support ACLs by default in RHEL 9).

Networking

Network configuration on RHEL 9 uses NetworkManager exclusively. Direct edits to network config files without using nmcli or nmtui are not persistent and are not the expected exam approach.

Static IP address configuration with nmcli: The exam will ask you to assign a static IP to a network interface. The key commands: nmcli con mod "connection-name" ipv4.addresses 192.168.1.100/24, nmcli con mod "connection-name" ipv4.gateway 192.168.1.1, nmcli con mod "connection-name" ipv4.dns 192.168.1.1, nmcli con mod "connection-name" ipv4.method manual. After modifying, bring the connection down and up: nmcli con down "connection-name" && nmcli con up "connection-name". Verify with ip addr and ip route.
Hostname configuration: hostnamectl set-hostname newhostname. Verify with hostnamectl. Local hostname resolution in /etc/hosts: add entries in the format IP FQDN short-name.
SSH configuration: Configure SSH key-based authentication: ssh-keygen -t rsa to generate a key pair, ssh-copy-id user@host to copy the public key. Know the permissions on ~/.ssh/ (700) and ~/.ssh/authorized_keys (600) — wrong permissions silently break SSH key auth. The sshd_config directives that appear on exams: PermitRootLogin, PasswordAuthentication, Port. After editing sshd_config, restart sshd with systemctl restart sshd.
Time synchronisation with chronyd: Ensure chronyd is running and enabled. Configure NTP servers in /etc/chrony.conf with server ntp.server.address iburst. Verify with chronyc tracking and chronyc sources.

Users, Groups, and Permissions

User and group management tasks appear on every RHCSA exam. The commands are straightforward but precision matters — incorrect UID/GID assignments or wrong home directory permissions fail the grading check.

User and group creation: useradd -u 1500 -g groupname -s /bin/bash -m username creates a user with a specific UID, primary group, shell, and home directory. groupadd -g 2000 groupname creates a group with a specific GID. usermod -aG supplementarygroup username adds a user to a supplementary group (-a is critical — without it, -G replaces all supplementary groups). userdel -r username deletes a user and removes the home directory.
Password management: passwd username sets a password interactively. echo "password" | passwd --stdin username sets it non-interactively. chage -l username shows password aging info. chage -M 90 username sets a 90-day maximum password age. chage -E 2026-12-31 username sets an account expiry date.
sudo access: Add a user to the wheel group (usermod -aG wheel username) for full sudo access. Or create a custom sudoers entry in /etc/sudoers.d/filename (never edit /etc/sudoers directly — use visudo to validate syntax). A typical entry: username ALL=(ALL) NOPASSWD: /usr/bin/systemctl.
Special permissions: SGID on a directory (chmod g+s /path) makes all new files in the directory inherit the directory's group rather than the creator's primary group — the standard approach for shared group directories on RHCSA exams. Sticky bit on a directory (chmod +t /path) prevents users from deleting files they do not own. SUID on an executable (chmod u+s /path) runs the file with the owner's privileges regardless of who executes it. Know the numeric equivalents: SUID=4000, SGID=2000, sticky=1000.

Security: SELinux and firewalld

SELinux and firewalld are the two security topics that cause the most RHCSA failures. Both require understanding what the tool does at a conceptual level before the commands become intuitive.

SELinux modes and status: getenforce shows the current mode (Enforcing, Permissive, or Disabled). setenforce 0 sets Permissive mode temporarily; setenforce 1 sets Enforcing mode temporarily. For a persistent change, edit /etc/selinux/config and set SELINUX=enforcing or SELINUX=permissive. The exam will require you to ensure SELinux is in Enforcing mode — a common mistake is setting it temporarily without the persistent config change.
SELinux contexts: Every file, directory, process, and network port has an SELinux context. The context format is user:role:type:level. The type component is what most rules enforce. ls -Z /path shows file contexts. ps -eZ shows process contexts. chcon -t httpd_sys_content_t /var/www/newdir changes a context temporarily. semanage fcontext -a -t httpd_sys_content_t "/var/www/newdir(/.*)?" makes the change permanent by recording it in the policy. Run restorecon -Rv /var/www/newdir to apply the stored context. This sequence (semanage + restorecon) is the correct persistent approach — chcon alone is wiped by a relabel.
SELinux booleans: Booleans toggle optional SELinux policy behaviours without writing custom policy. getsebool -a lists all booleans. setsebool -P boolean_name on enables a boolean persistently (the -P flag writes it to policy; without -P it resets on reboot). Common exam booleans: httpd_can_network_connect (allows Apache to make outbound network connections), allow_ftpd_full_access (allows FTP daemon full filesystem access). The exam will present a service that is not working because of SELinux and ask you to identify and fix the boolean or context issue.
firewalld zones and rules: firewall-cmd --get-default-zone shows the current default zone (usually public). firewall-cmd --list-all shows all rules for the default zone. Add a service permanently: firewall-cmd --permanent --add-service=http. Add a port permanently: firewall-cmd --permanent --add-port=8080/tcp. After adding permanent rules, reload: firewall-cmd --reload. Verify with firewall-cmd --list-all. The critical distinction: rules added without --permanent are runtime-only and lost on reboot; rules added with --permanent take effect after a reload.

Containers (RHEL 9 addition)

Red Hat added container management to RHCSA with the RHEL 9 exam version. The focus is on rootless Podman containers managed as systemd services — not Kubernetes or Docker.

Podman basics: podman pull image:tag pulls an image. podman run -d --name containername -p 8080:80 image:tag runs a container in detached mode with port mapping. podman ps lists running containers; podman ps -a lists all. podman stop/start/rm containername manages the lifecycle.
Rootless containers as systemd services: The exam objective requires running a container as a non-root user that starts automatically on boot. The approach: run the container as the target user, generate a systemd unit with podman generate systemd --new --name containername > ~/.config/systemd/user/containername.service, enable it with systemctl --user enable --now containername, and enable lingering for the user with loginctl enable-linger username (so the user service starts at boot without an active login session).

The most commonly failed RHCSA task is the persistent SELinux configuration. Candidates set setenforce 0 to troubleshoot a service, the service works, they move on, and the exam grading script checks the SELinux mode and marks it wrong. Always verify both the runtime mode (getenforce) and the /etc/selinux/config file before submitting any SELinux-related task. The exam checks the config file, not just the runtime state.

Exam format and what to expect

EX200 is delivered as a two-VM lab environment: one system where you perform configuration tasks, and optionally a second system for networking and NFS tasks. You receive a task list at the start of the exam — these are your objectives. There is no partial credit structure visible to you; Red Hat's automated grading checks the final system state after time expires. You can work through tasks in any order and revisit earlier tasks.

The 150-minute window sounds generous but candidates who have to look up commands routinely run out of time. The typical recommendation is to complete all tasks you know confidently first, then return to the unfamiliar ones. Some tasks are independent; others are dependencies for later tasks (you cannot mount a file system that doesn't exist yet). Build a mental map of task dependencies at the start.

A reboot is required for some tasks — particularly after changing the default systemd target or setting a persistent SELinux mode. Always reboot after making boot-configuration changes and verify the system comes back up correctly before the exam timer expires. A misconfigured /etc/fstab that prevents boot will leave you scrambling for rescue mode on exam day.

Exam logistics

EX200 is delivered remotely (via Red Hat's remote exam platform) or at an authorised testing centre. Remote delivery requires a compatible system and a stable internet connection — verify requirements before exam day. The exam is available in English and other languages. Scores are reported within three business days. Passing earns you the RHCSA certification credential, which is valid for three years before requiring recertification.

Certification stack and career paths

Where RHCSA fits in the Red Hat certification map

Red Hat Certified Engineer (RHCE — EX294) — The natural next step from RHCSA. RHCE requires passing RHCSA first and tests Ansible automation: writing playbooks, using roles, managing inventories, and automating RHEL configuration tasks. RHCE holders earn $105k–$145k and are in high demand for enterprise Linux environments. The exam is another live practical: you are given a set of Ansible tasks to automate against a multi-host inventory.
Red Hat Certified Architect (RHCA) — The expert tier, requiring RHCE plus five specialty exams chosen from Red Hat's catalog. Specialty areas include OpenShift Administration, Ansible Advanced Automation, OpenShift Development, Ceph Storage, and several others. RHCA holders earn $140k–$175k in 2026 and are typically found in large enterprise environments running Red Hat's full stack.
Red Hat Certified Specialist in Containers (EX188) — A standalone specialty exam for container workloads with Podman and OpenShift, complementary to RHCSA for candidates moving into containerised Linux environments without pursuing the full RHCE track.
AWS / Azure / GCP with Linux skills — RHCSA-level Linux competency is a strong complement to any cloud certification. EC2 instances, Azure VMs, and GCP Compute Engine instances run Linux; the ability to configure storage, networking, and services via the command line is expected for cloud operations roles that pay $120k–$160k. RHCSA + SAA-C03 or AZ-104 is a particularly strong combination for enterprise cloud roles in 2026.
Kubernetes (CKA) — The CKA and CKAD exams are also live terminal exams on Kubernetes clusters, making RHCSA candidates naturally suited to the format. RHCSA → CKA is a common path for infrastructure engineers moving from on-premises Linux administration to container orchestration.
DoD 8570 / 8140 positions — RHCSA paired with a DoD-approved baseline security certification (such as CompTIA Security+) satisfies the IAT Level II requirement under DoD 8570, opening government and defence contractor Linux administrator roles that pay a 10–25% premium over equivalent commercial positions.

Salary data and job market (2026)

RHCSA is respected by employers who run RHEL infrastructure — primarily large enterprises, financial institutions, government agencies, and defence contractors. The certification commands a clear salary premium in these environments. Entry-level Linux system administrators with RHCSA earn $75k–$95k in 2026 in major US markets; mid-level administrators with 3–5 years of experience and RHCSA earn $90k–$115k. RHCE adds approximately $30k–$40k to these bands. The cert has lower penetration in web-scale and startup environments where Ubuntu and Debian dominate, but for traditional enterprise, healthcare, government, and financial services roles, RHCSA is a first-class credential.

Red Hat Enterprise Linux holds strong market position in enterprise on-premises deployments in 2026, particularly in environments with strict security and compliance requirements. The 2023 change to RHEL source code availability (restricting CentOS Stream as the sole downstream) has if anything strengthened RHEL's position in regulated industries where organisations need long-term support contracts. Demand for RHCSA-certified administrators remains healthy and grows with hybrid cloud deployments that include RHEL VMs on AWS, Azure, and GCP (where Red Hat offers RHEL subscriptions through each provider's marketplace).

How to prepare for RHCSA

RHCSA is a practical exam. Reading about it is not sufficient preparation. Every objective must be practiced hands-on until the commands are muscle memory. The standard preparation path is 2–4 months of daily practice on an actual RHEL or AlmaLinux 9 system (AlmaLinux is the community RHEL rebuild and is exam-accurate for practising).

Set up a practice environment: Use VirtualBox or KVM to run 2–3 RHEL 9 or AlmaLinux 9 VMs. Red Hat provides a free developer subscription that allows one RHEL 9 system — sufficient for solo practice. Practise taking snapshots before each session and reverting after, so you can repeat the same task from a clean state until it is completely automatic.
Work through all exam objectives daily: Download the official EX200 exam objectives from the Red Hat certification page and create tasks for each objective. Practice each objective from a clean system state until you can complete it without any reference material. Time yourself — if a task takes more than 5 minutes of thinking or looking up syntax, it needs more practice.
Focus on the failure-prone objectives: The tasks that most commonly cause RHCSA failures are: (1) SELinux context and boolean corrections — candidates fix the immediate problem but leave SELinux in Permissive or forget to make the context persistent with semanage + restorecon; (2) LVM extension — candidates extend the logical volume but forget to extend the file system (-r with lvextend or a separate xfs_growfs/resize2fs call); (3) fstab entries — a wrong fstab entry that prevents the system from booting requires rescue mode to fix, consuming most of the remaining exam time.
Practice the full exam format: In the final two weeks before the exam, run timed mock exams: set a 150-minute timer, configure your practice VM to a known starting state, and work through a full set of 15–20 tasks without any reference material. Grade your own results by checking each task against the expected system state. Repeat until you consistently complete all tasks with 20–30 minutes remaining.

Practice Linux and IT certification concepts with CertQuests — scenario-based quizzing for RHCSA, AWS, Azure, CompTIA, and more.

Browse Practice Packs →