Terminal Mastery Assessment Plan
Overview
Purpose: Systematic assessment of terminal/CLI proficiency across the full stack you operate in.
Method: Timed scenarios, blind challenges, and practical tasks - all terminal-based.
Scoring:
-
= Not attempted
-
[~] = Partial / needed hints
-
= Completed independently
-
[!] = Mastered (could teach it)
Domain 1: Linux Fundamentals
Level 1: Navigation & File Operations
Time limit: 5 minutes each
| # | Challenge | Status |
|---|---|---|
1.1 |
Find all |
[ ] |
1.2 |
Create a directory structure |
[ ] |
1.3 |
Find and delete all |
[ ] |
1.4 |
Show disk usage of top 10 largest directories under |
[ ] |
1.5 |
Find all broken symlinks in current directory tree |
[ ] |
Expected Commands (don’t peek until attempted)
# 1.1
find /etc -name "*.conf" -mtime -7 2>/dev/null
# 1.2
mkdir -p project/{src,tests,docs}/{v1,v2}
# 1.3
find . -name "*.log" -size +100M # dry run
find . -name "*.log" -size +100M -delete
# 1.4
du -h /home --max-depth=2 2>/dev/null | sort -rh | head -10
# 1.5
find . -xtype lLevel 2: Process & System Management
Time limit: 3 minutes each
| # | Challenge | Status |
|---|---|---|
2.1 |
Find the process using the most CPU right now, show its full command line |
[ ] |
2.2 |
List all processes owned by your user, sorted by memory usage |
[ ] |
2.3 |
Find what process is listening on port 22, show PID and command |
[ ] |
2.4 |
Show all systemd services that failed to start |
[ ] |
2.5 |
Kill all processes matching "python" owned by your user (safely) |
[ ] |
Expected Commands
# 2.1
ps aux --sort=-%cpu | awk 'NR==2 {print $2}' | xargs ps -p -o pid,cmd --no-headers
# 2.2
ps -u $USER -o pid,%mem,cmd --sort=-%mem
# 2.3
ss -tlnp | awk '$4 ~ /:22$/ {print $7}'
# or: lsof -i :22
# 2.4
systemctl --failed
# 2.5
pkill -u $USER python
# or safer: pgrep -u $USER python | xargs -r killLevel 3: Performance & Troubleshooting
Time limit: 5 minutes each
| # | Challenge | Status |
|---|---|---|
3.1 |
Identify the top 5 processes by open file descriptors |
[ ] |
3.2 |
Show real-time disk I/O by process |
[ ] |
3.3 |
Find which process is writing to a specific file right now |
[ ] |
3.4 |
Trace system calls of a running process for 10 seconds |
[ ] |
3.5 |
Profile where a slow script spends its time (bash or python) |
[ ] |
Expected Commands
# 3.1
for pid in /proc/[0-9]*; do
echo "$(ls ${pid}/fd 2>/dev/null | wc -l) ${pid##*/}"
done | sort -rn | head -5 | while read count pid; do
echo "$count $(ps -p $pid -o comm= 2>/dev/null)"
done
# 3.2
sudo iotop -o
# 3.3
sudo lsof /path/to/file
# 3.4
sudo strace -p <PID> -f -tt -T -o /tmp/trace.out &
sleep 10; kill %1
# or: timeout 10 strace -p <PID> -c
# 3.5
# Bash:
bash -x script.sh 2>&1 | ts '[%H:%M:%.S]'
# Python:
python -m cProfile -s cumtime script.pyDomain 2: Text Processing (awk/sed/grep)
Level 1: Pattern Matching
Time limit: 2 minutes each
| # | Challenge | Status |
|---|---|---|
T1.1 |
Extract all IP addresses from a log file |
[ ] |
T1.2 |
Count occurrences of each unique HTTP status code in an access log |
[ ] |
T1.3 |
Find lines containing "ERROR" but not "timeout" |
[ ] |
T1.4 |
Extract the 3rd field from a colon-delimited file |
[ ] |
T1.5 |
Show lines between "START" and "END" markers (inclusive) |
[ ] |
Expected Commands
# T1.1
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' logfile
# T1.2
awk '{print $9}' access.log | sort | uniq -c | sort -rn
# T1.3
grep "ERROR" logfile | grep -v "timeout"
# T1.4
awk -F: '{print $3}' file
# T1.5
sed -n '/START/,/END/p' fileLevel 2: Transformation
Time limit: 3 minutes each
| # | Challenge | Status |
|---|---|---|
T2.1 |
Replace all occurrences of "foo" with "bar" in-place across all |
[ ] |
T2.2 |
Swap columns 1 and 3 in a CSV file |
[ ] |
T2.3 |
Convert a file from DOS line endings (CRLF) to Unix (LF) |
[ ] |
T2.4 |
Extract JSON value for key "name" from each line of JSONL file (no jq) |
[ ] |
T2.5 |
Sum all numbers in the 5th column of a space-delimited file |
[ ] |
Expected Commands
# T2.1
sed -i 's/foo/bar/g' *.txt
# or: find . -name "*.txt" -exec sed -i 's/foo/bar/g' {} +
# T2.2
awk -F, '{print $3","$2","$1}' file.csv
# T2.3
sed -i 's/\r$//' file
# or: tr -d '\r' < file > file.unix
# T2.4
grep -oP '"name"\s*:\s*"\K[^"]+' file.jsonl
# T2.5
awk '{sum += $5} END {print sum}' fileLevel 3: Complex Pipelines
Time limit: 5 minutes each
| # | Challenge | Status |
|---|---|---|
T3.1 |
From auth.log: show top 10 IPs with failed SSH attempts, with count |
[ ] |
T3.2 |
Parse Apache log: show requests per hour as a histogram |
[ ] |
T3.3 |
Find duplicate lines in a file, show line numbers where duplicates occur |
[ ] |
T3.4 |
Convert |
[ ] |
T3.5 |
Merge two sorted files, removing duplicates, output differences |
[ ] |
Expected Commands
# T3.1
grep "Failed password" /var/log/auth.log | \
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | \
sort | uniq -c | sort -rn | head -10
# T3.2
awk '{print substr($4,14,2)}' access.log | sort | uniq -c | \
awk '{printf "%s %s ", $2, $1; for(i=0;i<$1/10;i++) printf "#"; print ""}'
# T3.3
awk 'seen[$0]++ {print NR": "$0}' file
# T3.4
awk -F: 'BEGIN {print "["}
{printf "%s{\"user\":\"%s\",\"uid\":%s,\"home\":\"%s\"}",
(NR>1?",":""), $1, $3, $6}
END {print "]"}' /etc/passwd
# T3.5
comm -3 <(sort file1) <(sort file2)Domain 3: Git Mastery
Level 1: Daily Operations
| # | Challenge | Status |
|---|---|---|
G1.1 |
Show commits from the last week by author, grouped |
[ ] |
G1.2 |
Find which commit introduced a specific line of code |
[ ] |
G1.3 |
Stash changes, pull, apply stash, resolve any conflicts |
[ ] |
G1.4 |
Create a branch from a specific commit hash, not HEAD |
[ ] |
G1.5 |
Show diff of staged changes only (not unstaged) |
[ ] |
Level 2: History Surgery
| # | Challenge | Status |
|---|---|---|
G2.1 |
Squash last 3 commits into one with a new message |
[ ] |
G2.2 |
Remove a file from the last commit without changing the message |
[ ] |
G2.3 |
Find and restore a deleted file from history |
[ ] |
G2.4 |
Cherry-pick a commit from another branch, resolve conflicts |
[ ] |
G2.5 |
Revert a merge commit (specify correct parent) |
[ ] |
Level 3: Advanced Operations
| # | Challenge | Status |
|---|---|---|
G3.1 |
Bisect to find which commit introduced a bug |
[ ] |
G3.2 |
Rewrite history to change author email across all commits |
[ ] |
G3.3 |
Split a commit into two separate commits |
[ ] |
G3.4 |
Create a patch series and apply it to another repo |
[ ] |
G3.5 |
Set up and use git worktrees for parallel branch work |
[ ] |
Domain 4: Networking & Security
Level 1: Connectivity
| # | Challenge | Status |
|---|---|---|
N1.1 |
Show all listening ports with process names |
[ ] |
N1.2 |
Trace the route to a host, identify where packets drop |
[ ] |
N1.3 |
Test if a specific TCP port is open on a remote host (no telnet/nc) |
[ ] |
N1.4 |
Show current network connections grouped by state |
[ ] |
N1.5 |
Display ARP table, identify gateway MAC |
[ ] |
Expected Commands
# N1.1
ss -tlnp
# or: netstat -tlnp
# N1.2
mtr -r -c 10 target.host
# or: traceroute target.host
# N1.3
timeout 3 bash -c "</dev/tcp/host/port" && echo "open" || echo "closed"
# or: curl -v telnet://host:port --connect-timeout 3
# N1.4
ss -tan | awk 'NR>1 {print $1}' | sort | uniq -c
# N1.5
ip neigh show | grep $(ip route | awk '/default/ {print $3}')Level 2: Certificate & TLS
| # | Challenge | Status |
|---|---|---|
N2.1 |
Show certificate chain of a remote HTTPS server |
[ ] |
N2.2 |
Verify a certificate against a CA bundle |
[ ] |
N2.3 |
Extract the public key from a certificate |
[ ] |
N2.4 |
Check certificate expiration date |
[ ] |
N2.5 |
Generate a CSR with SANs from command line |
[ ] |
Expected Commands
# N2.1
openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null | \
awk '/BEGIN/,/END/'
# N2.2
openssl verify -CAfile ca-bundle.crt certificate.crt
# N2.3
openssl x509 -in cert.crt -pubkey -noout
# N2.4
openssl x509 -in cert.crt -noout -enddate
# or remote:
echo | openssl s_client -connect host:443 2>/dev/null | \
openssl x509 -noout -enddate
# N2.5
openssl req -new -key server.key -out server.csr \
-subj "/CN=server.example.com" \
-addext "subjectAltName=DNS:server.example.com,DNS:www.example.com,IP:10.0.0.1"Level 3: Packet Analysis
| # | Challenge | Status |
|---|---|---|
N3.1 |
Capture RADIUS authentication traffic, filter by Access-Request |
[ ] |
N3.2 |
Capture TLS handshake, identify cipher negotiated |
[ ] |
N3.3 |
Detect ARP spoofing on the local network |
[ ] |
N3.4 |
Capture and decode 802.1X EAP traffic |
[ ] |
N3.5 |
Extract HTTP requests from a pcap file (tcpdump output) |
[ ] |
Domain 5: SSH & Remote Administration
Level 1: Basic Operations
| # | Challenge | Status |
|---|---|---|
S1.1 |
Set up SSH key authentication, disable password auth |
[ ] |
S1.2 |
Create an SSH tunnel for local port forwarding |
[ ] |
S1.3 |
Copy files recursively via SSH preserving permissions |
[ ] |
S1.4 |
Run a command on multiple hosts in parallel |
[ ] |
S1.5 |
Add a host key to known_hosts non-interactively |
[ ] |
Level 2: Advanced Tunneling
| # | Challenge | Status |
|---|---|---|
S2.1 |
Create a reverse tunnel (expose local service to remote) |
[ ] |
S2.2 |
Set up a SOCKS proxy through SSH |
[ ] |
S2.3 |
Jump through a bastion host to reach internal server |
[ ] |
S2.4 |
Forward a Unix socket over SSH |
[ ] |
S2.5 |
Use SSH ControlMaster for connection multiplexing |
[ ] |
Level 3: Hardening & Debugging
| # | Challenge | Status |
|---|---|---|
S3.1 |
Debug SSH connection failure (verbose output analysis) |
[ ] |
S3.2 |
Configure SSH to use only specific KEX algorithms |
[ ] |
S3.3 |
Set up SSH certificate authentication (not just keys) |
[ ] |
S3.4 |
Configure GSSAPI/Kerberos SSH authentication |
[ ] |
S3.5 |
Audit SSH server configuration against CIS benchmarks |
[ ] |
Domain 6: Containers & Orchestration
Level 1: Docker Basics
| # | Challenge | Status |
|---|---|---|
D1.1 |
Run a container with custom network, mount, and env vars |
[ ] |
D1.2 |
Debug a failing container (logs, exec, inspect) |
[ ] |
D1.3 |
Build an image, tag it, push to registry |
[ ] |
D1.4 |
Show resource usage of all running containers |
[ ] |
D1.5 |
Clean up dangling images, stopped containers, unused volumes |
[ ] |
Level 2: Compose & Networking
| # | Challenge | Status |
|---|---|---|
D2.1 |
Write a docker-compose.yml with 3 services, custom network |
[ ] |
D2.2 |
Inspect container networking, identify IP and gateway |
[ ] |
D2.3 |
Connect to a container’s network namespace from host |
[ ] |
D2.4 |
Set up container log rotation |
[ ] |
D2.5 |
Export and import container filesystem as tarball |
[ ] |
Domain 7: Vim/Neovim Mastery
Level 1: Motion & Editing
Time limit: 30 seconds each
| # | Challenge | Status |
|---|---|---|
V1.1 |
Delete from cursor to end of paragraph |
[ ] |
V1.2 |
Change text inside quotes (any quote type) |
[ ] |
V1.3 |
Select a function block and move it 10 lines down |
[ ] |
V1.4 |
Search and replace in visual selection only |
[ ] |
V1.5 |
Record a macro, run it on lines 10-50 |
[ ] |
Level 2: Advanced Editing
| # | Challenge | Status |
|---|---|---|
V2.1 |
Use |
[ ] |
V2.2 |
Align text on |
[ ] |
V2.3 |
Sort lines by the 3rd column |
[ ] |
V2.4 |
Use |
[ ] |
V2.5 |
Split window, diff two files, apply changes between them |
[ ] |
Level 3: Neovim Ecosystem
| # | Challenge | Status |
|---|---|---|
V3.1 |
Debug why an LSP isn’t attaching ( |
[ ] |
V3.2 |
Write a Lua function to toggle a terminal split |
[ ] |
V3.3 |
Create a custom Telescope picker |
[ ] |
V3.4 |
Configure DAP for Python debugging |
[ ] |
V3.5 |
Write a Treesitter query to highlight custom patterns |
[ ] |
Domain 8: Active Directory & Kerberos
Level 1: Client Configuration
| # | Challenge | Status |
|---|---|---|
A1.1 |
Join a Linux machine to AD domain |
[ ] |
A1.2 |
Obtain and verify a Kerberos ticket |
[ ] |
A1.3 |
Query AD for user attributes via ldapsearch |
[ ] |
A1.4 |
Configure SSSD for AD authentication |
[ ] |
A1.5 |
Test PAM authentication against AD |
[ ] |
Level 2: Troubleshooting
| # | Challenge | Status |
|---|---|---|
A2.1 |
Debug Kerberos ticket issues (KRB5_TRACE) |
[ ] |
A2.2 |
Verify DNS SRV records for AD services |
[ ] |
A2.3 |
Check SSSD cache, clear and refresh |
[ ] |
A2.4 |
Debug LDAP bind failures |
[ ] |
A2.5 |
Verify time sync with domain controller (Kerberos requirement) |
[ ] |
Domain 9: ISE/802.1X (Your Specialty)
Level 1: Client-Side
| # | Challenge | Status |
|---|---|---|
I1.1 |
Configure wpa_supplicant for EAP-TLS |
[ ] |
I1.2 |
Configure NetworkManager 802.1X via nmcli |
[ ] |
I1.3 |
Debug EAP authentication failures from client logs |
[ ] |
I1.4 |
Test RADIUS connectivity with eapol_test |
[ ] |
I1.5 |
Verify certificate chain is complete and valid |
[ ] |
Level 2: Infrastructure
| # | Challenge | Status |
|---|---|---|
I2.1 |
Interpret ISE live log for authentication failure |
[ ] |
I2.2 |
Identify dACL applied to an endpoint |
[ ] |
I2.3 |
Trace policy set evaluation order |
[ ] |
I2.4 |
Verify RADIUS shared secret with packet capture |
[ ] |
I2.5 |
Debug MAB vs EAP-TLS policy matching |
[ ] |
Level 3: Advanced
| # | Challenge | Status |
|---|---|---|
I3.1 |
Configure iPSK with external identity source |
[ ] |
I3.2 |
Implement CoA (Change of Authorization) trigger |
[ ] |
I3.3 |
Design policy set for wired + wireless + VPN |
[ ] |
I3.4 |
Troubleshoot SGT propagation in TrustSec |
[ ] |
I3.5 |
Automate ISE configuration via ERS API |
[ ] |
Assessment Schedule
Week 1-2: Fundamentals
-
Linux Fundamentals (all levels)
-
Text Processing (all levels)
-
Git (Level 1-2)
Week 3-4: Networking & Security
-
Networking (all levels)
-
SSH (all levels)
-
Certificates deep dive
Week 5-6: Infrastructure
-
Docker (all levels)
-
AD/Kerberos (all levels)
-
ISE (Level 1-2)
Integration Scenarios (Final Exam)
These combine multiple domains. Time limit: 30 minutes each.
Scenario 1: New Linux Endpoint Deployment
Deploy a new Linux workstation to corporate network:
-
Generate certificate from internal CA
-
Configure 802.1X wired authentication
-
Join to Active Directory
-
Verify Kerberos SSO works
-
Configure UFW with appropriate rules
-
Document in AsciiDoc
Scenario 2: Incident Response
Authentication is failing for a VLAN:
-
Capture RADIUS traffic
-
Decode EAP exchange
-
Identify failure reason
-
Trace through ISE policy
-
Implement fix
-
Verify with test client
Scenario 3: Automation
Automate endpoint onboarding:
-
Write shell script to:
-
Generate CSR
-
Submit to CA (API or manual)
-
Configure NetworkManager
-
Test authentication
-
-
Make it idempotent
-
Add error handling
-
Document usage
Scenario 4: Troubleshooting Chain
Given: "SSH to server fails with 'Connection refused'"
Systematically diagnose:
-
Network connectivity
-
DNS resolution
-
Firewall rules (local and remote)
-
SSH service status
-
Authentication configuration
-
Certificate/key validity
Document each step and finding.
Progress Tracking
Domain Completion
| Domain | L1 | L2 | L3 | Total |
|---|---|---|---|---|
Linux Fundamentals |
/5 |
/5 |
/5 |
/15 |
Text Processing |
/5 |
/5 |
/5 |
/15 |
Git |
/5 |
/5 |
/5 |
/15 |
Networking |
/5 |
/5 |
/5 |
/15 |
SSH |
/5 |
/5 |
/5 |
/15 |
Containers |
/5 |
/5 |
- |
/10 |
Vim/Neovim |
/5 |
/5 |
/5 |
/15 |
AD/Kerberos |
/5 |
/5 |
- |
/10 |
ISE/802.1X |
/5 |
/5 |
/5 |
/15 |
Total |
/125 |
Mastery Levels
-
0-40: Apprentice - Keep grinding fundamentals
-
41-70: Journeyman - Solid foundation, expand breadth
-
71-100: Craftsman - Ready for senior responsibilities
-
101-115: Expert - Can architect and teach
-
116-125: Yoda - You are the documentation
Training Protocol
Daily Practice (30 min)
-
Pick 3 random challenges from different domains
-
Time yourself strictly
-
Mark status honestly
-
Review answers, understand gaps
Weekly Deep Dive (2 hours)
-
Focus on weakest domain
-
Work through all levels
-
Build real scenarios
-
Document learnings in worklog
Monthly Assessment
-
Run through integration scenarios
-
Update progress tracking
-
Adjust focus areas
-
Celebrate wins
Notes
Use this space to track observations, gaps, and breakthrough moments.
Created: 2026-02-17 by Claude Code training session