Improve Chapter 01 sysadmin duties lesson

docs/lessons/01_where_to_start/1.01_essential_duties_of_a_system_administrator.md

@@ -1,79 +1,127 @@
 ### 1.01 Essential Duties of a System Administrator
 
-
+A system administrator keeps Linux systems useful, available, recoverable, and understandable. The role is not just "run commands as root." It is the habit of making careful changes, proving what happened, and leaving enough evidence for the next operator to trust the system.
 
 !!! abstract "What you will learn"
-    - Explain where **1.01 Essential Duties of a System Administrator** fits in day-to-day Linux operations.
-    - Use current Linux tooling to inspect, change, and verify the relevant system behavior.
-    - Connect the concept to a real operational scenario: a first-week junior admin onboarding into a small cloud team.
-
-!!! example "Field story"
-    Imagine a first-week junior admin onboarding into a small cloud team. Your job is not to memorize a command; it is to build a short evidence trail, choose a low-risk change, and prove whether the system improved.
+    - Describe the core responsibilities of a Linux system administrator.
+    - Collect a basic read-only health snapshot before changing a host.
+    - Separate routine administration from risky production change.
+    - Write a short handoff note that another operator can act on.
 
 !!! success "Operator principle"
-    Identify the OS, distribution, support window, and package source before changing anything.
-
-## Hands-on practice
+    Inspect first, change second, verify third, and document what changed.
 
-Run these on a disposable VM, container, or lab machine unless the lesson explicitly says otherwise.
+## The job in plain terms
 
-1. Inspect the current state with a read-only command related to this topic.
-2. Save the command and output in a short lab note.
-3. Make one reversible change or simulate the change in a sandbox.
-4. Re-run the inspection and explain what changed.
+Most sysadmin work falls into a few recurring duties:
 
-## Check your understanding
-
-- What evidence would tell you that this system is healthy?
-- What is the riskiest command in this lesson, and how would you make it safer?
-- How would you explain section 1.1 to a teammate during an incident handoff?
+| Duty | What it protects | Common evidence |
+| --- | --- | --- |
+| System health | uptime, capacity, service availability | `uptime`, `df -h`, `free -h`, `systemctl --failed` |
+| Software maintenance | security fixes, supported packages | `apt list --upgradable`, `dnf check-update`, `/etc/os-release` |
+| User and access management | least privilege, clean offboarding | `getent passwd`, `id USER`, `sudo -l -U USER` |
+| Network operations | reachability, routing, listening services | `ip address`, `ip route`, `ss -tulpn` |
+| Security hygiene | patching, logs, exposed services, backups | `journalctl`, firewall rules, backup status |
+| Incident response | fast triage, rollback, clear communication | timeline notes, commands run, current symptoms |
+| Documentation | repeatable operations and audit trails | tickets, runbooks, change records |
 
+The exact tools vary by distribution and company, but the pattern does not. A good administrator can explain what changed, why it changed, and how to undo or continue the work safely.
 
-A System Administrator, or SysAdmin is a troubleshooter, guardian, and overseer of servers. SysAdmins are the prime caretakers of a company's data and IT infrastructure, keeping the digital gears of the organization turning smoothly. Let's break down the essential duties of a system administrator:
+## Start with read-only evidence
 
-1. **Server Maintenance:** Servers are the pulsating heart of any IT infrastructure, and it's the responsibility of the SysAdmin to ensure their proper functioning. This includes regularly updating software packages, patching security vulnerabilities, and optimizing server performance – a mission-critical task to ensure the delivery of digital services.
+On a lab VM, collect this baseline before making any administrative change:
 
 ```bash
-# Command to update system packages in Ubuntu
-sudo apt update && sudo apt upgrade
+hostnamectl
+cat /etc/os-release
+uptime
+df -h
+free -h
+systemctl --failed
+ip address
+ip route
+ss -tulpn
 ```
-:gear: :hammer_and_wrench:
 
-2. **User Management:** SysAdmins also act as gatekeepers, managing user accounts and access rights. This involves creating, modifying, or deleting user accounts, managing passwords and user access to specific files or services.
+Do not paste sensitive hostnames, IP addresses, usernames, or tokens into public notes. In a real environment, follow the team's ticketing and data-handling rules.
 
-```bash
-# Command to add a new user in Linux
-sudo adduser username
-# Command to delete a user in Linux
-sudo deluser username
-```
-:lock: :busts_in_silhouette:
+## Routine work versus production change
 
-3. **Network Administration:** Ever wondered who keeps the computers in your office connected to the Internet? That's right, it's the SysAdmins. They configure and manage networks, troubleshoot connectivity issues, and monitor network performance.
+Some admin tasks are low-risk and reversible:
 
-```bash
-# Command to check network configuration
-ip address
-```
-:computer: :globe_with_meridians:
+- Checking disk usage.
+- Reading logs.
+- Listing users and groups.
+- Confirming the OS release.
+- Restarting a disposable lab service.
 
-4. **Security:** SysAdmins are the front line of defense against cyber threats. They implement security protocols, monitor systems for any suspicious activities, perform regular backups, and have disaster recovery plans in place to protect critical business data.
+Other tasks can interrupt users or destroy data:
 
-```bash
-# Command to update system security patches
-sudo apt install unattended-upgrades
-```
-:shield: :closed_lock_with_key:
+- Upgrading packages on a production host.
+- Removing users or home directories.
+- Changing firewall rules.
+- Repartitioning disks or formatting filesystems.
+- Restarting core services without a maintenance window.
 
-5. **System Monitoring and Troubleshooting:** SysAdmins always have their eyes on the performance charts. They continuously monitor system performance and resource utilization, promptly identifying and resolving any issues that arise.
+For risky work, slow down. Confirm scope, backup or rollback options, expected impact, and who approved the change.
 
-```bash
-# Command to monitor system resource usage in real-time
-top
+!!! warning "Do not practice destructive commands on a real system"
+    Commands such as `userdel -r`, `mkfs`, `rm -rf`, firewall resets, disk partitioning, and production service restarts belong in a disposable lab unless a real change has been reviewed and approved.
+
+## A first-week sysadmin workflow
+
+When you are handed a Linux host, use a repeatable workflow:
+
+1. Identify the host: hostname, distribution, kernel, role, owner, and environment.
+2. Check current health: CPU load, memory, disk, failed services, network addresses, and recent errors.
+3. Read the local notes: tickets, runbooks, deployment docs, monitoring alerts, and backup policy.
+4. Make one small change only when the goal and rollback are clear.
+5. Verify with commands that prove the intended result.
+6. Record what you saw, what you changed, and what remains unresolved.
+
+This workflow makes you useful even before you know every tool. It also prevents the common beginner mistake of changing a system before understanding it.
+
+## Hands-on practice
+
+Use a disposable Linux VM, cloud instance, or container.
+
+1. Run the read-only baseline commands from this lesson.
+2. Save the command output in a short lab note.
+3. Pick one service and inspect its status with `systemctl status SERVICE`.
+4. Find one recent log view with `journalctl -u SERVICE --since today`.
+5. Write a handoff note with three sections: `Observed`, `Changed`, and `Next`.
+
+Example handoff:
+
+```text
+Observed:
+- Host runs Ubuntu 24.04.
+- Disk usage is 41% on /.
+- No failed systemd units.
+
+Changed:
+- No production change made. Read-only baseline only.
+
+Next:
+- Confirm backup policy before applying package updates.
 ```
- :bar_chart: :mag:
 
-Being a sysadmin is like being the unseen hero behind the scenes, ensuring a trouble-free experience for users and seamless operation for the organization. This role requires a blend of technical acuity, problem-solving skills, and a deep understanding of the entire IT infrastructure. It's one that commands respect and is an excellent place to start your Linux journey. :sunglasses: :trophy:
+## Troubleshooting signals
+
+When a system feels "down," avoid guessing. Start by sorting the symptom:
+
+- Login failure: check account status, SSH reachability, PAM or auth logs, and group membership.
+- Service failure: check `systemctl status`, recent unit logs, configuration syntax, and dependency services.
+- Disk pressure: check `df -h`, `du`, log growth, old packages, and backup retention.
+- Network issue: check local address, route, DNS resolution, firewall rules, and listening ports.
+- Slow host: check load, memory pressure, disk I/O, and recent deployments.
+
+Most incidents become easier when you can name the symptom and show the evidence.
+
+## Check your understanding
 
-!!! tip "Modern networking command"
-    Older tutorials often use `ifconfig`. This course favors `ip address`, `ip link`, `ip route`, and `ss` because they are available by default on modern Linux distributions.
+- Why should you collect read-only evidence before changing a system?
+- Which sysadmin duties are about prevention rather than emergency response?
+- What makes a package upgrade risky on a production host?
+- What information belongs in a useful incident or change handoff?
+- Which commands in this lesson could reveal sensitive information in shared logs?