On Linux systems, where would you typically find authentication logs that help reconstruct user activity after a breach?

Multiple Choice

Explanation:
Authentication activity is typically recorded in dedicated log files that capture login attempts, sudo actions, and PAM events. On Linux, you’ll usually find these in /var/log/auth.log or /var/log/secure, depending on distribution. These logs let you reconstruct user activity after a breach by showing who attempted to log in, from where (IP), when, and whether the attempt succeeded, along with elevated actions like sudo. The other paths don’t hold authentication events: /etc/shadow stores password hashes and aging data; /proc/cid isn’t a standard log location; /boot/grub/grub.cfg is the bootloader configuration and contains no user authentication data. Note that some systems use the systemd journal, accessible via journalctl, but the typical location referenced is the auth log or secure log.