nerdexam
EC-Council

312-50V10 · Question #716

You have successfully logged on a Linux system. You want to now cover your track. Your login attempt may be logged on several files located in /var/log. Which file does NOT belong to the list:

The correct answer is B. user.log. The file 'user.log' is not a standard Linux authentication or login tracking log file found in /var/log.

System Hacking

Question

You have successfully logged on a Linux system. You want to now cover your track. Your login attempt may be logged on several files located in /var/log. Which file does NOT belong to the list:

Options

  • Awtmp
  • Buser.log
  • Cbtmp
  • Dauth.log

How the community answered

(24 responses)
  • B
    88% (21)
  • C
    8% (2)
  • D
    4% (1)

Why each option

The file 'user.log' is not a standard Linux authentication or login tracking log file found in /var/log.

Awtmp

wtmp is a valid binary log file in /var/log that records all successful logins and logouts, readable via the 'last' command.

Buser.logCorrect

Linux systems track login activity in specific standard log files: wtmp records successful logins, btmp records failed login attempts, and auth.log records authentication events including sudo and SSH. The file 'user.log' is not a standard or commonly present login-tracking log file in /var/log on most Linux distributions, making it the outlier in this list.

Cbtmp

btmp is a valid binary log file in /var/log that records failed login attempts, readable via the 'lastb' command.

Dauth.log

auth.log is a standard plain-text log file in /var/log on Debian-based systems that records authentication-related events including PAM, SSH, and sudo activity.

Concept tested: Linux /var/log login and authentication log files

Source: https://linux.die.net/man/5/wtmp

Topics

#log files#Linux security#covering tracks#audit logs

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice