312-50V11 · Question #716
You have successfully logged on a Linux system. You want to now cover your track. Your login attempt may be logged on several files located in /var/log. Which file does NOT belong to the list:
The correct answer is B. user.log. Most standard Linux login-tracking log files live in /var/log, but 'user.log' is not a standard login-tracking file on most distributions. The others - wtmp, btmp, and auth.log - all record login activity.
Question
You have successfully logged on a Linux system. You want to now cover your track. Your login attempt may be logged on several files located in /var/log. Which file does NOT belong to the list:
Options
- Awtmp
- Buser.log
- Cbtmp
- Dauth.log
How the community answered
(32 responses)- A16% (5)
- B72% (23)
- C9% (3)
- D3% (1)
Why each option
Most standard Linux login-tracking log files live in /var/log, but 'user.log' is not a standard login-tracking file on most distributions. The others - wtmp, btmp, and auth.log - all record login activity.
wtmp is a standard binary log that records all successful logins and logouts, readable via the 'last' command.
There is no standard 'user.log' file in /var/log dedicated to tracking login attempts on Linux systems. wtmp records successful logins and logouts, btmp records failed login attempts, and auth.log records authentication events including SSH and sudo - all of which an attacker would target when covering tracks.
btmp records failed login attempts and is read with 'lastb', making it a primary target for attackers covering tracks.
auth.log captures PAM, SSH, and sudo authentication events and is a well-known login-related log file on Debian-based systems.
Concept tested: Linux login tracking log files in /var/log
Source: https://man7.org/linux/man-pages/man5/wtmp.5.html
Topics
Community Discussion
No community discussion yet for this question.