CISSP · Question #1488
A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What MUST an administrator review to audit a user's access to data files?
The correct answer is D. Guest OS audit logs. In a strongly isolated VM environment, each guest OS manages its own file access independently. Auditing user access to data files requires reviewing the audit logs maintained by the specific guest OS where those files reside.
Question
Options
- AHost VM monitor audit logs
- BGuest OS access controls
- CHost VM access controls
- DGuest OS audit logs
How the community answered
(57 responses)- A12% (7)
- B9% (5)
- C5% (3)
- D74% (42)
Why each option
In a strongly isolated VM environment, each guest OS manages its own file access independently. Auditing user access to data files requires reviewing the audit logs maintained by the specific guest OS where those files reside.
The VM monitor (hypervisor) audit logs track hypervisor-level events such as VM creation, deletion, and resource allocation, not user-level file access within individual guest operating systems.
Guest OS access controls define permissions and policies for who can access files, but they do not provide an audit trail or log of actual access events that have already occurred.
Host VM access controls govern who can manage the hypervisor and virtual machine configurations, not who accessed data files within a specific guest OS.
In a virtualized environment with strong isolation, each guest OS operates independently and maintains its own audit logs for file and resource access. Since data files live within the guest OS filesystem, only the guest OS audit logs capture user-level file access events such as reads, writes, and permission changes. The hypervisor has no visibility into file-level operations occurring inside the guest.
Concept tested: Guest OS audit logging in virtualized environments
Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-object-access
Topics
Community Discussion
No community discussion yet for this question.