GCIH · Question #624
An investigator is auditing a UNIX system and finds the following entry in the wtmp file. What does the entry indicate? test2 pts/1 202.69.197.99 Fri Apr 01 16:45
The correct answer is C. A user with login id test2 was able to login successfully on 1st April at 16:45 hours. The wtmp file on UNIX systems records successful login events, so an entry with a username, terminal, source IP, and timestamp confirms that user test2 authenticated and established a session.
Question
An investigator is auditing a UNIX system and finds the following entry in the wtmp file. What does the entry indicate? test2 pts/1 202.69.197.99 Fri Apr 01 16:45
Options
- AA user with login id test2 attempted to login on April 1st but failed
- BA user with login id test2 logged out of the system at 16.45hrs on 1st April
- CA user with login id test2 was able to login successfully on 1st April at 16:45 hours
- DA user with login id test2 was able to login successfully with password pts
How the community answered
(22 responses)- A5% (1)
- B5% (1)
- C91% (20)
Why each option
The wtmp file on UNIX systems records successful login events, so an entry with a username, terminal, source IP, and timestamp confirms that user test2 authenticated and established a session.
Failed login attempts are written to the btmp file, not to wtmp; the presence of the entry in wtmp specifically indicates the authentication succeeded.
A logout event in wtmp typically appears as a record with a blank or dead-process username field, not a standard user record containing a source IP address.
The wtmp binary log captures every successful login, logout, and reboot event on a UNIX/Linux system. An entry containing a valid username (test2), a pseudo-terminal (pts/1), a remote IP address (202.69.197.99), and a date-time stamp is the standard record format written when a user successfully authenticates. The presence of this record in wtmp - as opposed to btmp - confirms a successful login on April 1st at 16:45.
'pts' stands for pseudo-terminal slave, which identifies the type of terminal allocated to the session - it is not related to the user's password.
Concept tested: UNIX wtmp log file login auditing
Source: https://man7.org/linux/man-pages/man5/utmp.5.html
Topics
Community Discussion
No community discussion yet for this question.