nerdexam
GIAC

GCIH · Question #701

What information will be returned when an administrator executes the command below? # last -f /var/log/btmp

The correct answer is D. See failed logins. The 'last -f /var/log/btmp' command reads the btmp binary file, which records failed login attempts on Linux systems.

Incident Response & Cyber Kill Chain

Question

What information will be returned when an administrator executes the command below? # last -f /var/log/btmp

Options

  • ASee successful logins
  • BErase bash history
  • CDelete failed login logs
  • DSee failed logins

How the community answered

(33 responses)
  • A
    6% (2)
  • B
    3% (1)
  • C
    3% (1)
  • D
    88% (29)

Why each option

The 'last -f /var/log/btmp' command reads the btmp binary file, which records failed login attempts on Linux systems.

ASee successful logins

Successful logins are stored in /var/log/wtmp and are displayed by running 'last' without the '-f /var/log/btmp' flag.

BErase bash history

Erasing bash history requires commands such as 'history -c' or manually modifying ~/.bash_history - the 'last' command has no such function.

CDelete failed login logs

The 'last' command only reads log files and does not modify or delete them; removing /var/log/btmp requires separate commands like 'rm' or '> /var/log/btmp' with root privileges.

DSee failed loginsCorrect

The 'last' command by default reads /var/log/wtmp for successful login records, but when invoked with '-f /var/log/btmp', it reads the btmp file instead. The btmp file is the binary log maintained by Linux PAM that records all bad (failed) login attempts, making this command useful for auditing unauthorized access attempts.

Concept tested: Linux failed login auditing using last and btmp log file

Source: https://man7.org/linux/man-pages/man1/last.1.html

Topics

#Linux logs#failed login#btmp#log analysis

Community Discussion

No community discussion yet for this question.

Full GCIH Practice