GCIH · Question #701
What information will be returned when an administrator executes the command below? # last -f /var/log/btmp
The correct answer is D. See failed logins. The 'last -f /var/log/btmp' command reads the btmp binary file, which records failed login attempts on Linux systems.
Question
What information will be returned when an administrator executes the command below? # last -f /var/log/btmp
Options
- ASee successful logins
- BErase bash history
- CDelete failed login logs
- DSee failed logins
How the community answered
(33 responses)- A6% (2)
- B3% (1)
- C3% (1)
- D88% (29)
Why each option
The 'last -f /var/log/btmp' command reads the btmp binary file, which records failed login attempts on Linux systems.
Successful logins are stored in /var/log/wtmp and are displayed by running 'last' without the '-f /var/log/btmp' flag.
Erasing bash history requires commands such as 'history -c' or manually modifying ~/.bash_history - the 'last' command has no such function.
The 'last' command only reads log files and does not modify or delete them; removing /var/log/btmp requires separate commands like 'rm' or '> /var/log/btmp' with root privileges.
The 'last' command by default reads /var/log/wtmp for successful login records, but when invoked with '-f /var/log/btmp', it reads the btmp file instead. The btmp file is the binary log maintained by Linux PAM that records all bad (failed) login attempts, making this command useful for auditing unauthorized access attempts.
Concept tested: Linux failed login auditing using last and btmp log file
Source: https://man7.org/linux/man-pages/man1/last.1.html
Topics
Community Discussion
No community discussion yet for this question.