GSEC Question #316: Real Exam Question with Answer & Explanation

The correct answer is B. ps-ef/ grep Rootkit. The ps -ef command lists all running processes in full format, and piping its output to grep filters for the specific process name, making it the correct tool to quickly locate a named process.

Question

If a Linux administrator wanted to quickly filter out extraneous data and find a running process named RootKit, which command could he use?

Options

  • A. cat/proc;grep Rootkit
  • B. ps-ef/ grep Rootkit
  • C. sed's/Rootkit/g'/var/log/messages
  • D. tail/var/log/messages> Rootkit
  • E. top-u Rootkit

Explanation

The ps -ef command lists all running processes in full format, and piping its output to grep filters for the specific process name, making it the correct tool to quickly locate a named process.

Common mistakes.

  • A. cat on the /proc directory is invalid because /proc is a virtual filesystem with subdirectories, not a file that cat can read, and using a semicolon instead of a pipe means grep would search its own stdin rather than the cat output.
  • C. The sed command shown attempts a text substitution in /var/log/messages, which searches a log file for text rather than inspecting live running processes.
  • D. tail /var/log/messages redirects the end of a log file into a file named RootKit rather than searching for a running process.
  • E. The top -u flag filters processes by username, not by process name, so top -u RootKit would look for a user account named RootKit, not a process with that name.

Concept tested. Linux process inspection using ps and grep

Reference. https://man7.org/linux/man-pages/man1/ps.1.html