A security analyst is investigating unauthorized privilege escalation on a Linux file server. The analyst must determine which user executed the "useradd" command at 03:17 and whether the sudoers file was modified. Which log source will most directly provide this information about user activities?
NetFlow records from the perimeter firewall
Kernel ring buffer messages accessed with dmesg
Audit logs (e.g., /var/log/audit/audit.log)
Application error log for the file-sharing service
Audit logs generated by the Linux audit framework (for example, /var/log/audit/audit.log) capture security-relevant events such as system calls, executed commands, and file permission changes together with the UID and timestamp. They therefore provide a forensic record of what each user did. Kernel ring-buffer messages (dmesg), NetFlow records, and application error logs either omit user identities or focus on different event types, so they cannot reliably show who ran useradd or edited sudoers.