A systems administrator is responsible for a fleet of Linux-based web servers. A File Integrity Monitoring (FIM) system sends an alert indicating that a critical configuration file, /etc/httpd/conf/httpd.conf, was recently modified on one of the servers. The administrator suspects unauthorized access and needs to validate the file's integrity against a known-good version. The administrator has access to a secure repository containing the original SHA-256 hashes for all baseline configuration files. Which of the following actions should the administrator perform FIRST to validate the file?
Immediately restore the httpd.conf file from the last known-good backup.
Use a network sniffer to capture and analyze traffic to and from the web server.
Review the server's firewall logs for suspicious connection attempts made around the time of the modification.
Generate a new SHA-256 hash of the current httpd.conf file and compare it to the hash from the baseline repository.
The correct action is to generate a new SHA-256 hash of the current httpd.conf file and compare it to the known-good hash from the baseline repository. This step directly follows the troubleshooting methodology by testing the theory that the file has been altered from a known-good state. Using a checksum tool like sha256sum is the standard method for verifying file integrity.
Restoring the file from a backup is a remediation step that should only be taken after the problem has been confirmed. Reviewing firewall logs or using a network sniffer are valid security investigation techniques, but they do not directly verify the integrity of the specific file in question, which is the immediate task prompted by the FIM alert.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a SHA-256 hash, and why is it used?
Open an interactive chat with Bash
How does File Integrity Monitoring (FIM) work?
Open an interactive chat with Bash
How can `sha256sum` be used to check file integrity?