CompTIA Server+ SK0-005 Practice Question
During a post-incident review you discover that one senior administrator temporarily stopped event logging on several production servers, made unauthorized changes, and then re-enabled logging to hide the activity. Management wants to implement a control that prevents any single individual from both altering system settings and validating the related audit information. Which of the following actions BEST satisfies this goal?
Install host-based intrusion detection on each server and alert when the logging service is stopped.
Copy all server logs to write-once, read-many (WORM) storage so they cannot be altered after the fact.
Enforce 15-character complex passwords for all privileged accounts and require rotation every 90 days.
Assign log collection and analysis to a security operations group that has no server administration privileges, while system configuration remains with the existing administrators.