CompTIA Server+ SK0-005 Practice Question
During a post-incident review you discover that one senior administrator temporarily stopped event logging on several production servers, made unauthorized changes, and then re-enabled logging to hide the activity. Management wants to implement a control that prevents any single individual from both altering system settings and validating the related audit information. Which of the following actions BEST satisfies this goal?
Assign log collection and analysis to a security operations group that has no server administration privileges, while system configuration remains with the existing administrators.
Copy all server logs to write-once, read-many (WORM) storage so they cannot be altered after the fact.
Enforce 15-character complex passwords for all privileged accounts and require rotation every 90 days.
Install host-based intrusion detection on each server and alert when the logging service is stopped.