A system administrator needs to audit all read, write, and attribute change events for the /etc/shadow file. The rule must persist across reboots and tag these events with the key shadow_watch. Which of the following lines should the administrator add to a file in the /etc/audit/rules.d/ directory to accomplish this?
The correct rule is -w /etc/shadow -p rwa -k shadow_watch. This rule uses the -w flag to establish a watch on the /etc/shadow file. The -p rwa flag correctly specifies the permissions to audit: r for read, w for write, and a for attribute changes. The -k shadow_watch flag assigns a key to the rule, which allows for easier searching and filtering of the audit logs. Placing this rule in a file within the /etc/audit/rules.d/ directory ensures that the audit daemon loads it persistently upon service start or system reboot.
The rule beginning with auditctl is incorrect because auditctl is the command-line utility used to manage audit rules in real time; it is not used within the rules configuration files. The rule with -p rwx is incorrect because it includes monitoring for execute (x) permissions, which was not specified in the requirements and is not a logical operation for the /etc/shadow file. The rule that omits the -p flag is incorrect because the permissions to monitor must be specified for a file watch.
CompTIA Linux+ XK0-006 (V8)
Security