You have been asked to create a persistent audit rule that logs every change (write or attribute modification) to the /etc/shadow file, while ignoring normal read access. The rule must reside in /etc/audit/rules.d/50-shadow.rules and every resulting record should be labeled with the key identity_change. Which single line fulfils these requirements using standard auditctl / audit.rules syntax?
-a always,exit -F path=/etc/shadow -F perm=rw -k identity_change
In an audit watch rule, the -p flag specifies which file operations should trigger logging:
w - write access (data changes)
a - attribute changes (permission, ownership, timestamp, etc.)
r - read access
x - execute access
To record both data changes and metadata changes while excluding simple reads, the rule needs w and a but must not include r. The correct syntax therefore combines them as -p wa. Adding -k identity_change tags the resulting records, and -w /etc/shadow sets the watch on the required file.
The other options are wrong because they either log read access (include r), omit attribute changes (omit a), or use a system-call style rule that still lacks the a permission. Hence only the rule with -p wa meets all stated conditions.
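As an added example (not part of the original quiz), this Python checker applies the explanation's criteria to a rule line written in either watch form (-w/-p/-k) or syscall form (-F path=/-F perm=), which goes slightly beyond the options discussed. The function names, the requirement for an explicit permission filter, and the third sample rule are assumptions constructed for illustration.

```python
import shlex

REQUIRED = {"w", "a"}   # data writes and attribute changes must be logged
FORBIDDEN = {"r"}       # plain reads must not be logged

def parse_rule(line):
    """Extract (path, perms, key) from a -w watch rule or an
    -a always,exit rule that uses -F path= / -F perm= / -F key=."""
    toks = shlex.split(line, comments=True)
    path = perms = key = None
    for opt, arg in zip(toks, toks[1:]):   # walk adjacent (option, argument) pairs
        if opt == "-w":
            path = arg
        elif opt == "-p":
            perms = arg
        elif opt == "-k":
            key = arg
        elif opt == "-F":
            name, _, value = arg.partition("=")
            if name == "path":
                path = value
            elif name == "perm":
                perms = value
            elif name == "key":
                key = value
    return path, perms, key

def check_rule(line, path="/etc/shadow", key="identity_change"):
    """Return a list of problems; an empty list means the rule qualifies."""
    got_path, perms, got_key = parse_rule(line)
    problems = []
    if got_path != path:
        problems.append(f"path is {got_path!r}, expected {path!r}")
    if perms is None:
        problems.append("no explicit permission filter")
    else:
        for p in sorted(REQUIRED - set(perms)):
            problems.append(f"permission '{p}' missing")
        for p in sorted(FORBIDDEN & set(perms)):
            problems.append(f"permission '{p}' logs more than required")
    if got_key != key:
        problems.append(f"key is {got_key!r}, expected {key!r}")
    return problems

SAMPLES = [
    "-w /etc/shadow -p wa -k identity_change",  # form the explanation describes
    "-a always,exit -F path=/etc/shadow -F perm=rw -k identity_change",  # option shown above
    "-a always,exit -F path=/etc/shadow -F perm=wa -F key=identity_change",  # constructed
]
if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "->", check_rule(rule) or "OK")
```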
CompTIA Linux+ XK0-006 (V8)
Security