CompTIA CASP+ (CAS-004) — Question 110
A security analyst receives an alert from the SIEM regarding unusual activity on an authorized public SSH jump server. To further investigate, the analyst pulls the event logs directly from /var/log/auth.log:
[Image: ssh_auth_log excerpt; the log content is not reproduced in the text.]
Which of the following actions would BEST address the potential risks posed by the activity in the logs?
Answer options
- A. Altering the misconfigured service account password
- B. Modifying the AllowUsers configuration directive
- C. Restricting external port 22 access
- D. Implementing host-key preferences
Correct answer: B
Explanation
The correct answer is B because the AllowUsers directive in sshd_config lets the administrator enumerate exactly which accounts may authenticate to the SSH server; any account not listed is denied, which directly restricts the unauthorized access seen in the logs. The other options either address different issues (a service account's password, the reachability of port 22, or host-key selection) or do not directly control which users are permitted to log in, making them less effective in this scenario.