CompTIA CySA+ (CS0-002) — Question 274
An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts. A security analyst has created a script to snapshot the system configuration each day. One of the scripts is: cat /etc/passwd > daily_$(date +"%m_%d_%Y")
This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?
Answer options
- A. diff daily_11_03_2019 daily_11_04_2019
- B. ps -ef | grep admin > daily_process_$(date +"%m_%d_%Y")
- C. more /etc/passwd > daily_$(date +"%m_%d_%Y_%H:%M:%S")
- D. ls -lai /usr/sbin > daily_applications
Correct answer: B
Explanation
Option B is correct because it captures the currently running processes related to the 'admin' user, providing real-time insights into unauthorized activities. The other options either compare past snapshots (A), display the contents of the passwd file with a timestamp (C), or list applications in a directory (D), which do not directly relate to monitoring unauthorized account creation.