CompTIA CySA+ (CS0-003) — Question 304

A user is suspected of violating policy by logging in to a Linux VM during non-business hours. Which of the following system files is the best way to track the user’s activities?

Answer options

• A. /var/log/secure
• B. /etc/motd
• C. /var/log/messages
• D. /etc/passwd

Correct answer: A

Explanation

/var/log/secure is the appropriate file to examine as it logs authentication attempts and user login activities, making it crucial for tracking user behavior. The other options do not provide relevant information: /etc/motd displays a message upon login, /var/log/messages contains general system messages, and /etc/passwd holds user account information but not activity logs.