CompTIA PenTest+ (PT0-002) — Question 156

A penetration tester was able to compromise a web server and move laterally into a Linux web server. The tester now wants to determine the identity of the last user who signed in to the web server. Which of the following log files will show this activity?

Answer options

• A. /var/log/messages
• B. /var/log/last_user
• C. /var/log/user_log
• D. /var/log/lastlog

Correct answer: D

Explanation

The correct answer is /var/log/lastlog, as this file specifically records the last login times of users on the system. The other options do not track user login information; /var/log/messages captures system messages, while /var/log/last_user and /var/log/user_log are not standard log files found in Linux systems.