CompTIA Security+ (SY0-501) — Question 235

An administrator thinks the UNIX systems may be compromised, but a review of system log files provides no useful information. After discussing the situation with the security team, the administrator suspects that the attacker may be altering the log files and removing evidence of intrusion activity.
Which of the following actions will help detect attacker attempts to further alter log files?

Answer options

• A. Enable verbose system logging
• B. Change the permissions on the user's home directory
• C. Implement remote syslog
• D. Set the bash_history log file to "read only"

Correct answer: C

Explanation

Implementing remote syslog allows for log files to be sent to a separate, secure server, making it difficult for an attacker to alter the logs undetected. Enabling verbose logging might provide more information but does not prevent tampering. Changing permissions on a home directory does not affect log file integrity, and setting the bash_history to 'read only' only protects that specific file, not the entire logging system.