Fountain and plaques at a Buddhist temple.

Answer #6 — CompTIA Security+ Guidance

Answer #6

LAST WEEK:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842 

You are examining records from a busy server that is critical to your organization's financial well-being. What should you report to management?

A: Everything seems to be fine.
B: A user is violating the AUP.
C: An intruder has gained administrative access and changed the system configuration.
D: An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.

The file /etc/shadow changed, but we expect this. It will change every time a user changes their password. Apparently "busy" implies enough users that we caught someone changing their password between yesterday's and today's Tripwire run.