🔥 3-day streak
CompTIA CySA+ (CS0-003)57 / 147
Question 57 of 147

A security analyst is reviewing /var/log/auth.log on a Linux web server after an alert fired. The relevant entries show: a successful SSH login for the low-privilege account 'svc_deploy' from an internal jump host, followed 40 seconds later by repeated 'sudo: svc_deploy : command not allowed' messages, and then a single entry: 'sudo: pam_unix(sudo:session): session opened for user root by svc_deploy(uid=1004)'. Which conclusion is best supported by these log entries?

Reviewed for accuracy · Report an issueNext question