Exam CS0-002 topic 1 question 128 discussion

Actual exam question from CompTIA's CS0-002
Question #: 128
Topic #: 1

An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts. A security analyst has created a script to snapshot the system configuration each day. Following is one of the scripts:

cat /etc/passwd > daily_$(date +"%m_%d_%Y")

This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?

  • A. diff daily_11_03_2019 daily_11_04_2019
  • B. ps -ef | grep admin > daily_process_$(date +%m_%d_%Y")
  • C. more /etc/passwd > daily_$(date +%m_%d_%Y_%H:%M:%S")
  • D. la -lai /usr/sbin > daily_applications
Suggested Answer: B

Comments

f3lix
Highly Voted 2 years, 5 months ago
Selected Answer: B
Guys don't make a mistake, B is the answer to this question. The question is asking to see more information about the running script. It'll be ps -ef | grep "the script, i.e python" ... with this, you can see how long the script has been running for, the storage location of the capture, size and the time the script started etc. I do this on a daily basis so I know. Answer is affirmative B!!
upvoted 8 times
aleXplicitly
2 years, 4 months ago
My guy, the script is bash not python… all the analyst is doing is outputting the /etc/passwd file to different files differentiated by each day. So the only logical thing he would do is to view the diff of 2 files to see which users are created each day. Why would viewing processes help the analyst in solving the problem with sysadmins creating unnecessary accounts?
upvoted 10 times
...
...
RobV
Most Recent 1 year, 6 months ago
Selected Answer: B
Answer is B.
upvoted 1 times
...
32d799a
1 year, 7 months ago
Selected Answer: A
Option B is focused on monitoring processes containing the term "admin" but is not directly related to changes in user accounts. To address the security incidents where unauthorized user accounts are being created, you would want to compare the snapshots of the /etc/passwd file on different days to identify any changes. Therefore, the most relevant command is: A. diff daily_11_03_2019 daily_11_04_2019
upvoted 2 times
...
chaddman
1 year, 8 months ago
Command A: diff daily_11_03_2019 daily_11_04_2019 This command compares the snapshots of the /etc/passwd file on two different days to find any differences. This could potentially highlight unauthorized user account creation by showing what changed between these two snapshots.
upvoted 1 times
...
Xoomalla
1 year, 10 months ago
My Guy (Just kidding), Your answer would convince me if the word admin is not there. Why grepping for admin? administrator can be root or Xoomalla or F3lix.
upvoted 1 times
...
naleenh
1 year, 10 months ago
Selected Answer: B
The command in option B (ps -ef | grep admin > daily_process_$(date +%m_%d_%Y")) would provide the analyst with additional useful information relevant to the script. This command uses the ps command to list all running processes (-ef flag) and then pipes the output to grep to search for processes containing the keyword "admin." The results are then redirected to a file named with the current date in the filename.
upvoted 1 times
...
Sleezyglizzy
1 year, 11 months ago
B most logical to me
upvoted 1 times
...
tutita
2 years ago
Selected Answer: B
A doesn't seem right, you are comparing 2 dates which are not stated above in the questions, and also what about the other days? I think running the command ps to see the processes makes more sense and adds additional information
upvoted 2 times
...
HereToStudy
2 years, 2 months ago
Selected Answer: B
A compares two different snapshots of the /etc/passwd file, which could be useful for identifying changes to the user account database over time but would not provide any information about specific processes or user activity.
upvoted 1 times
...
[Removed]
2 years, 3 months ago
Selected Answer: A
Diff Daily duh
upvoted 1 times
...
101martin101
2 years, 3 months ago
Selected Answer: A
The script cat /etc/passwd > daily_$(date +"%m_%d_%Y") creates a daily snapshot of the /etc/passwd file, which contains information about user accounts on the system. The script captures this information and saves it in a file named daily_<date>. To gather additional useful information relevant to the above script, the security analyst could run the following command: A. diff daily_11_03_2019 daily_11_04_2019 This command would compare the contents of the daily_11_03_2019 and daily_11_04_2019 files and show any differences. This would help the analyst identify any unauthorized changes to user accounts that may have been made between those two days.
upvoted 2 times
...
AC6280
2 years, 4 months ago
Selected Answer: B
So the question is presented as, the analyst is doing something each day (over some period of time) to gather information. I initially thought A, but that command only works for a single day as others have pointed out. I think this is CompTIA trying to trick you by giving a command that seems very useful (and honestly I would do A in real life but) but only works in that one instance (why not use the variables for that day in the script?). B allows you to output the running processes each day running under the security context of admin. Maybe there's a rogue process that has elevated its permissions. But by reviewing the processes each day, you can see what 'admin' is doing, so if there's a funny process or port that sticks out, you can investigate further.
upvoted 1 times
khrid4
2 years, 3 months ago
"additional useful information relevant to the above script" I am not sure if I can comprehend the keyword above directly but I think only A makes the most relevance for the existing script. While others are more relevant to conducting further investigation.
upvoted 1 times
...
...
aleXplicitly
2 years, 4 months ago
Selected Answer: A
Viewing the diff of each day will help the analyst figure out which accounts were created by the sysadmins…
upvoted 1 times
...
db97
2 years, 4 months ago
Selected Answer: A
I tested this on my home lab and the "A" seems to be the most logical/useful one. The diff command will show you the output of why file1.txt is different from file2.txt. For example:
echo "test" >> file1.txt
echo "test" >> file2.txt
echo "something else" >> file1.txt
diff file1.txt file2.txt --> output will be: "something else"
And that would be useful for the security analyst and figure out if new accounts were added from one day to another.
upvoted 3 times
...
Cock
2 years, 4 months ago
Selected Answer: A
The command "diff daily_11_03_2019 daily_11_04_2019" would be useful in this scenario because it compares two files and outputs the differences between them. By comparing the /etc/passwd file snapshots taken on different dates, the analyst could identify any unauthorized user accounts that were added or removed over time, which would help with their investigation into the security incidents.
upvoted 3 times
sudoaptgoaway
1 year, 9 months ago
Good point cock.
upvoted 2 times
...
...
IanRogerStewart
2 years, 5 months ago
Selected Answer: A
While it would require changing each day, A is the only one that makes sense. B is only going to pull out processes with the word "admin" in them (why would that be useful?). C & D are nonsense.
upvoted 1 times
...
knister
2 years, 5 months ago
Selected Answer: B
f3lix all the way
upvoted 3 times
...
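Added example, not part of any commenter's post or of the exam question: several comments above compare two daily /etc/passwd snapshots with diff; this bash function performs that comparison per account, reporting added, removed and changed entries and marking new UID 0 accounts. The function names and the sample accounts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: account-level comparison of two /etc/passwd snapshots.
# passwd_changes, demo and the sample accounts are constructed for illustration.

passwd_changes() {  # usage: passwd_changes OLD_SNAPSHOT NEW_SNAPSHOT
    awk -F: '
        # Older snapshot: remember each account line, keyed by login name.
        FILENAME == ARGV[1] { old[$1] = $0; next }
        # Newer snapshot: classify each account against the older one.
        {
            seen[$1] = 1
            if (!($1 in old)) {
                flag = ($3 == 0) ? " UID0" : ""   # new account with root privileges
                printf "ADDED%s %s uid=%s shell=%s\n", flag, $1, $3, $7
            } else if (old[$1] != $0) {
                printf "CHANGED %s\n", $1         # some field of the entry was edited
            }
        }
        END {
            for (name in old)
                if (!(name in seen)) printf "REMOVED %s\n", name
        }
    ' "$1" "$2" | LC_ALL=C sort
}

demo() {  # builds two constructed snapshots named like the files in option A
    dir=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' > "$dir/daily_11_03_2019"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/zsh' \
        'svc2:x:0:0::/root:/bin/bash' \
        'temp1:x:1002:1002::/home/temp1:/bin/bash' > "$dir/daily_11_04_2019"
    passwd_changes "$dir/daily_11_03_2019" "$dir/daily_11_04_2019"
    rm -rf "$dir"
}

demo
```

To run it every day against the question's snapshots, pass daily_$(date -d yesterday +%m_%d_%Y) and daily_$(date +%m_%d_%Y) as the two arguments; the -d yesterday form is GNU date.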