DRAG DROP
A security auditor is reviewing the following output from file integrity monitoring software installed on a very busy server at a large service provider. The server has not been updated since it was installed. Drag and drop the log entry that identifies the first instance of server compromise.
Select and Place:
Does anyone know why this is the correct answer?
I think this answer is correct.
/etc/passwd changes a lot (adding users, etc) so the hash can be expected to change.
iptables-save doesn’t change often since ACLs are generally not edited all the time.
initrd.img is part of the boot loader, which shouldn’t change at all. The hash on it changes at 3:30 and that’s why it’s the time of the compromise.
Passwd: Changes often
IPTables: Doesn’t change often, but can change
initrd: Shouldn’t change at all
This is the same conclusion a coworker and I arrived at. The hash change for initrd is the red flag.
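The triage logic the answers above describe (passwd changes often, the iptables rule set rarely, the boot image never on an unpatched host) as an added worked example; it is not part of the exam question or any poster's answer, and the file paths, timestamps, hash values and FIM line format are all constructed here.

```python
"""Triage file-integrity-monitoring (FIM) hash changes by how often each file
is expected to change. Added example: paths, timestamps and hashes are
constructed, and the one-event-per-line FIM format is an assumption."""

# Expected change profile for a server that has never been updated (the
# question's scenario): passwd changes often, the saved iptables ACLs rarely,
# and initrd never, since no update means no legitimate rebuild of the image.
VOLATILITY = {
    "/etc/passwd": "frequent",
    "/etc/iptables-save.rules": "rare",   # assumed path for saved iptables ACLs
    "/boot/initrd.img": "never",
}
SEVERITY = {"never": 3, "rare": 2, "frequent": 1}

# Constructed FIM output, "<date> <time> <path> <old_hash> <new_hash>" per line,
# deliberately out of order to show that triage sorts by time first.
SAMPLE_LOG = """\
2023-05-02 02:05:00 /etc/passwd 9c11e4aa 0be47d31
2023-05-02 03:35:00 /etc/iptables-save.rules 1c0ffee1 2bad5eed
2023-05-02 01:10:00 /etc/passwd 7f3a19c0 9c11e4aa
2023-05-02 04:00:00 /etc/passwd 0be47d31 55a3c2f9
2023-05-02 03:30:00 /boot/initrd.img 4d2e8b77 a881f0c3
"""

def parse_fim(log_text):
    """Parse FIM lines into dicts sorted by timestamp (ISO strings sort correctly)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, path, old_hash, new_hash = line.split()
        events.append({"ts": f"{date} {time}", "path": path,
                       "old": old_hash, "new": new_hash,
                       "volatility": VOLATILITY.get(path, "rare")})  # unknown: treat as rare
    return sorted(events, key=lambda e: e["ts"])

def rank_changes(events):
    """Order changes for review: least volatile class first, then earliest."""
    return sorted(events, key=lambda e: (-SEVERITY[e["volatility"]], e["ts"]))

def first_compromise(events):
    """Earliest change to a file that should never change, as (timestamp, path)."""
    for event in events:
        if event["volatility"] == "never":
            return event["ts"], event["path"]
    return None

if __name__ == "__main__":
    print(first_compromise(parse_fim(SAMPLE_LOG)))  # → ('2023-05-02 03:30:00', '/boot/initrd.img')
```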