Which of the following entries should cause the analyst the MOST concern?

An organization has a strict policy that if elevated permissions are needed, users should always run commands under their own account, with temporary administrator privileges if necessary.

A security analyst is reviewing syslog entries and sees the following:

Which of the following entries should cause the analyst the MOST concern?
A . <100>2 2020-01-10T19:33:41.002z webserver su 201 32001 = BOM ‘ su vi httpd.conf’ failed for joe
B. <100>2 2020-01-10T20:36:36.0010z financeserver su 201 32001 = BOM ‘ sudo vi users.txt success
C. <100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ‘ su vi syslog.conf failed for jos
D. <100> 2020-01-10T19:34..002z financeserver su 201 32001 = BOM ‘ su vi success
E. <100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ‘ su vi httpd.conf’ success

View Answer

Answer: D

Explanation:

The syslog entries show the attempts of users to run commands with elevated permissions on two servers: webserver and finance server. The entries include the date and time, the server name, the command used (su or sudo), the user name, and the outcome (success or failed). The policy of the organization states that users should always run commands under their own account, with temporary administrator privileges if necessary. This means that users should use sudo to run commands as another user (usually root), rather than su to switch to another user’s account. Therefore, the entry that should cause the analyst the most concern is D. <100> 2020-01-10T19:34…002z financeserver su 201 32001 = BOM ’ su vi success. This entry shows that someone used su to switch to another user’s account on the finance server and successfully edited a file with vi. This could indicate an unauthorized access or a compromised account.

Reference: What is the difference between “su” and “sudo”? | Ask Ubuntu