CISA Certified Information Systems Auditor – Question 2946

An intruder accesses an application server and makes changes to the system log. Which of the following would enable the identification of the changes?

A. Mirroring the system log on another server
B. Simultaneously duplicating the system log on a write-once disk
C. Write-protecting the directory containing the system log
D. Storing the backup of the system log offsite

Correct Answer: B

Explanation:
A write-once CD cannot be overwritten. Therefore, the system log duplicated on the disk could be compared to the original log to detect differences, which could be the result of changes made by an intruder. Write-protecting the system log does not prevent deletion or modification, since the superuser can override the write protection. Backup and mirroring may overwrite earlier files and may not be current.