
CAS-004 Exam - Question 59


A security analyst is concerned that a malicious piece of code was downloaded on a Linux system. After some research, the analyst determines that the suspected piece of code is performing a lot of input/output (I/O) on the disk drive.

Based on the output above, from which of the following process IDs can the analyst begin an investigation?

Correct Answer: D

The output shown is from the Linux `vmstat` command, which does not display process IDs but rather system-wide statistics such as CPU and disk I/O activity. The columns of interest here are `bi` (blocks received from a block device) and `bo` (blocks sent to a block device), since they indicate disk I/O activity. The first row shows high values for both `bi` (304023) and `bo` (30004040). Although these values are not tied to any process ID in this output, the question asks for a process ID to investigate based on disk I/O. In that context, the suggestion to start with 87 can be read as the choice aligning with the CPU idle figure (a lower CPU utilization state indicates I/O wait). The best option to begin the investigation is therefore the one that correlates most closely with the suspected activity pattern, which makes '87' the option to choose.
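The confusion above about whether vmstat's `id` column is a process ID can be settled by looking at where each piece of data actually comes from. The following added example (written for this page, not part of the exam question or the site's explanation) parses constructed `vmstat` output, picks the sample interval with the most block I/O, and then does the step vmstat cannot do: attributing disk I/O to processes by reading the per-process counters in `/proc/<pid>/io`. The vmstat lines and the `/proc/<pid>/io` contents are constructed samples; the function names (`parse_vmstat`, `busiest_io_row`, `parse_proc_io`, `rank_processes_by_io`, `collect_proc_io`) are my own.

```python
"""Disk I/O triage on Linux: system-wide view from vmstat, per-process view from /proc/<pid>/io."""
import os

# Constructed sample of `vmstat 1` output (three one-second samples).
# Column 'id' under 'cpu' is the CPU idle percentage, not a process ID.
SAMPLE_VMSTAT = """\
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 2  1      0 812344  43120 512000    0    0   120  3000  210  400  5  3 87  5  0
 1  0      0 810000  43200 513000    0    0  4000 98000  350  500  4  8 40 48  0
 0  0      0 809500  43200 513200    0    0     0    40  120  200  1  1 98  0  0
"""

# Constructed contents of /proc/<pid>/io for three hypothetical processes.
SAMPLE_PROC_IO = {
    1234: "rchar: 5120\nwchar: 2048\nsyscr: 40\nsyscw: 10\n"
          "read_bytes: 4096\nwrite_bytes: 0\ncancelled_write_bytes: 0\n",
    4321: "rchar: 91000000\nwchar: 88000000\nsyscr: 9000\nsyscw: 8500\n"
          "read_bytes: 40960000\nwrite_bytes: 1002700000\ncancelled_write_bytes: 0\n",
    777:  "rchar: 12000\nwchar: 100\nsyscr: 90\nsyscw: 2\n"
          "read_bytes: 8192\nwrite_bytes: 8192\ncancelled_write_bytes: 0\n",
}


def parse_vmstat(text):
    """Return one dict per sample line, keyed by vmstat's column names (r, b, swpd, ..., st)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[1].split()          # second line carries the column names; first is the group banner
    rows = []
    for line in lines[2:]:
        fields = line.split()
        if len(fields) != len(header):  # skip repeated headers or truncated lines
            continue
        rows.append({name: int(value) for name, value in zip(header, fields)})
    return rows


def busiest_io_row(rows):
    """Index of the sample with the most block I/O (bi + bo, in blocks/s)."""
    return max(range(len(rows)), key=lambda i: rows[i]["bi"] + rows[i]["bo"])


def parse_proc_io(text):
    """Parse the 'key: value' lines of a /proc/<pid>/io file into a dict of ints."""
    counters = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if value.strip().isdigit():
            counters[key.strip()] = int(value)
    return counters


def rank_processes_by_io(io_by_pid, top=3):
    """PIDs sorted by bytes that actually hit the block layer (read_bytes + write_bytes), descending."""
    def block_bytes(pid):
        c = io_by_pid[pid]
        return c.get("read_bytes", 0) + c.get("write_bytes", 0)
    return sorted(io_by_pid, key=block_bytes, reverse=True)[:top]


def collect_proc_io(proc="/proc"):
    """Read /proc/<pid>/io for every live process. Reading other users' files requires root."""
    io_by_pid = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "io")) as fh:
                io_by_pid[int(name)] = parse_proc_io(fh.read())
        except OSError:
            continue  # process exited between listdir and open, or permission denied
    return io_by_pid


if __name__ == "__main__":
    rows = parse_vmstat(SAMPLE_VMSTAT)
    busy = busiest_io_row(rows)
    print(f"sample {busy}: bi={rows[busy]['bi']} bo={rows[busy]['bo']} "
          f"wa={rows[busy]['wa']}% idle={rows[busy]['id']}%  (idle is not a PID)")
    sample = {pid: parse_proc_io(txt) for pid, txt in SAMPLE_PROC_IO.items()}
    print("top I/O PIDs in constructed sample:", rank_processes_by_io(sample))
    # On a real host, replace the constructed sample with collect_proc_io().
```

The split mirrors how an analyst would actually work the question: `vmstat` tells you that the box is doing heavy block I/O (`bi`/`bo` high, `wa` climbing), and `/proc/<pid>/io` (or tools built on it such as `pidstat -d` and `iotop`) tells you which process is responsible. `read_bytes`/`write_bytes` count traffic to the storage layer, whereas `rchar`/`wchar` include reads and writes satisfied from the page cache, so the ranking uses the former.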

Discussion

9 comments
Burundi (Option: C)
Oct 1, 2022

It is definitely option C (source: man vmstat):

Procs: r: The number of processes waiting for run time. b: The number of processes in uninterruptible sleep.
Memory: swpd: the amount of virtual memory used. free: the amount of idle memory. buff: the amount of memory used as buffers. cache: the amount of memory used as cache. inact: the amount of inactive memory. (-a option) active: the amount of active memory. (-a option)
Swap: si: Amount of memory swapped in from disk (/s). so: Amount of memory swapped to disk (/s).
IO: bi: Blocks received from a block device (blocks/s). bo: Blocks sent to a block device (blocks/s)

patinho777 (Option: C)
Feb 9, 2022

I would say that it is C, the bo (binary output) is huge in comparison to the process ID 87

BiteSize (Option: C)
Jul 18, 2023

83 is the only answer that can be made for the row with the largest I/O. However, I agree that this is NOT a valid PID, per https://www.tutorialspoint.com/unix_commands/vmstat.htm.

am2005 (Option: C)
Feb 25, 2022

very logical C

RevZig67 (Option: C)
May 13, 2022

Just look at the BI and BO columns.

bigerblue2002
Jul 18, 2022

Maybe I am off here, but the ID may not be a process ID.

CPU: These are percentages of total CPU time. us: Time spent running non-kernel code. (user time, including nice time) sy: Time spent running kernel code. (system time) id: Time spent idle. Prior to Linux 2.5.41, this includes IO-wait time. wa: Time spent waiting for IO. Prior to Linux 2.5.41, included in idle. st: Time stolen from a virtual machine. Prior to Linux 2.6.11, unknown.

via https://access.redhat.com/solutions/1160343

dangerelchulo
Sep 8, 2022

Might be right. Higher means it requires more IO, so 87 would be higher. Will try that next time I take the test. I got this question and selected 83, so I'll stick to 87.

vakama
Nov 12, 2022

Agreed. I believe "id" in the CPU column has never meant "Process ID"; it is CPU idle. No valid answer in this question...

FOURDUE
Feb 7, 2023

The question states: "Based on the output above, from which of the following process IDs can the analyst begin an investigation?" They are identifying PIDs in the question and in the answers. Why are we reading so much into the question? Read it for what it is.

ripper69
Mar 9, 2023

Agree with this, that's not the process ID.

b49eb27
Mar 30, 2024

I think whoever wrote this question forgot that the "id" column in this stands for "idle", not "ID". So really I think we have to just assume they want the id/idle number and not the process ID, which is not shown in this terminal snippet.

bigerblue2002 (Option: D)
Jul 7, 2022

Going by the chart though, under io, the largest value is for 87. Don't know if that matters though. The problem mentions io. I know the BO column is higher on C, but not the BI, which is under io.

23169fd (Option: C)
Jul 12, 2024

BO (disk write activity) is key. Pick the highest one.