Palo Alto Networks Exam PCCSE Topic 5 Question 82 Discussion

Actual exam question for Palo Alto Networks's PCCSE exam

Question #: 82
Topic #: 5

An administrator sees that a runtime audit has been generated for a host. The audit message is:

''Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix- script.stop. Low severity audit, event is automatically added to the runtime model''

Which runtime host policy rule is the root cause for this runtime audit?

ACustom rule with specific configuration for file integrity

BCustom rule with specific configuration for networking

CDefault rule that alerts on capabilities

DDefault rule that alerts on suspicious runtime behavior

Show Suggested Answer

Suggested Answer: B

View users who enabled console access with both access keys and passwords: config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is true or access_key_2_active is true and password_enabled is true https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/config-query/config-query-examples

by Glory at Jul 16, 2024, 01:29 PM

Limited Time Offer

25%

Off

Get Premium PCCSE Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Pamella

1 months ago

I'm just going to go with C) Default rule that alerts on capabilities. Seems like the safest bet, and who knows, maybe the exam writers were feeling generous and decided to make this one a giveaway. *winks*

upvoted 0 times

Johnna

6 days ago

I agree, default rules are usually there for a reason.

upvoted 0 times

...

Doug

10 days ago

Yeah, that makes sense. It's better to go with the default rule in this case.

upvoted 0 times

...

Roosevelt

22 days ago

I think C) Default rule that alerts on capabilities is the most likely answer.

upvoted 0 times

...

Samuel

1 months ago

This question is a real head-scratcher! I bet the exam writers were chuckling to themselves when they came up with this one. Anyway, I'm going to go with D) Default rule that alerts on suspicious runtime behavior. Seems like the most logical choice to me.

upvoted 0 times

...

Aaron

1 months ago

Ah, I see! The audit message specifically mentions the postfix-script.stop file, which is likely a command used by the postfix service. So, the correct answer must be C) Default rule that alerts on capabilities.

upvoted 0 times

Paris

20 days ago

Exactly, the audit message clearly points to the postfix service attempting to obtain a specific capability.

upvoted 0 times

...

France

21 days ago

So, the default rule that alerts on capabilities would be triggered in this case.

upvoted 0 times

...

Erick

24 days ago

Yes, that makes sense. The postfix service was trying to obtain the SHELL capability.

upvoted 0 times

...

Odelia

2 months ago

Hmm, I'm not sure about this one. The audit message doesn't mention anything about file integrity or networking, so A) and B) don't seem to be the right answers. I'll have to think about this a little more.

upvoted 0 times

Bernardine

1 months ago

That makes sense, the audit message does mention the service attempting to obtain a capability.

upvoted 0 times

...

Novella

1 months ago

I think the answer might be C) Default rule that alerts on capabilities.

upvoted 0 times

...

Luz

3 months ago

The runtime audit message suggests that the postfix service tried to obtain the SHELL capability, which is a suspicious runtime behavior. So, I think the correct answer is D) Default rule that alerts on suspicious runtime behavior.

upvoted 0 times