Palo Alto Networks Exam PCCSE Topic 5 Question 82 Discussion

Actual exam question for Palo Alto Networks's PCCSE exam

Question #: 82
Topic #: 5

An administrator sees that a runtime audit has been generated for a host. The audit message is:

''Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix- script.stop. Low severity audit, event is automatically added to the runtime model''

Which runtime host policy rule is the root cause for this runtime audit?

ACustom rule with specific configuration for file integrity

BCustom rule with specific configuration for networking

CDefault rule that alerts on capabilities

DDefault rule that alerts on suspicious runtime behavior

Show Suggested Answer

Suggested Answer: B

View users who enabled console access with both access keys and passwords: config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is true or access_key_2_active is true and password_enabled is true https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/config-query/config-query-examples

by Glory at Jul 16, 2024, 01:29 PM

Limited Time Offer

25%

Off

Get Premium PCCSE Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Odelia

2 days ago

Hmm, I'm not sure about this one. The audit message doesn't mention anything about file integrity or networking, so A) and B) don't seem to be the right answers. I'll have to think about this a little more.

upvoted 0 times

...

Luz

10 days ago

The runtime audit message suggests that the postfix service tried to obtain the SHELL capability, which is a suspicious runtime behavior. So, I think the correct answer is D) Default rule that alerts on suspicious runtime behavior.

upvoted 0 times

...