Free PCCSE Exam Braindumps (page: 19)


The security auditors need to ensure that given compliance checks are being run on the host.
Which option is a valid host compliance policy?

  A. Ensure functions are not overly permissive.
  B. Ensure host devices are not directly exposed to containers.
  C. Ensure images are created with a non-root user.
  D. Ensure compliant Docker daemon configuration.

Answer(s): D

Explanation:

The question focuses on valid host compliance policies within a cloud environment. Among the given options, the one that applies to the host itself is ensuring a compliant Docker daemon configuration. The Docker daemon runs on the host and controls how every container on it is launched, so its configuration is critical to the security of the host environment. A compliant daemon configuration sets the security-related options that make the Docker engine operate securely, for example TLS for the daemon's API endpoint, appropriate logging levels, an authorization plugin, and user namespace remapping to isolate container users from host users.

Ensuring functions are not overly permissive (Option A) and ensuring images are created with a non-root user (Option C) are security best practices for serverless functions and container images, respectively, rather than host-specific compliance checks. Ensuring host devices are not directly exposed to containers (Option B) is also important, but it falls under container runtime security rather than host compliance.

Thus, the valid host compliance policy among the given options is to ensure a compliant Docker daemon configuration, because it directly shapes the security posture of the host in a containerized infrastructure. This aligns with Docker's own security guidance and with the CIS Docker Benchmark, both of which treat daemon configuration as a host-level control.


Reference:

Docker Documentation: Security configuration and best practices for Docker engine:
https://docs.docker.com/engine/security/
CIS Docker Benchmark: Providing consensus-based best practices for securing Docker environments:
https://www.cisecurity.org/benchmark/docker/



DRAG DROP
Match the correct scanning mode for each given operation.
(Select your answer from the pull-down list. Answers may be used more than once or not at all.)

  A. See Explanation section for answer.

Answer(s): A

Explanation:

Create SNS Topic Triggers: No data security scan
Select an S3 bucket: Forward Scan only
Select an S3 bucket with existing files: Forward or Backward Scan
Link S3 logging to CloudTrail: Backward Scan only

The scanning mode for Data Security in AWS typically depends on the configuration and the desired outcomes for monitoring and protecting data within S3 buckets.

Creating SNS Topic Triggers is a configuration step that does not itself involve scanning. It sets up notifications for events in S3 buckets, but on its own it does not initiate a data security scan.

Selecting an S3 bucket without reference to existing files implies that you intend to scan new objects as they are added to the bucket, which is known as a Forward Scan. This mode is proactive and scans files upon their arrival in the bucket.

When you select an S3 bucket with existing files, you can perform either a Forward Scan for new files or a Backward Scan to scan all files already in the bucket. This option provides the most comprehensive coverage, for both new and existing data.

Linking S3 logging to CloudTrail is usually done to monitor access to and changes in S3 resources. Linking S3 to CloudTrail does not by itself initiate a scan, but the CloudTrail logs can be used to trigger a Backward Scan if configured to do so, which scans the historical files in the bucket based on CloudTrail events.



A customer wants to be notified about port scanning network activities in their environment.
Which policy type detects this behavior?

  A. Network
  B. Port Scan
  C. Anomaly
  D. Config

Answer(s): B

Explanation:

To detect port scanning activity within an environment, a "Port Scan" policy type (option B) is the most appropriate. Port scanning is a reconnaissance technique that probes a host to identify open ports and the services listening on them, and it is often a precursor to an attack. A Port Scan policy is designed to detect and alert on such scanning activity, allowing the security team to investigate and respond before it escalates.
While Network (option A), Anomaly (option C), and Config (option D) policies play critical roles in cloud security, they do not specifically target the detection of port scanning behavior.



A security team is deploying Cloud Native Application Firewall (CNAF) on a containerized web application. The application is running an NGINX container. The container is listening on port 8080 and is mapped to host port 80.
Which port should the team specify in the CNAF rule to protect the application?

  A. 443
  B. 80
  C. 8080
  D. 8888

Answer(s): B

Explanation:

In the deployment scenario described, where an NGINX container listens on port 8080 and is mapped to host port 80, the Cloud Native Application Firewall (CNAF) rule should specify host port 80 (option B) to protect the application. External traffic reaches the containerized application through host port 80, which is the port exposed to the outside network; port 8080 is only visible inside the container. Specifying port 80 in the CNAF rule ensures that the firewall inspects the incoming traffic at the point where it actually enters the host.





