Home

Home / Palo Alto Networks / PCCSE

Question list

List of questions

Question 1

(0)

A customer wants to be notified about port scanning network activities in their environment. Which policy type detects this behavior?

Question 2

(0)

A security team is deploying Cloud Native Application Firewall (CNAF) on a containerized web application. The application is running an NGINX container. The container is listening on port 8080 and i

Question 3

(0)

Which three types of buckets exposure are available in the Data Security module? (Choose three.)

Question 4

(0)

The administrator wants to review the Console audit logs from within the Console. Which page in the Console should the administrator use to review this data, if it can be reviewed at all?

Question 5

(0)

Which statement is true regarding CloudFormation templates?

Question 6

(0)

Given a default deployment of Console, a customer needs to identify the alerted compliance checks that are set by default. Where should the customer navigate in Console?

Question 7

(0)

Which container scan is constructed correctly?

Question 8

(0)

The development team wants to fail CI jobs where a specific CVE is contained within the image. How should the development team configure the pipeline or policy to produce this outcome?

Question 9

(0)

Which three types of classifications are available in the Data Security module? (Choose three.)

Question 10

(0)

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed. How should the administrator configure Prisma Cloud Compute to satis

Open VPLUS File

Convert VPLUS to PDF

Related questions

Which three types of runtime rules can be created? (Choose three.)

DRAG DROP What is the order of steps in a Jenkins pipeline scan? (Drag the steps into the correct order of occurrence, from the first step to the last.)

DRAG DROP Match the correct scanning mode for each given operation. (Select your answer from the pull-down list. Answers may be used more than once or not at all.)

Which type of query is used for scanning Infrastructure as Code (laC) templates?

Where can a user submit an external new feature request?

What should be used to associate Prisma Cloud policies with compliance frameworks?

Which two variables must be modified to achieve automatic remediation for identity and access management (IAM) alerts in Azure cloud? (Choose two.)

A customer has a requirement to restrict any container from resolving the name www.evil-url.com . How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A Prisma Cloud administrator is onboarding a single GCP project to Prisma Cloud. Which two steps can be performed by the Terraform script? (Choose two.)

DRAG DROP You wish to create a custom policy with build and run subtypes. Match the query types for each example. (Select your answer from the pull-down list. Answers may be used more than once or not at all.)

Question 74 - PCCSE discussion

Report

The security auditors need to ensure that given compliance checks are being run on the host. Which option is a valid host compliance policy?

A.

Ensure functions are not overly permissive.

B.

Ensure host devices are not directly exposed to containers.

C.

Ensure images are created with a non-root user.

D.

Ensure compliant Docker daemon configuration.

Suggested answer: D

Explanation:

The question focuses on valid host compliance policies within a cloud environment. Among the given options, the most relevant to host compliance is ensuring compliant Docker daemon configuration. Docker daemon configurations are critical for securing the host environment where containers are run. A compliant Docker daemon configuration involves setting security-related options to ensure the Docker engine operates securely. This can include configurations related to TLS for secure communication, logging levels, authorization plugins, and user namespace remapping for isolation.

Ensuring functions are not overly permissive (Option A) and ensuring images are created with a non-root user (Option C) are more directly related to the security best practices for serverless functions and container images, respectively, rather than host-specific compliance checks. Ensuring host devices are not directly exposed to containers (Option B) is also important for security, but it falls under the broader category of container runtime security rather than host-specific compliance.

Thus, the most valid host compliance policy from the given options is to ensure a compliant Docker daemon configuration, as it directly impacts the security posture of the host environment in a containerized infrastructure. This aligns with best practices for securing Docker environments and is a common recommendation in container security guidelines, including those from Docker and cybersecurity frameworks.

Docker Documentation: Security configuration and best practices for Docker engine: https://docs.docker.com/engine/security/

CIS Docker Benchmark: Providing consensus-based best practices for securing Docker environments: https://www.cisecurity.org/benchmark/docker/

Show Answer

asked 23/09/2024

ahmed bin shehab

45 questions

User

Your answer: A B C D

0 comments

Sorted by

Leave a comment first