nerdexam
Palo_Alto_Networks

PCCSE · Question #84

An administrator sees that a runtime audit has been generated for a host. The audit message is: 'Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix-

The correct answer is B. Default rule that alerts on suspicious runtime behavior. The audit message shows that the 'postfix' service executed '/bin/sh' to gain the SHELL capability, which is suspicious but not a custom-defined rule match. The key phrase is 'Low severity audit event is automatically added to the runtime model' - this is the behavior of the out-

Cloud Native Security

Question

An administrator sees that a runtime audit has been generated for a host. The audit message is:

'Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix-script stop. Low severity audit event is automatically added to the runtime mode'' Which runtime host policy rule is the root cause for this runtime audit?

Options

  • ACustom rule with specific configuration for file integrity
  • BDefault rule that alerts on suspicious runtime behavior
  • CCustom rule with specific configuration for networking
  • DDefault rule that alerts on capabilities

How the community answered

(26 responses)
  • A
    4% (1)
  • B
    88% (23)
  • C
    8% (2)

Explanation

The audit message shows that the 'postfix' service executed '/bin/sh' to gain the SHELL capability, which is suspicious but not a custom-defined rule match. The key phrase is 'Low severity audit event is automatically added to the runtime model' - this is the behavior of the out-of-the-box default runtime host policy that automatically audits and alerts on suspicious capability acquisition attempts. No custom file integrity rule (A) or custom networking rule (C) is involved. The alert on capabilities (D) is a separate default rule, but the broader 'suspicious runtime behavior' default rule is the root cause here since it encompasses shell spawning by non-shell services.

Topics

#Runtime Security#Host Protection#Security Policies#Suspicious Behavior Detection

Community Discussion

No community discussion yet for this question.

Full PCCSE Practice