PCCSE · Question #84
An administrator sees that a runtime audit has been generated for a host. The audit message is: 'Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix-
The correct answer is B. Default rule that alerts on suspicious runtime behavior. The audit message shows that the 'postfix' service executed '/bin/sh' to gain the SHELL capability, which is suspicious but not a custom-defined rule match. The key phrase is 'Low severity audit event is automatically added to the runtime model' - this is the behavior of the out-
Question
An administrator sees that a runtime audit has been generated for a host. The audit message is:
'Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix-script stop. Low severity audit event is automatically added to the runtime mode'' Which runtime host policy rule is the root cause for this runtime audit?
Options
- ACustom rule with specific configuration for file integrity
- BDefault rule that alerts on suspicious runtime behavior
- CCustom rule with specific configuration for networking
- DDefault rule that alerts on capabilities
How the community answered
(26 responses)- A4% (1)
- B88% (23)
- C8% (2)
Explanation
The audit message shows that the 'postfix' service executed '/bin/sh' to gain the SHELL capability, which is suspicious but not a custom-defined rule match. The key phrase is 'Low severity audit event is automatically added to the runtime model' - this is the behavior of the out-of-the-box default runtime host policy that automatically audits and alerts on suspicious capability acquisition attempts. No custom file integrity rule (A) or custom networking rule (C) is involved. The alert on capabilities (D) is a separate default rule, but the broader 'suspicious runtime behavior' default rule is the root cause here since it encompasses shell spawning by non-shell services.
Topics
Community Discussion
No community discussion yet for this question.