Prisma Certified Cloud Security Engineer (PCCSE) — Question 164
An administrator sees that a runtime audit has been generated for a host.
The audit message is:
`Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix-script.stop. Low severity audit, event is automatically added to the runtime model`
Which runtime host policy rule is the root cause for this runtime audit?
Answer options
- A. Custom rule with specific configuration for file integrity
- B. Custom rule with specific configuration for networking
- C. Default rule that alerts on capabilities
- D. Default rule that alerts on suspicious runtime behavior
Correct answer: D
Explanation
The correct answer is D because the audit reports suspicious runtime behavior: the service attempting to gain elevated capabilities. Options A and B are incorrect because they relate to file integrity and networking, neither of which applies to this incident. Option C is also incorrect because it specifically addresses alerts on capabilities, rather than the broader category of suspicious runtime behavior.