An admin has configured the Linux audit framework to generate audit events for the Docker daemon’s data root. After a recent OS update, the data root is no longer being audited. What is the likely reason?
- The rules need to be added to the kernel’s audit framework by the administrator using the auditctl command after each system reboot.
- The first rule in the audit.rules file is -D, which deletes all rules and watches and means the daemon’s data root is no longer under audit.
- The rules were generated using the auditctl utility, but weren’t written to the audit.rules file and weren’t preserved on reboot. (Ans)
Which of the following is not a benefit of using a minimalist, cloud-native OS to host a Docker platform?
- The userspace hypervisor employed by cloud-native OSes helps protect the host from any potential container workload breakouts. (Ans)
- A read-only filesystem protects the Docker host from unintended changes, either accidental or malicious, which may render the host vulnerable to attack.
- Atomic updates lend themselves to immutable infrastructure, allowing for the creation of dependable, reproducible Docker platforms.
- A stripped-down OS configured for hosting the Docker platform provides a smaller surface area for an attacker to exploit.
Which of the following factors is least likely to influence your decision concerning the most appropriate tool to use and test a Docker platform for CIS Docker Benchmark compliance?
- The tool is only available as a containerized testing facility (Ans)
- The established use of an existing test framework in your organization
- The currency of the tool's implementation of the CIS Docker Benchmark
Which three environment variables can be used when configuring a Docker client to communicate with a Docker daemon using TLS?
- DOCKER_DAEMON, DOCKER_TLS_PATH, DOCKER_TLS_VERIFY.
- DOCKER_HOST, DOCKER_CERT_PATH, DOCKER_TLS_ENABLE.
- DOCKER_DAEMON, DOCKER_TLS_PATH, DOCKER_TLS_ENABLE.
- DOCKER_HOST, DOCKER_CERT_PATH, DOCKER_TLS_VERIFY. (Ans)
Which port does the Docker Engine use for secure TLS communication with clients?
- 2375
- 2377
- 2376 (Ans)
Which methods must a third-party Docker authorization plugin implement?
- AuthZPlugin.AuthZReq and AuthNPlugin.AuthNReq
- The implementation of the plugin is down to its author, provided it uses a UNIX domain socket to communicate with the daemon.
- AuthZPlugin.AuthZReq and AuthZPlugin.AuthZRes (Ans)
What is a valid method for limiting a client user from inspecting a production container whilst allowing them to inspect non-production containers?
- Provide production containers with labels and implement an authorization plugin that checks the daemon’s response body for the label and denies the response if it exists. (Ans)
- Provide production containers with labels, get the authorization plugin to check the body of the request passed by the daemon, and deny the request if the label exists.
- If you deny the user the ability to inspect a production container, you deny them the ability to inspect any container.
You require access to a self-hosted registry. When must the --insecure-registry config option be configured on the Docker daemon?
- When the registry is configured to receive API calls over plain HTTP (Ans)
- When the registry is being served from the loopback network
- When the registry uses a self-signed certificate for authentication
Which of the following commands would not pull an image from the nginxhello repo on the Docker Hub registry for the user account nbrown?
- docker image pull registry-1.docker.io/nbrown/nginxhello
- docker image pull nbrown/nginxhello
- docker image pull hub.docker.com/nbrown/nginxhello (Ans)
What secret artifact is used to decrypt the key that encrypts the Raft log in an autolock swarm cluster?
- Unlock key (Ans)
- Join token
- Node TLS key
On which date is it likely that Docker Community Edition 19.06 will cease to receive fixes and updates?
- 20th July 2019
- 15th October 2019 (Ans)
- 1st September 2019
Which utility is the most appropriate for analyzing the events that the audit framework records for all activity related to key Docker filesystem objects?
- The aureport utility is the more useful, as it summarizes the logged events.
- Aureport and ausearch provide a useful interface into the audit log and can be used independently or together. (Ans)
- The ausearch utility is the more useful, as it provides in-depth information on logged events.
A Docker client user attempts to invoke a CLI command but gets the following response:
$ docker info
Get http://wolff:2376/v1.37/info: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
* Are you trying to connect to a TLS-enabled daemon without TLS?
What is the likely problem?
- The client’s certificate has been signed by a different certificate authority to that of the Docker daemon.
- The user has not specified any command line arguments or set the appropriate environment variable for communicating with a remote Docker daemon using TLS. (Ans)
- The user has not been added to the docker group by the system admin and is unable to read or write to the local daemon’s socket.
A user runs a container and mounts a host volume inside of it so that data persists between container invocations. The daemon is configured to use user namespaces. After the container exits, the user realizes that there is no change to the volume of data. What's the likely explanation?
- Subordinate ranges may not have been specified for the remap user in the subordinate files, so Docker sets the ownership of the files to ‘nobody.’
- Volumes cannot be mounted within a container when the user namespace feature is enabled for the daemon. The daemon ignores the request to mount the volume.
- Because of the remapping associated with user namespaces, the container's process will not have the necessary privileges to write to the host's filesystem object, despite running as the root user inside the container. (Ans)
Which statement best describes the purpose of the following Rego syntax:
# allow is true only when every expression in the body holds
allow {
input.Path = "/v1.37/containers/create"
labels["com.acme/environment"] = "production"
input.Body.HostConfig.Memory != 0
}
# labels is a partial object built from the container's Labels in the request body
labels[key] = value {
input.Body.Labels[key] = value
}
- Containers created with the label com.acme/environment and set to the string production must have a memory limit set. (Ans)
- When containers are created before their deployment to production, they must not consume any of the host’s memory.
- In conjunction, the rules provide a label, called production, for a container when it starts consuming the host’s memory.
A join token is a secret generated by the initiating manager node in a swarm cluster. What is its purpose?
- To provide the joiner with the key that unlocks the manager node’s encrypted TLS credentials
- To let the manager node decide whether to allow a new node to join the cluster based on how many tokens it has generated and issued
- To let the joiner authenticate the manager, and allows the manager to register the joiner with the correct role (Ans)
A Docker daemon can authenticate a registry that uses a self-signed certificate by placing the CA certificate in a directory, such as /etc/docker/certs.d/registry.acme.com:443. What filename extension must the certificate have?
- .cert
- .pem
- .crt (Ans)
Which is the most accurate statement about the Docker platform?
- Docker platform best practices are generated by the Docker security team and embodied in the InSpec test and audit framework.
- The CIS Docker Benchmark is an audit and compliance tool used for measuring the effective security of a Docker platform.
- By consensus, security professionals and subject-matter experts define security recommendations for the Docker platform, embodied in the CIS Docker Benchmark. (Ans)
Which of the following statements is true of Docker Bench for Security?
- The Docker Bench for Security cannot run in a container because containers are created with their own set of namespaces that render the tests ineffective.
- In order to test a Docker platform effectively, the Docker Bench for Security needs to be unintrusive and should be run inside a container.
- The Docker Bench for Security can be run as a process on the host or can be run inside a container, provided the container has access to the necessary host resources. (Ans)
Which of the following specifies the required quorum in a swarm cluster of n manager nodes?
- (n - 1)/2
- (n/2) + 1 (Ans)
- (2n - 1)/2