What must you specify when configuring a discovery scan for UNIX? (Choose two.)
Correct Answer:
BD
When configuring a discovery scan for UNIX, you must specify the CPM Scanner and the list of machines to scan. The CPM Scanner is the component responsible for executing the discovery process, and it requires a list of target machines to scan for new and modified accounts and their dependencies. This list can be provided in the form of a CSV file for UNIX machines [1]. The discovery process will then scan the predefined machines to identify privileged accounts that should be onboarded into the Vault for secure and automated management according to enterprise compliance policies [2].
References:
✑ [1] CyberArk Docs - Manage discovery processes
✑ [2] CyberArk Docs - Scan for accounts using Account Discovery
A password compliance audit found:
1) One-time password access for 20 domain accounts that are members of the Domain Admins group in Active Directory is not being enforced.
2) Sessions connecting to domain controllers are not being recorded by CyberArk PSM.
What should you do to address these findings?
Correct Answer:
A
To address the findings of the password compliance audit, you should edit the Master Policy in CyberArk Privileged Access Manager. The Master Policy is where you can enforce one-time password access and record session activity. One-time password access ensures that each password is used only once and then changed, which is a security measure to prevent unauthorized reuse of passwords [1]. Recording session activity is a feature of the Privileged Session Manager (PSM) that allows all activities during a session to be recorded for auditing purposes [2]. By enabling these settings in the Master Policy, you ensure that the domain accounts have one-time password access enforced and that all sessions connecting to domain controllers are recorded by CyberArk PSM.
References:
✑ [1] CyberArk Docs: One-time passwords and exclusive accounts
Where can reconcile and/or logon accounts be linked to an account? (Choose two.)
Correct Answer:
BD
Reconcile and logon accounts can be linked to an account within the platform settings and safe settings. The platform settings define the parameters for its linked accounts in either the Target Account or Service Account that requires them. When linked accounts are specified in the Target Account platform, they appear in the CPM pane of the Account Details page. Similarly, when they are specified in the Service Account platform, they appear in the CPM pane of the Service Account Details page [1]. Safe settings are also involved in the process of linking accounts, as they determine where the accounts are stored and managed within the CyberArk Vault.
References:
✑ [1] CyberArk Docs - Linked Accounts
✑ [2] CyberArk REST API documentation on adding Reconcile and Login Accounts to an Account
All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the show, copy, and connect buttons on those passwords on an emergency basis, but only with the approval of a member of Operations Managers. Members of Operations Managers never need to be able to use the show, copy, or connect buttons themselves.
Which safe permission do you need to grant Operations Staff? Check all that apply.
Correct Answer:
AB
To use the show, copy, and connect buttons on the accounts in the safe UnixRoot, the Operations Staff need to have the Use Accounts permission, which allows them to request access to the accounts and perform actions on them. However, since dual control is enabled for some of the accounts, they also need to have the Retrieve Accounts permission, which allows them to view the password of the account after it is authorized by another user. The Authorize Password Requests permission is not needed, as it is only required for the users who can approve the requests, not the ones who make them. The Access Safe without Authorization permission is not needed, as it would bypass the dual control mechanism and allow the Operations Staff to access the accounts without approval.
References:
✑ [Defender PAM Sample Items Study Guide], page 10, question 5
✑ [CyberArk Privileged Access Security Implementation Guide], page 30, table 2-1
✑ [CyberArk Privileged Access Security Administration Guide], page 43, section 3.2.2.1
To manage automated onboarding rules, a CyberArk user must be a member of which group?
Correct Answer:
A
To manage automated onboarding rules in CyberArk, a user must be a member of the Vault Admins group. This group has the necessary permissions to create and manage predefined rules that automatically onboard newly discovered accounts, which helps minimize the time it takes to onboard and securely manage accounts, reduces the time spent on reviewing pending accounts, and prevents human errors that may occur during manual onboarding [1].
References:
✑ [1] CyberArk’s official documentation on onboarding rules provides detailed information on the groups required to manage these rules, including the Vault Admins group.