Free CyberArk PAM-DEF Practice Exam with Questions & Answers | Set: 5

 To view recorded sessions through the PVWA without having auditor access, a user needs access to two specific safes: the Recordings safe and the safe the account is in. The Recordings safe is where the PSM session recordings are stored, and users need permission to access this safe to view the recordings. Additionally, users need access to the safe where the account associated with the recorded session is stored, as this is where the session details and permissions are managed12.

References:

• CyberArk Docs - Configure video and text recordings3
• CyberArk Community - Viewing PSM recorded sessions1

 The report that provides a list of accounts stored in the vault is the Privileged Accounts Inventory report. This report can be generated in the Reports page in the PVWA by users who belong to the group that is specified in the ManageReportsGroup parameter in the Reports section of the Web Access Options in the System Configuration page1. The Privileged Accounts Inventory report contains information such as the safe, folder, name, platform ID, username, address, group, last accessed date, last accessed by, last modified date, last modified by, verification date, checkout date, checked out by, age, change failure, verification failure, master pass folder, master pass name, disabled by, and disabled reason of each account stored in the vault2. References:

• 1: Reports in PVWA
• 2: Users List Report

 During a High Availability (HA) node switch, if an error occurs and the Cluster Vault Manager Utility fails back to the original node, you should check the following log files to investigate the cause of the issue:

• VaultDB.log: This log file contains information related to the database operations within the CyberArk Vault. It can provide insights into any issues that may have occurred during the database transactions at the time of the node switch1.
• PM_Error.log: The PM_Error.log file records errors encountered by the Password Manager (PM) during its operations. This log can help identify any issues related to password management that might have contributed to the failure of the node switch1.
• ClusterVault.console.log: The ClusterVault.console.log file includes error, warning, and information messages from the CyberArk Digital Cluster Vault. It is used for advanced troubleshooting and can reveal details about the error that caused the failback to the original node2.

References:

• CyberArk Docs - Troubleshooting High Availability issues1
• CyberArk Docs - Monitoring the CyberArk Digital Cluster Vault Server2

The following statements are not true when enabling PSM recording for a target Windows server:

• A. The PSM software must be instated on the target server. This is not true, because the PSM software is installed on a dedicated server that acts as a proxy between the user and the target server. The PSM server intercepts the user’s connection request, initiates the connection to the target server, and records the privileged session. The target server does not need to have the PSM software installed on it1.
• C. PSMConnect must be added as a local user on the target server. This is not true, because PSMConnect is a predefined user that is created on the PSM server during the installation. This user is used to establish the connection between the PSM server and the target server, and to run the PSM processes. The target server does not need to have a local user named PSMConnect on it2.

The following statements are true when enabling PSM recording for a target Windows server:

• B. PSM must be enabled in the Master Policy (either directly, or through exception). This is true, because the Master Policy is a centralized overview of the security and compliance policy of privileged accounts in the organization. It allows the administrator to configure compliance driven rules that are defined as the baseline for the enterprise. One of the rules in the Master Policy is the Session Isolation rule, which determines whether or not privileged sessions are isolated and recorded by PSM. This rule can be enabled either directly in the Master Policy, or through an exception for a specific scope of accounts3.
• D. RDP must be enabled on the target server. This is true, because RDP is the protocol that is used by PSM to connect to Windows servers. The target server must have RDP enabled and configured properly to allow the PSM server to access it. The PSM server must also have the RDP client installed on it4.

References:

• 1: Privileged Session Manager
• 2: PSMConnect and PSMAdminConnect
• 3: Session Isolation
• 4: Configure RDP for PSM

The minvalidity parameter on a platform policy in CyberArk determines the minimum amount of time that must pass between the retrieval of a password and when the account becomes eligible for a password change. This parameter ensures that a user has a guaranteed period to use the password before it is changed again, providing stability and predictability in password management1. References: The information provided is based on general knowledge of CyberArk PAM best practices and the functionality of the minvalidity parameter as outlined in CyberArk’s official documentation

When using the AccountUploader Utility to create accounts with SSH keys, the parameter used to set the full or relative path of the SSH private key file that will be attached to the account is KeyFile. This parameter specifies the location of the SSH private key file, which is then associated with the account being onboarded into the CyberArk Privileged Access Security system. The correct configuration of this parameter is crucial for the successful attachment of the SSH key to the account1.

References:

• CyberArk’s official documentation on the AccountUploader Utility, which provides detailed information on the parameters and usage for onboarding accounts with SSH keys1.

According to the CyberArk Defender PAM documentation1, when Dual Control is enabled, a user must first submit a request in the Password Vault Web Access (PVWA) and receive approval before being able to launch a secure connection via PSM for Windows (previously known as RDP Proxy). This is a security feature that ensures that passwords can only be retrieved after permission or ‘confirmation’ has been granted from an authorized Safe Owner(s). The user must specify the reason for accessing the account, whether they will access it once or multiple times, and the time period during which they will access it. The request is then sent to the authorized Safe Owners, who can either confirm or reject it. The number of confirmations required is defined in the Master Policy. Only after the user receives the required confirmations, they can activate the request and access the account through PSM for Windows. This way, Dual Control adds an additional measure of protection and accountability for accessing sensitive accounts.

The Master Policy in CyberArk allows organizations to permit users to check out a ‘one-time’ password and lock it so that no other users can retrieve it at the same time. After the user has used the password, they check the password back into the Vault, ensuring exclusive usage of the privileged account. This is achieved by setting the ‘Enforce check-in/check-out exclusive access’ to active. Additionally, to ensure that all sessions are monitored and isolated, the ‘Require privileged session monitoring and isolation’ must also be set to active. This combination of settings guarantees both the exclusive access to privileged accounts and the necessary session monitoring for security and compliance purposes1.

References:

• CyberArk’s official documentation on Account check-out and check-in1.
• The Master Policy overview provided by CyberArk2.

The command to configure email alerts within PTA (Privileged Threat Analytics) after the initial installation is /opt/tomcat/utility/emailConfiguration.sh. This command is used to start the PTA utility that allows you to set up email notifications for various alerts. During the configuration process, you will be prompted to enter details such as the SMTP/S protocol, email server IP address, SMTP port, sender’s email address, and recipient’s email address. If the mail server requires authentication, you will also need to provide the username and password for the user that will send email notifications1.

References:

• CyberArk’s official documentation provides a detailed procedure on how to configure PTA to send alerts to emails, including the use of the /opt/tomcat/utility/emailConfiguration.sh command

 To ensure that each component server is operational, you can log on to the Privileged Vault Web Access (PVWA) with the version 10 user interface, navigate to the Healthcheck section, and validate that each component server is connected to the Vault. The System Health dashboard in PVWA provides a high-level visual representation of the health status of the different CyberArk components, including whether the Vault service is up and whether the component servers are connected1.

References:

• CyberArk Docs - Monitor system health