Free ECCouncil 312-97 Practice Exam with Questions & Answers | Set: 2

To inspect mount propagation modes for Docker containers, Rockmond needs to list all container IDs and then inspect their configuration. The docker ps --quiet --all command outputs container IDs only, which are then passed to docker inspect using xargs. The --format option allows extraction of specific fields, such as mount propagation settings. Option C correctly uses valid flags (--quiet --all) and proper formatting syntax. Options A and D incorrectly use single hyphens, and option B omits the equals sign, which is required to display the propagation value. Inspecting mount propagation during the Operate and Monitor stage helps prevent unintended privilege escalation or data modification by other containers, aligning with container hardening best practices.

========

Git hooks must have executable permissions to run automatically during Git operations such as commits. The standard way to make a file executable on Unix-like systems is by using the chmod command with the +x flag. In Elizabeth’s setup, the pre-commit hook is located in the ~/.git-templates/hooks/ directory, so the correct command is chmod a+x ~/.git-templates/hooks/pre-commit. The a+x option grants execute permission to all users, ensuring that the hook runs regardless of the user context. Options using +e are invalid because e is not a recognized permission flag. Ensuring that the hook is executable during the Code stage helps prevent accidental exposure of AWS credentials by enforcing security checks before commits are finalized.

In Go-based tool installation, the standard method to download, compile, and install a Go package is using the go get command followed by the repository import path. Since Matt has already ensured that Go version 1.8 or later is installed and that $GOPATH/bin is included in the system PATH, running go get github.com/michenriksen/gitrob will fetch the GitRob source code, build the binary, and place it in the appropriate bin directory. Options B, C, and D are invalid because go get does not accept multiple positional arguments in that manner, and go git is not a valid Go command. Installing GitRob during the Code stage enables DevSecOps teams to scan repositories for accidentally committed credentials, API keys, and other sensitive information, helping prevent data leakage from public repositories.

========

Chef InSpec provides a command-line interface for creating and executing compliance profiles. To initialize a new profile with the required directory structure, metadata file, and example controls, the correct command is inspec init profile . In Jeremy’s case, running inspec init profile jyren-azureTests creates a new folder with all required artifacts needed to write and run Azure compliance tests. Options using prof are invalid abbreviations, and prefixing the command with chef is incorrect when using the InSpec CLI directly. Creating a structured InSpec profile during the Build and Test stage enables automated validation of infrastructure against architectural standards and security policies, supporting Infrastructure as Code security and continuous compliance practices.

========

The git-multimail tool provides a mechanism to verify whether it has been installed and configured correctly before being relied upon for production notifications. This verification is done using an environment variable namedGIT_MULTIMAIL_CHECK_SETUP. When this variable is set to anon-empty string, git-multimail performs a setup validation and outputs diagnostic information toconfirm that configuration values, hooks, and parameters are correctly defined. This helps prevent silent failures where commits occur but email notifications are not sent. Options that referenceGITHUB_MULTIMAIL_CHECK_SETUPare incorrect because git-multimail is not limited to GitHub and does not use that variable name. Additionally, setting the variable to an empty string does not trigger the setup check. Ensuring proper configuration during the Code stage is important because it supports auditability, traceability, and timely communication among development and security teams. Therefore, Brett must run the environment variableGIT_MULTIMAIL_CHECK_SETUPwith a non-empty value to ensure the tool is set up appropriately.

========

Keywhiz CLI requires authentication before secrets can be added. The correct process involves logging in using the --devTrustStore option and authenticating as an administrator using the --admin flag. Once authenticated, the add secret command is used with input redirection to securely store the secret. Options that use incorrect flag names, incorrect casing, or invalid trust store identifiers do not follow Keywhiz CLI syntax. Adding secrets through Keywhiz instead of embedding them in code supports secure secret distribution and management, which is a fundamental aspect of DevSecOps culture. This approach ensures secrets remain protected, auditable, and available even during outages.

In Conjur secret management, variables are first declared in policy files and then populated with actual secret values using the Conjur CLI. The correct command to assign a value to a variable is conjur variable set, where the -i option specifies the fully qualifiedpolicy path of the variable name, and the -v option specifies thesecret valueto be stored securely. This command writes the secret into Conjur’s encrypted vault and associates it with the declared variable so that Jenkins jobs can retrieve it securely at runtime. The other options misuse flags or reverse their meanings, which would result in invalid commands or incorrect secret handling. Integrating Conjur with Jenkins during the Build and Test stage ensures that sensitive credentials such as passwords, API keys, and tokens are never hard-coded in pipeline scripts or source code. Instead, secrets are dynamically fetched when required, supporting least-privilege access, auditability, and compliance requirements—critical for financial-sector applications.

========

Runtime Application Self-Protection (RASP) operates from within the application runtime environment, monitoring incoming traffic, API calls, and execution behavior in real time. Because it has deep visibility into application logic and execution context, RASP can accurately detect attacks such as injection, tampering, and abnormal behavior while minimizing false positives. SAST analyzes source code statically, DAST tests running applications externally, and IAST combines some runtime insight with testing but does not actively block threats. RASP’s ability to detect and remediate attacks during runtime makes it ideal for protecting applications in production environments, aligning with the Operate and Monitor stage of the DevSecOps pipeline.

The Gradle wrapper script used to execute all features in the BDD Security framework on Unix-like systems is ./gradlew. The dot-slash prefix indicates execution from the current directory, which is required when running scripts locally. Options using /gardlew or /gardlev imply incorrect paths or misspelled wrapper names. Executing ./gradlew without additional parameters runs the default task, which includes all configured features such as OWASP ZAP, Nessus, SSLyze, and Selenium tests. Running all features during the Build and Test stage provides comprehensive external security testing coverage, helping identify vulnerabilities without needing access to source code.

To inspect exposed ports for running Docker containers, the recommended approach is to first retrieve container IDs using docker ps --quiet and then pass them to docker inspect. The --format option allows selective output of container configuration details, including port mappings. The command docker ps --quiet | xargs docker inspect --format ': Ports=' correctly extracts port information for each container. Options that include the --all flag or incorrect formatting are not valid for this inspection use case. Checking exposed ports is an important activity in the Operate and Monitor stage because unnecessary open ports increase the attack surface and may violate container security best practices. Regular inspection helps ensure that only required ports are exposed, supporting secure runtime operations.

========