Implementing Your Strategy(not needed for exam)

Question 1

What’s the benefit of using a baseline approach as a starting point for your security strategy?

A. A baseline approach allows you to fully customize all the rules according to your organization’s needs.
B. You set the rules without the need for guidance.
C. You transfer the risk from yourself by using an approved baseline that a reputable author/authority creates.

Answer 1

C. You transfer the risk from yourself by using an approved baseline that a reputable author/authority creates.

With a baseline approach, you follow a checklist of prescribed controls and settings that you can configure to the baseline that you and your organization’s security team have decided on.

Question 2

What action takes place before tailoring your baseline with ODVs?

A. Generate new rules
B. Customize rules
C. Generate inital guidance

Answer 2

C. Generate inital guidance

Before you tailor your baseline, you should create documentation in the form of initial guidance to direct conversations with your security team and make important security-related decisions about which rules to include, omit, and customize in your security strategy.

Question 3

When discussing baselines and rules, which items CANNOT be properly tailored?

A. Rules
B. Benchmarks
C. Baselines

Answer 3

B. Benchmarks

You can edit a baseline by omitting rules, and you can edit rules by changing their values. But controls that the benchmark authors publish are intended to be measured against.

Question 4

Why must you generate revised guidance after tailoring a baseline?

A. The revised guidance removes any previous settings that were generated every time a baseline is tailored.
B. You must generate revised guidance every time you change a new setting in the baseline.
C. It allows you to scan and compare your current endpoint devices against the custom benchmark that you create based on your security plan.

Answer 4

C. It allows you to scan and compare your current endpoint devices against the custom benchmark that you create based on your security plan.

You use this guidance to scan your endpoints and bring them into compliance using the compliance script that you generate.

Question 5

What’s the purpose of the auditor guide?

A. This file runs checks and fixes on controls to modify any rules that require customization.
B. This file contains a report that auditors can submit to security teams to show compliance.
C. This file helps an auditor spot check controls and identify any customizations of rules.

Answer 5

C. This file helps an auditor spot check controls and identify any customizations of rules.

If rules were customized using the custom directory, then the .xls auditor guide can identify which customizations were implemented.

Question 6

What tasks does the compliance script perform?

A. It compares the settings in the managed endpoint computer with the guidance. Then it changes the settings that reflect a fail status so that the Mac computer is in compliance with the baseline rules.

B. It compares the settings in the managed endpoint computer with a computer that’s in compliance. Then it builds a list of results that reflects the pass or fail status of how each setting complies with those specified in the baseline’s rules.

C. It compares the settings in the managed endpoint computer with the guidance. Then it builds a list of results that reflects the pass or fail status of how each setting complies with those specified in the baseline’s rules.

Answer 6

C. It compares the settings in the managed endpoint computer with the guidance. Then it builds a list of results that reflects the pass or fail status of how each setting complies with those specified in the baseline’s rules.

The script creates output files that you can use to check and fix those settings that are out of compliance with the rules specified in the guidance.

Question 7

On macOS, which of the following isn’t used by the mSCP Security Compliance Tool to remediate?

A. Manually
B. Configuration profiles
C. Blueprints

Answer 7

C. Blueprints

You can’t use Apple Configurator Blueprints with the mSCP.

Question 8

While reviewing a rule in the auditor guide, what information does the Mechanism column contain?

A. It shows a description of the setting.
B. It shows the name of the setting.
C. It describes the method by which a noncompliant rule will be remediated.

Answer 8

C. It describes the method by which a noncompliant rule will be remediated.

A mechanism is a method that you use to remediate the settings that failed and then achieve compliance.

Question 9

Which column in the auditor guide contains customized ODVs?

A. Title
B. Mechanism
C. Modified Rule

Answer 9

C. Modified Rule

This column contains any customized ODVs.

Question 10

What does the -x option do in the generate_guidance.py script?

A. It excludes rules defined in a baseline with a specified tag.
B. It generates reference documentation for the supplied baseline.
C. It creates mitigation scripts for extra rules defined in the custom rules folder.

Answer 10

B. It generates reference documentation for the supplied baseline.

The -x option generates baseline documentation in AsciiDoc, HTML, .xls, and PDF formats.

Question 11

Which term describes the process used to select which rules to include in a baseline?

A. Customizing
B. Streamlining
C. Tailoring

Answer 11

C. Tailoring

The process used to select which rules to include in a baseline is called tailoring.

Question 12

When using the generate_baseline.py script to customize rules for a baseline, what does the -t option do?

A. It performs an audit on a specified baseline.
B. It adds a timestamp to the generated baseline.
C. It runs the script in interactive tailoring mode.

Answer 12

C. It runs the script in interactive tailoring mode.

In this mode the script asks you for custom input values for each rule in the custom benchmark.

Question 13

Where should you put modified rules that you want to include in the output that the generate_baseline.py script generates?

A. In the project’s rules directory
B. In the project’s build directory
C. In the project’s includes directory
D. In the project’s custom/rules directory

Answer 13

D. In the project’s custom/rules directory

Modified rules should be placed in the custom/rules directory to be included in any custom baselines that the generate_baseline.py script generates.

Question 14

When adding a custom rule that’s not part of the mSCP, where must you add the reference to your custom rule so that it’s included in the generated output?

A. At the end of the supported_payloads.yaml file
B. On a new line in an org.baseline.plist file in the project’s includes directory
C. On a new line in the appropriate section in your custom baseline file with a reference to the rule ID contained in your custom rule

Answer 14

C. On a new line in the appropriate section in your custom baseline file with a reference to the rule ID contained in your custom rule

A baseline file contains a separate line for each included rule with a reference to the rule ID defined in the associated rule file.

Question 15

Which script is used to create profiles, plists, and documentation for a tailored baseline?

A. generate_baseline.py
B. generate_guidance.py
C. cis_lvl1-CUSTOMIZED_compliance.sh

Answer 15

B. generate_guidance.py

This script generates all of the output files related to a tailored baseline.

Question 16

After running the script to generate output for a tailored baseline called my_custom_baseline, which subdirectory contains .plist files that you can import into your MDM solution as custom configuration profiles to enforce the rules defined in your tailored baseline?

A. /my_custom_baseline/preferences
B. /my_custom_baseline/mobileconfigs/unsigned
C. /my_custom_baseline/mobileconfigs/preferences

Answer 16

C. /my_custom_baseline/mobileconfigs/preferences

You can import the files in this subdirectory into your MDM solution and use them to enforce the rules defined in your tailored baseline.

Question 17

After running the script to generate output for a tailored baseline called my_custom_baseline, which subdirectory contains a file that you can use to set explicit exemptions to rules on an endpoint computer so that compliance checks can succeed without findings?

A. /my_custom_baseline/preferences
B. /my_custom_baseline/mobileconfigs/unsigned
C. /my_custom_baseline/mobileconfigs/preferences

Answer 17

A. /my_custom_baseline/preferences

You can use the file in this subdirectory to set explicit exemptions to rules on an endpoint computer.

Question 18

After running the script to generate output for a tailored baseline called my_custom_baseline, which file is specifically formatted for an auditor to help them more easily spot check controls and identify any customizations of rules?

A. my_custom_baseline.adoc
B. my_custom_baseline.html
C. my_custom_baseline.xls

Answer 18

C. my_custom_baseline.xls

The information in this file is formatted in a spreadsheet table, making it easier for an auditor spot check controls and identify any customizations of rules.

Question 19

Which script did you use in section 6 to scan your endpoint computer against your tailored baseline?

A. generate_baseline.py
B. generate_guidance.py
C. cis_lvl1-CUSTOMIZED_compliance.sh

Answer 19

C. cis_lvl1-CUSTOMIZED_compliance.sh

This script is used to scan your endpoint computer for compliance against your tailored baseline.

Question 20

Which of the following contains the definitions for the remediation mechanisms for the rules defined in a tailored baseline called cis_lvl1-CUSTOMIZED?

A. /Library/Logs/cis_lvl1-CUSTOMIZED_baseline.log
B. /build/cis_lvl1-CUSTOMIZED/cis_lvl1-CUSTOMIZED.xls
C. /Library/Preferences/org.cis_lvl1-CUSTOMIZED.audit.plist

Answer 20

B. /build/cis_lvl1-CUSTOMIZED/cis_lvl1-CUSTOMIZED.xls

The auditor guide contains the remediation instructions for rules defined in a tailored baseline, including the mechanisms.

Question 21

When reviewing the audit log after a compliance scan, how do findings appear for rules whose check results don’t match the guidance defined in the baseline?

A. 1
B. True
C. Failed

Answer 21

C. Failed

The audit log displays a finding of Failed for rules whose check results don’t match the guidance defined in the baseline.

Question 22

Which remediation method was applied to your customized Disable Screen Sharing and Apple Remote Desktop rule?

A. Manual
B. Script
C. Configuration Profile

Answer 22

A. Manual

You and your security team made the RBD to remove the remediation instructions for this rule and to include documentation of your decision.

Question 23

Which remediation method was applied to your customized AirDrop Contacts Only rule?

A. Manual
B. Script
C. Configuration profile

Answer 23

C. Configuration profile

You implemented this custom rule’s remediation in your tailored baseline by adding a custom key to the com.apple.sharingd configuration profile.

Question 24

After running the cis_lvl1-CUSTOMIZED_compliance.sh script on your test endpoint computer against your tailored baseline, you notice in the audit log that one of the custom rules with a configuration profile remediation mechanism failed. What’s the most likely reason?

A. The profile was unsigned.
B. The profile wasn’t installed on the machine prior to running the scan.
C. The compliance script checks only rules with script remediation mechanisms.

Answer 24

B. The profile wasn’t installed on the machine prior to running the scan.

In order for rules with configuration profile mechanisms to pass a compliance scan, you should install the configuration profiles on your test endpoint Mac before you run a compliance scan.

Question 25

When running the the cis_lvl1-CUSTOMIZED_compliance.sh script in noninteractive mode, which option displays the compliance % results at the end of the scan?

A. –cfc
B. –check
C. –stats

Answer 25

C. –stats

You use this option when running the compliance script in noninteractive mode to generate results for passed, failed, and compliance completion percentages that will be displayed at the end of the scan.