CompTIA CV0-004 Exam - Topic 6 Question 23 Discussion

Actual exam question for CompTIA's CV0-004 exam

Question #: 23
Topic #: 6

A security engineer Identifies a vulnerability m a containerized application. The vulnerability can be exploited by a privileged process to read tie content of the host's memory. The security engineer reviews the following Dockerfile to determine a solution to mitigate similar exploits:

Which of the following is the best solution to prevent similar exploits by privileged processes?

AAdding the USER myappuserinstruction

BPatching the host running the Docker daemon

CChanging FROM alpiner3.17 to FROM alpine:latest

DRunning the container with the ready-only filesystem configuration

Show Suggested Answer

Suggested Answer: A

The output from the 'ps' command indicates there is a process running under the UID (User ID) of 0, which is the root user, and the command that was run is '/var/www/command.py'. Given that the normal Apache processes are running under their own UID (65535), this suggests that a command was executed with root privileges that typically should not have such high-level access. This is a strong indicator of privilege escalation, where an unauthorized user or process gains elevated access to resources that are normally protected from an application or user. Reference: CompTIA Cloud+ Certification Study Guide (Exam CV0-004) by Scott Wilson and Eric Vanderburg

by Erasmo at Sep 14, 2024, 11:10 AM

Limited Time Offer

25%

Off

Get Premium CV0-004 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Alita

4 months ago

Wow, didn't realize privileged processes could access host memory like that!

upvoted 0 times

...

Felicia

4 months ago

Running with a read-only filesystem sounds risky.

upvoted 0 times

...

Noble

4 months ago

Changing to alpine:latest? Not sure that helps much.

upvoted 0 times

...

Trinidad

5 months ago

I think patching the host is more important.

upvoted 0 times

...

Jeannine

5 months ago

Adding the USER myappuser instruction is a solid move.

upvoted 0 times

...

Joni

5 months ago

I think running the container with a read-only filesystem could be a strong defense. It might prevent any unauthorized access to the host's memory, but I need to double-check that.

upvoted 0 times

...

Laura

5 months ago

Changing the base image to alpine:latest sounds familiar, but I can't recall if that really mitigates privilege issues. It seems more about keeping the image updated.

upvoted 0 times

...

Bong

5 months ago

I'm not entirely sure, but I think patching the host could help too. It might not directly address the container's privileges, though.

upvoted 0 times

...

Sabina

6 months ago

I remember we discussed the importance of running containers as non-root users to limit privileges. So, option A seems like a good choice.

upvoted 0 times

...

Vallie

6 months ago

I'm pretty confident that running the container with the read-only filesystem configuration is the way to go here. That should effectively block the privileged process from accessing the host's memory.

upvoted 0 times

...

Denny

6 months ago

Okay, I think I've got this. The key is to prevent the privileged process from being able to read the host's memory. Adding the USER myappuser instruction seems like the best way to do that.

upvoted 0 times

...

Shawnna

6 months ago

Hmm, I'm a bit confused by the question. I'll need to make sure I understand the vulnerability and the different options before selecting an answer.

upvoted 0 times

...

Clarence

6 months ago

This looks like a tricky question. I'll need to carefully review the Dockerfile and think through the potential solutions.

upvoted 0 times

...

Laurel

6 months ago

I'm feeling pretty confident about this one. The key is to remove the Defenders DaemonSet and then use Cloud Discovery to automatically redeploy them with the new version.

upvoted 0 times

...

Leatha

10 months ago

You know, I heard about this one guy who tried to hack a container by reading the host's memory. Bet he felt pretty silly when he realized the container was running with a read-only filesystem!

upvoted 0 times

...

Rasheeda

10 months ago

Ha! Trying to run as a different user? That's like putting a bandaid on a broken leg. Option D is definitely the way to go.

upvoted 0 times

Bernardine

9 months ago

User 4: Patching the host might not be enough, option D seems more secure.

upvoted 0 times

...

Gracia

9 months ago

User 3: Changing the base image won't fix the vulnerability.

upvoted 0 times

...

Toi

9 months ago

User 2: Agreed, option D with read-only filesystem is the best solution.

upvoted 0 times

...

Arthur

9 months ago

User 1: Running as a different user won't help much.

upvoted 0 times

...

Chau

11 months ago

Changing the base image might help, but it's not a complete solution. I agree with option D - the read-only filesystem should be the way to go.

upvoted 0 times

Inocencia

10 months ago

Patching the host running the Docker daemon might be a good idea as well to ensure overall security.

upvoted 0 times

...

Jose

10 months ago

I think adding the USER myappuserinstruction could also help limit the privileges of the containerized application.

upvoted 0 times

...

Annette

10 months ago

Option D is definitely the best choice. A read-only filesystem would prevent any unauthorized access to the host's memory.

upvoted 0 times

...

Marlon

11 months ago

Patching the host is a good idea, but it may not be enough to prevent similar exploits. I'd go with option D as well.

upvoted 0 times

Dalene

10 months ago

It's important to consider all options before making a decision, but option D does seem like a strong choice.

upvoted 0 times

...

Maryanne

10 months ago

I agree, running the container with a read-only filesystem configuration can help mitigate the vulnerability.

upvoted 0 times

...

Valda

10 months ago

Option D seems like the best solution to prevent similar exploits.

upvoted 0 times

...

Iraida

11 months ago

Hmm, the key seems to be limiting the privileges of the running container. I think option D is the best solution here.

upvoted 0 times

Casey

10 months ago

Changing the base image to the latest version might also address potential vulnerabilities.

upvoted 0 times

...

Reita

10 months ago

Patching the host running the Docker daemon could also help enhance security.

upvoted 0 times

...

Bernardo

11 months ago

I think running the container with a read-only filesystem is a good way to prevent exploits.

upvoted 0 times

...

Geraldine

11 months ago

I agree, limiting the privileges of the container is crucial.

upvoted 0 times

...

Karan

12 months ago

But wouldn't changing FROM alpine:3.17 to FROM alpine:latest also help prevent similar exploits?

upvoted 0 times

...

Corrina

12 months ago

I disagree, I believe patching the host running the Docker daemon is the best solution.

upvoted 0 times

...

Karan

12 months ago

I think the best solution is adding the USER myappuser instruction.

upvoted 0 times

...