CyberArk Defender - PAM PAM-DEF Exam Practice Test

Answer : B

When managing SSH keys, the CPM stores the public key on the target server. The CPM generates a new random SSH key pair and updates the public SSH key on the target machine. The public SSH key is stored in the home directory of the privileged user on the target machine, usually in the file~/.ssh/authorized_keys. The public SSH key is not stored in the Vault, as this would be redundant and unnecessary. The public SSH key cannot be generated from the private key, as this would defeat the purpose of asymmetric encryption.Reference:

Manage SSH Keys

SSH Key Manager

Use SSH Keys

Answer : B

tsparm.ini isnotthe main configuration file for the Vault. It is one of the several configuration files that control the initial settings and method of operation of the Server. The main configuration file for the Vault is DBParm.ini, which contains the general parameters of the database, such as the Vault name, the Vault IP address, the Vault port, the encryption algorithm, the log retention, and the debug mode.Reference:

Defender PAM Sample Items Study Guide, page 9, question 92

CyberArk Privileged Access Security Implementation Guide, page 75, section ''DBParm.ini''

CyberArk Vault Server Parameter Files, page 1, section ''TSParm.ini''

Answer : C

When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online, if the AllowFailback setting is set to ''yes'' in the padr.ini file. The padr.ini file is the configuration file for the Disaster Recovery application, which enables the DR Vault to replicate data from the Primary Vault and take over its role in case of a failure. The AllowFailback setting determines whether the DR Vault will automatically switch back to the passive mode when the Primary Vault is restored.The default value of this setting is ''no'', which means that the DR Vault will remain active until a manual failback is performed1.To enable the automatic failback, the setting must be changed to ''yes'' and the padr service must be restarted1.The dbparm.ini file is not relevant to this setting, as it is the main configuration file for the Vault database2.Reference:

Configure the DR Vault - CyberArk, section ''AllowFailback''

DBParm.ini - CyberArk, section ''Main parameters''

Answer : A

The report that provides a list of accounts stored in the vault is the Privileged Accounts Inventory report.This report can be generated in the Reports page in the PVWA by users who belong to the group that is specified in the ManageReportsGroup parameter in the Reports section of the Web Access Options in the System Configuration page1.The Privileged Accounts Inventory report contains information such as the safe, folder, name, platform ID, username, address, group, last accessed date, last accessed by, last modified date, last modified by, verification date, checkout date, checked out by, age, change failure, verification failure, master pass folder, master pass name, disabled by, and disabled reason of each account stored in the vault2.Reference:

1:Reports in PVWA

2:Users List Report

Answer : C

Setting the reconcile account at the platform level allows for flexibility in how the reconcile account is specified. A rule can be used to dynamically determine the appropriate reconcile account, or a specific reconcile account can be selected and configured directly in the platform settings.This approach provides the ability to manage reconciliation accounts more efficiently and adapt to different scenarios1.

CyberArk Community - Associate reconcile account with a specific platform

Answer : A

According to the web search results, the Vault administrator can change the Vault license by uploading the new license to the system Safe123. This can be done either from the Vault machine or from a remote machine using the PrivateArk client. The new license file should be named license.xml and replace the current one in the system Safe. This can be done without having to reinstall the Vault or restart the service.

Answer : A

The Interval setting in a CPM policy is used to control how often the CPM looks for System Initiated CPM work, such as password changes, verifications, and reconciliations. The Interval setting defines the frequency, in minutes, that the CPM will check the accounts that are associated with the policy and perform the required actions. For example, if the Interval is set to 60, the CPM will check the accounts every hour and change, verify, or reconcile the passwords according to the policy settings. The Interval setting does not affect User Initiated CPM work, such as manual password changes or retrievals, which are performed immediately upon request. The Interval setting also does not control how long the CPM rests between password changes or the maximum amount of time the CPM will wait for a password change to complete. These parameters are configured in the CPM.ini file, which is stored in the root folder of the <CPM username> Safe.Reference:

[Defender PAM eLearning Course], Module 5: Password Management, Lesson 5.1: CPM Policies, Slide 9: CPM Policy Settings

[Defender PAM Sample Items Study Guide], Question 4: CPM Policy Settings

[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide, Chapter 5: Managing Passwords, Section: CPM Policy Settings, Subsection: Interval