Latest NCM-MCI-6.10 free exam dump - Nutanix Certified Master - Multicloud Infrastructure (NCM-MCI)

The security team has provided some new security requirements for cluster level security on Cluster 2.
Security requirements:
* Update the password for the root user on the Cluster 2 node to match the admin user password.
Note: The 192.168.x.x network is not available. To access a node use the host IP (172.30.0.x) from the CVM.
* Output the cluster-wide configuration of the SCMA policy to desktop\output.txt before changes are made.
* Enable the Advanced Intrusion Detection Environment (AIDE) to run on a weekly basis for the hypervisor and cvms for Cluster 2.
* Enable high-strength password policies for the hypervisor and cluster.
* Ensure CVMs require SSH keys for login instead of passwords. (SSH keys are located in the desktop\Files\SSH folder.)
Ensure the cluster meets these requirements. Do not reboot any cluster components.
Note: Please ensure you are modifying the correct components.
Answer:
See the Explanation below for the detailed answer.
Explanation:
Here is the step-by-step solution to apply the security requirements to Cluster 2.
1. Access Cluster 2 Prism Element
First, we must access the Prism Element (PE) interface for Cluster 2, as most security settings are cluster-specific.
* From the Prism Central dashboard, navigate to Hardware > Clusters.
* Find Cluster 2 in the list and click its name. This will open the Prism Element login page for that specific cluster in a new tab.
* Log in to Cluster 2's Prism Element using the admin credentials.
2. Requirement: Update Node Root Password
This task syncs the root password for all AHV hypervisor nodes with the cluster's admin user password.
* In the Cluster 2 PE interface, click the gear icon (Settings) in the top right corner.
* Select Cluster Lockdown from the left-hand menu.
* Click the Set Root Password on All Hosts button.
* A dialog box will appear. Enter the current admin password (the one you just used to log in) into both the New Password and Confirm New Password fields.
* Click Save. This will propagate the admin password to the root user on all nodes in Cluster 2.
3. Requirement: Add CVM SSH Key
This task adds the security team's public key to the admin user, which is required before we can disable password-based login.
* On the desktop, navigate to the Files > SSH folder.
* Open the id_rsa.pub file (or equivalent public key file) with Notepad.
* Copy the entire string of text (e.g., ssh-rsa AAAA...).
* In the Cluster 2 PE interface, go to Settings (gear icon) > User Management.
* Select the admin user and click Modify User.
* Paste the copied public key into the Public Keys text box.
* Click Save.
4. Requirement: Apply SCMA Policies (All other requirements)
The remaining requirements are all applied via the command line on a CVM using Nutanix's Security Configuration Management Automation (SCMA).
* Access the CVM:
* Find a CVM IP for Cluster 2 by going to Hardware > CVMs in the PE interface.
* Open an SSH client (like PuTTY) and connect to that CVM's IP address.
* Log in with the username admin and the corresponding password.
* Output Current Policy (Req 2):
* Before making changes, run the following command to see the current policy:
ncli scma status
* Copy the entire output from your SSH terminal.
* Open Notepad on the desktop, paste the copied text, and save the file to the desktop as output.txt.
* Apply New Policies (Req 3, 4, 5):
* Run the following commands one by one. The cluster will apply them immediately without a reboot.
* Enable AIDE (Req 3):
ncli scma update aide-status=enabled aide-schedule=weekly
* Enable High-Strength Passwords (Req 4):
ncli scma update password-policy=high
* Require SSH Keys for CVMs (Req 5):
ncli scma update ssh-login=keys-only
Verification
You can verify all changes by running the status command again. The output should now reflect the new, hardened security posture.
ncli scma status
* AIDE Status: should show Enabled
* AIDE Schedule: should show Weekly
* Password Policy: should show High
* SSH Login: should show keys-only
Task 5
An administrator has noticed that after a host failure, the SQL03 VM was not powered back on from another host within the cluster. The Other SQL VMs (SQL01, SQL02) have recovered properly in the past.
Resolve the issue and configure the environment to ensure any single host failure affects a minimal number of SQL VMs.
Note: Do not power on any VMs
Answer:
See the Explanation for the step-by-step solution.
Explanation:
One possible reason why the SQL03 VM was not powered back on after a host failure is that the cluster was configured with the default (best effort) VM high availability mode, which does not guarantee the availability of VMs in case of insufficient resources on the remaining hosts. To resolve this issue, I suggest changing the VM high availability mode to guarantee (reserved segments), which reserves some memory on each host for failover of VMs from a failed host. This way, the SQL03 VM will have a higher chance of being restarted on another host in case of a host failure.
To change the VM high availability mode to guarantee (reserved segments), you can follow these steps:
Log in to Prism Central and select the cluster where the SQL VMs are running.
Click on the gear icon on the top right corner and select Cluster Settings.
Under Cluster Services, click on Virtual Machine High Availability.
Select Guarantee (Reserved Segments) from the drop-down menu and click Save.
To configure the environment to ensure any single host failure affects a minimal number of SQL VMs, I suggest using anti-affinity rules, which prevent VMs that belong to the same group from running on the same host. This way, if one host fails, only one SQL VM will be affected and the other SQL VMs will continue running on different hosts.
To create an anti-affinity rule for the SQL VMs, you can follow these steps:
Log in to Prism Central and click on Entities on the left menu.
Select Virtual Machines from the drop-down menu and click on Create Group.
Enter a name for the group, such as SQL Group, and click Next.
Select the SQL VMs (SQL01, SQL02, SQL03) from the list and click Next.
Select Anti-Affinity from the drop-down menu and click Next.
Review the group details and click Finish.
https://portal.nutanix.com/page/documents/details?targetId=AHV-Admin-Guide-v6_5:ahv-affinity-policies-c.html
Task 10
An administrator will be deploying Flow Networking and needs to validate that the environment, specifically switch vs1, is appropriately configured. Only VPC traffic should be carried by the switch.
Four versions each of two possible commands have been placed in Desktop\Files\Network\flow.txt. Remove the hash mark (#) from the front of correct First command and correct Second command and save the file.
Only one hash mark should be removed from each section. Do not delete or copy lines, do not add additional lines. Any changes other than removing two hash marks (#) will result in no credit.
Also, SSH directly to any AHV node (not a CVM) in the cluster and from the command line display an overview of the Open vSwitch configuration. Copy and paste this to a new text file named Desktop\Files\Network\AHVswitch.txt.
Note: You will not be able to use the 192.168.5.0 network in this environment.
First command
#net.update_vpc_traffic_config virtual_switch=vs0
net.update_vpc_traffic_config virtual_switch=vs1
#net.update_vpc_east_west_traffic_config virtual_switch=vs0
#net.update_vpc_east_west_traffic_config virtual_switch=vs1
Second command
#net.update_vpc_east_west_traffic_config permit_all_traffic=true
net.update_vpc_east_west_traffic_config permit_vpc_traffic=true
#net.update_vpc_east_west_traffic_config permit_all_traffic=false
#net.update_vpc_east_west_traffic_config permit_vpc_traffic=false
Answer:
First, you need to open the Prism Central CLI from the Windows Server 2019 workstation. You can do this by clicking on the Start menu and typing "Prism Central CLI". Then, you need to log in with the credentials provided to you.
Second, you need to run the two commands that I have already given you in Desktop\Files\Network\flow.txt.
These commands are:
net.update_vpc_traffic_config virtual_switch=vs1
net.update_vpc_east_west_traffic_config permit_vpc_traffic=true
These commands will update the virtual switch that carries the VPC traffic to vs1, and update the VPC east-west traffic configuration to allow only VPC traffic. You can verify that these commands have been executed successfully by running the command:
net.get_vpc_traffic_config
This command will show you the current settings of the virtual switch and the VPC east-west traffic configuration.
Third, you need to SSH directly to any AHV node (not a CVM) in the cluster and run the command:
ovs-vsctl show
This command will display an overview of the Open vSwitch configuration on the AHV node. You can copy and paste the output of this command to a new text file named Desktop\Files\Network\AHVswitch.txt.
You can use any SSH client such as PuTTY or Windows PowerShell to connect to the AHV node. You will need the IP address and the credentials of the AHV node, which you can find in Prism Element or Prism Central.
Remove the # from the lines highlighted in green (the two lines shown above without a leading #).
On AHV execute:
sudo ovs-vsctl show
To run the command on an AHV host from a CVM (replace the placeholder with the AHV host's IP address):
nutanix@NTNX-A-CVM:192.168.10.5:~$ ssh root@<AHV-host-IP> "ovs-vsctl show"
Open AHVswitch.txt and paste the output.
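The task gives no credit unless exactly one hash mark is removed from each section and nothing else in flow.txt changes. The following check is an added example, not part of the exam page or of any Nutanix tooling: it compares the untouched file with the edited one and reports any edit other than the two expected `#` removals. The `ORIGINAL` string is constructed from the ten command lines quoted in the task (all commented out, as the exam file would be); the real Desktop\Files\Network\flow.txt is not reproduced here.

```python
"""Check an edited flow.txt against the untouched original (added example)."""
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for the exam's flow.txt: both sections, every line commented.
ORIGINAL = """First command
#net.update_vpc_traffic_config virtual_switch=vs0
#net.update_vpc_traffic_config virtual_switch=vs1
#net.update_vpc_east_west_traffic_config virtual_switch=vs0
#net.update_vpc_east_west_traffic_config virtual_switch=vs1
Second command
#net.update_vpc_east_west_traffic_config permit_all_traffic=true
#net.update_vpc_east_west_traffic_config permit_vpc_traffic=true
#net.update_vpc_east_west_traffic_config permit_all_traffic=false
#net.update_vpc_east_west_traffic_config permit_vpc_traffic=false
"""

# The one line that must be active in each section (from the answer above).
EXPECTED = {
    "First command": "net.update_vpc_traffic_config virtual_switch=vs1",
    "Second command": "net.update_vpc_east_west_traffic_config permit_vpc_traffic=true",
}


def split_sections(text: str) -> Dict[str, List[str]]:
    """Map each section header to the command lines that follow it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line in EXPECTED:
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def validate_flow_edit(original: str, edited: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for an edited file versus the original."""
    problems: List[str] = []
    orig_lines, new_lines = original.splitlines(), edited.splitlines()
    if len(orig_lines) != len(new_lines):
        return False, ["line count changed: lines were added or deleted"]

    # Every line must be identical or differ only by a removed leading '#'.
    removed = 0
    for n, (o, e) in enumerate(zip(orig_lines, new_lines), start=1):
        if o == e:
            continue
        if o.startswith("#") and o[1:] == e:
            removed += 1
        else:
            problems.append(f"line {n} changed in a way other than removing '#'")
    if removed != 2:
        problems.append(f"{removed} hash marks removed, expected exactly 2")

    # Each section must have exactly one active line, and it must be the right one.
    sections = split_sections(edited)
    for header, want in EXPECTED.items():
        active = [l for l in sections.get(header, []) if not l.startswith("#")]
        if len(active) != 1:
            problems.append(f"{header}: {len(active)} active lines, expected 1")
        elif active[0] != want:
            problems.append(f"{header}: active line is {active[0]!r}, expected {want!r}")
    return not problems, problems


def apply_edit(original: str, lines_to_uncomment: Iterable[str]) -> str:
    """Produce an edited copy by stripping '#' from the named command lines only."""
    wanted = set(lines_to_uncomment)
    out = []
    for line in original.splitlines():
        out.append(line[1:] if line.startswith("#") and line[1:] in wanted else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    edited = apply_edit(ORIGINAL, EXPECTED.values())
    ok, why = validate_flow_edit(ORIGINAL, edited)
    print("OK" if ok else "\n".join(why))
```

Running the block against a file where the vs0 line was uncommented instead reports which section is wrong, and a file with any extra or deleted line fails before the per-section checks.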
Your security team is working on automation to manage Security Policies.
They have exported some of the existing rules to the file "Security Policy.txt" located on the desktop. This file needs to be modified for the test environment.
* All rules except the quarantine rule should be logged.
* Only the Quarantine rule should be enforced, the other rules will only be logged.
* The quarantine rule should affect the SecOps environment.
* The SMB rule should only affect VMs with the "smbhost" and "smbclient" tags.
* The "DN test" policy should allow ipv6 and should not restrict any protocols between the included tiers.
There are three rules in the file, do not delete, add or copy lines. Only replace xxxx with the correct value as appropriate. It is possible that not all "xxxxx" will be replaced.
Save the file with the same name.
Possible values to replace the "xxxxx":
8080
ALL
APPLY
false
MONITOR
Non-Prod
SecOps
smbhost
smbclient
TCP
True
Answer:
See the Explanation below for the detailed answer.
Explanation:
Here is the step-by-step solution to modify the security policy file as required.
Navigate to the desktop and open the file Security Policy.txt (which corresponds to the provided Security Policy.bak content) using a text editor like Notepad.
Modify the file content by replacing the xxxxx and xxxx placeholders according to the security requirements.
Modifications by Rule
Here are the specific changes to make within the file:
1. Quarantine Rule
Requirement 1 (No Logging): The quarantine rule should not be logged.
Change "is_policy_hitlog_enabled": "xxxxx" to "is_policy_hitlog_enabled": "false"
Requirement 2 (Enforce): This rule must be enforced.
Change "action": "xxxxx" (under quarantine_rule) to "action": "APPLY"
Requirement 3 (Environment): The rule must affect the "SecOps" environment.
Change "Environment": ["xxxxx"] to "Environment": ["SecOps"]
2. SMB-block Rule
Requirement 1 (Logging): This rule must be logged.
Change "is_policy_hitlog_enabled": "xxxxx" to "is_policy_hitlog_enabled": "True"
Requirement 2 (Monitor): This rule must not be enforced, only logged.
Change "action": "xxxxx" (under isolation_rule) to "action": "MONITOR"
Requirement 4 (Tags): The rule must affect the "smbhost" and "smbclient" tags.
Change "SMBv1": ["xxxxx"] to "SMBv1": ["smbhost"]
Change "SMRv1": ["xxxxx"] to "SMRv1": ["smbclient"]
3. DN test (dn-policy1) Rule
Requirement 2 (Monitor): This rule must not be enforced, only logged.
Change "action": "xxxx" (under app_rule) to "action": "MONITOR"
Requirement 5 (Allow IPv6): This policy must allow IPv6 traffic.
Change "allow_ipv6_traffic": "xxxx" to "allow_ipv6_traffic": "True"
Final Step
After making all the replacements, Save the file, overwriting the original Security Policy.txt on the desktop.
Example of completed rules (replace xxxxx accordingly):
Rule Name: Quarantine Rule
Logged: false
Action: APPLY
Environment: SecOps
Protocols: TCP
Ports: 8080
Rule Name: SMB Rule
Logged: True
Action: MONITOR
Tags: smbhost, smbclient
Protocols: TCP
Ports: 8080
Rule Name: DN Test Policy
Logged: True
Action: MONITOR
Environment: Non-Prod
Protocols: ALL
Ports: 8080
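The replacements above are easy to get subtly wrong (enforcing a rule that should only be monitored, or logging the quarantine rule). The following audit is an added example, not from the exam page or from Nutanix: it applies the listed replacements and then checks the result against the five requirements. The exported file is not reproduced here; `POLICY` is a constructed dict that uses only the rule and key names quoted in the explanation (`quarantine_rule`, `isolation_rule`, `app_rule`, `is_policy_hitlog_enabled`, `action`, `Environment`, `SMBv1`, `SMRv1`, `allow_ipv6_traffic`), with `xxxxx` placeholders where the task leaves them; the DN test rule's logging value is assumed to be already set to `True` in the file, which is why the answer lists no replacement for it.

```python
"""Audit a security-policy export against the task's requirements (added example)."""
import copy
from typing import Dict, List, Tuple

PLACEHOLDER = "xxxxx"

# Constructed stand-in for Security Policy.txt, using the key names quoted in the answer.
POLICY: Dict[str, Dict] = {
    "quarantine_rule": {
        "is_policy_hitlog_enabled": PLACEHOLDER,
        "action": PLACEHOLDER,
        "Environment": [PLACEHOLDER],
    },
    "isolation_rule": {
        "is_policy_hitlog_enabled": PLACEHOLDER,
        "action": PLACEHOLDER,
        "SMBv1": [PLACEHOLDER],
        "SMRv1": [PLACEHOLDER],
    },
    "app_rule": {
        "is_policy_hitlog_enabled": "True",  # assumed already set in the file
        "action": PLACEHOLDER,
        "allow_ipv6_traffic": PLACEHOLDER,
    },
}

# (rule, key, value) triples taken from the step-by-step answer above.
REPLACEMENTS: List[Tuple[str, str, object]] = [
    ("quarantine_rule", "is_policy_hitlog_enabled", "false"),
    ("quarantine_rule", "action", "APPLY"),
    ("quarantine_rule", "Environment", ["SecOps"]),
    ("isolation_rule", "is_policy_hitlog_enabled", "True"),
    ("isolation_rule", "action", "MONITOR"),
    ("isolation_rule", "SMBv1", ["smbhost"]),
    ("isolation_rule", "SMRv1", ["smbclient"]),
    ("app_rule", "action", "MONITOR"),
    ("app_rule", "allow_ipv6_traffic", "True"),
]


def apply_replacements(policy: Dict[str, Dict], replacements) -> Dict[str, Dict]:
    """Return a copy of the policy with each (rule, key, value) applied."""
    out = copy.deepcopy(policy)
    for rule, key, value in replacements:
        out[rule][key] = value
    return out


def remaining_placeholders(policy: Dict[str, Dict]) -> List[str]:
    """List rule.key paths whose value still starts with 'xxxx'."""
    found = []
    for rule, fields in policy.items():
        for key, value in fields.items():
            vals = value if isinstance(value, list) else [value]
            if any(v.startswith("xxxx") for v in vals):
                found.append(f"{rule}.{key}")
    return found


def audit(policy: Dict[str, Dict]) -> List[str]:
    """Return requirement violations; an empty list means the policy is compliant."""
    issues = []
    # Only the quarantine rule may be enforced (APPLY); everything else is MONITOR.
    enforced = [r for r, f in policy.items() if f["action"] == "APPLY"]
    if enforced != ["quarantine_rule"]:
        issues.append(f"enforced rules are {enforced}, expected only quarantine_rule")
    for rule, fields in policy.items():
        want_log = "false" if rule == "quarantine_rule" else "True"
        if fields["is_policy_hitlog_enabled"] != want_log:
            issues.append(f"{rule}: logging is {fields['is_policy_hitlog_enabled']}, expected {want_log}")
        if rule != "quarantine_rule" and fields["action"] != "MONITOR":
            issues.append(f"{rule}: action is {fields['action']}, expected MONITOR")
    if policy["quarantine_rule"]["Environment"] != ["SecOps"]:
        issues.append("quarantine_rule must target the SecOps environment")
    smb = policy["isolation_rule"]
    if smb["SMBv1"] != ["smbhost"] or smb["SMRv1"] != ["smbclient"]:
        issues.append("SMB rule must be scoped to the smbhost and smbclient tags")
    if policy["app_rule"]["allow_ipv6_traffic"] != "True":
        issues.append("DN test policy must allow IPv6")
    return issues


if __name__ == "__main__":
    fixed = apply_replacements(POLICY, REPLACEMENTS)
    print("placeholders left:", remaining_placeholders(fixed))
    print("violations:", audit(fixed))
```

The audit derives the expected logging and action values from the rule's role rather than hard-coding one answer per field, so it also flags the common mistake of enforcing the SMB rule: swap its `action` to `APPLY` and the enforced-rule check fails.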
