Nutanix Certified Master - Multicloud Infrastructure v6.10 - NCM-MCI Free Practice Dump Questions
Task 2
The security team has provided some new security requirements for cluster level security on Cluster 2.
Security requirements:
Update the password for the root user on the Cluster 2 node to match the admin user password.
Note: The 192.168.x.x network is not available. To access a node use the host IP (172.30.0.x) from the CVM.
Output the cluster-wide configuration of the SCMA policy to desktop\output.txt before changes are made.
Enable the Advanced Intrusion Detection Environment (AIDE) to run on a weekly basis for the hypervisor and CVMs for Cluster 2.
Enable high-strength password policies for the hypervisor and cluster.
Ensure CVMs require SSH keys for login instead of passwords. (SSH keys are located in the desktop\Files\SSH folder.)
Ensure the cluster meets these requirements. Do not reboot any cluster components.
Note: Please ensure you are modifying the correct components.
Answer:
See the Explanation
Explanation:
This task focuses on Security Technical Implementation Guides (STIGs) and general hardening of the Nutanix cluster. Most of these tasks are best performed via the Nutanix Command Line Interface (ncli) on the CVM, though the SSH key requirement is often easier to handle via the Prism GUI.
Here is the step-by-step procedure to complete Task 2.
Prerequisites: Connection
Open PuTTY (or the available terminal) from the provided Windows Desktop.
SSH into the Cluster 2 CVM. (If the Virtual IP is unknown, check Prism Element for the CVM IP).
Log in using the provided credentials (usually nutanix / nutanix/4u or the admin password provided in your instructions).
Step 1: Output SCMA Policy (Do this FIRST)
Requirement: Output the cluster-wide configuration of the SCMA policy to desktop\output.txt before changes are made.
In the SSH session on the CVM, run:
ncli cluster get-software-config-management-policy
Copy the output from the terminal window.
Open Notepad on the Windows Desktop.
Paste the output.
Save the file as output.txt on the Desktop.
Step 2: Enable AIDE (Weekly)
Requirement: Enable the Advanced Intrusion Detection Environment (AIDE) to run on a weekly basis for the hypervisor and CVMs.
In the same CVM SSH session, run the following command to modify the SCMA policy:
ncli cluster edit-software-config-management-policy enable-aide=true schedule-interval=WEEKLY
Note: This single command applies the policy to both the hypervisor and CVMs by default in most versions.
Step 3: Enable High-Strength Password Policies
Requirement: Enable high-strength password policies for the hypervisor and cluster.
Run the following command:
ncli cluster set-high-strength-password-policy enable=true
Step 4: Update Root Password for Cluster Nodes
Requirement: Update the password for the root user on the Cluster 2 node to match the admin user password.
Method A: The Automated Way (Recommended)
Use ncli to set the password for all hypervisor nodes at once without needing to SSH into them individually.
Run:
ncli cluster set-hypervisor-password
When prompted, enter the current admin password (this becomes the new root password).
Method B: The Manual Way (If NCLI fails or manual access is required)
Note: Use this if the exam specifically wants you to touch the node via the 172.x network.
From the CVM, SSH to the host using the internal IP:
ssh root@172.30.0.x
Replace x with the host ID, e.g., 4 or 5.
Run the password change command:
passwd
Enter the admin password twice.
Repeat for other nodes in Cluster 2.
Step 5: Cluster Lockdown (SSH Keys)
Requirement: Ensure CVMs require SSH keys for login instead of passwords.
It is safest to do this via the Prism Element GUI to prevent locking yourself out.
Open Prism Element for Cluster 2 in the browser.
Click the Gear Icon (Settings) -> Cluster Lockdown.
Uncheck the box "Enable Remote Login with Password".
Click New Public Key (or Add Key).
Open the folder Desktop\Files\SSH on the Windows desktop.
Open the public key file (usually ends in .pub) in Notepad and copy the contents.
Paste the key into the Prism "Key" box.
Click Save.
Note: Do not reboot the cluster. The SCMA and Password policies take effect immediately without a reboot.
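Before pasting a key into the Cluster Lockdown dialog in Step 5, it helps to confirm that the text is a single-line OpenSSH public key (not the private half) and to record its fingerprint. The following Python check is an added example, not part of the original answer or of any Nutanix tool; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def wire(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Read one SSH wire-format string at offset off; return (data, next_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def check_public_key(text):
    """Validate one OpenSSH public key line; return (type, rsa_bits, fingerprint)."""
    text = text.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("private key material: do not paste this into Prism")
    fields = text.split()
    if len(fields) < 2 or "\n" in text:
        raise ValueError("expected a single line: <type> <base64> [comment]")
    blob = base64.b64decode(fields[1], validate=True)
    inner, off = read_string(blob, 0)
    if inner != fields[0].encode():
        raise ValueError("declared key type does not match the encoded blob")
    bits = None
    if fields[0] == "ssh-rsa":
        _exponent, off = read_string(blob, off)
        modulus, off = read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < 2048:
            raise ValueError(f"RSA key is only {bits} bits")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fields[0], bits, fingerprint

# Constructed sample, not a real key: an ssh-ed25519 blob with dummy key bytes.
SAMPLE_PUB = "ssh-ed25519 %s admin@example" % base64.b64encode(
    wire(b"ssh-ed25519") + wire(bytes(range(32)))).decode()

if __name__ == "__main__":
    print(check_public_key(SAMPLE_PUB))
```

The fingerprint uses the same SHA256 form that ssh-keygen -l prints, so it can be compared with the value recorded when the key pair was generated.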
Task 5
An administrator has been informed that a new workload requires a logically segmented network to meet security requirements.
Network configuration:
VLAN: 667
Network: 192.168.0.0
Subnet Mask: 255.255.255.0
DNS server: 34.82.231.220
Default Gateway: 192.168.0.1
Domain: cyberdyne.net
IP Pool: 192.168.9.100-200
DHCP Server IP: 192.168.0.2
Configure the cluster to meet the requirements for the new workload. If new objects are required, start the name with 667.
Answer:
See the Explanation for step by step solution
Explanation:
To configure the cluster to meet the requirements for the new workload, you need to do the following steps:
Create a new VLAN with ID 667 on the cluster. You can do this by logging in to Prism Element and going to Network Configuration > VLANs > Create VLAN. Enter 667 as the VLAN ID and a name for the VLAN, such as 667_VLAN.
Create a new network segment with the network details provided. You can do this by logging in to Prism Central and going to Network > Network Segments > Create Network Segment. Enter a name for the network segment, such as 667_Network_Segment, and select 667_VLAN as the VLAN. Enter 192.168.0.0 as the Network Address and 255.255.255.0 as the Subnet Mask. Enter 192.168.0.1 as the Default Gateway and 34.82.231.220 as the DNS Server. Enter cyberdyne.net as the Domain Name.
Create a new IP pool with the IP range provided. You can do this by logging in to Prism Central and going to Network > IP Pools > Create IP Pool. Enter a name for the IP pool, such as 667_IP_Pool, and select 667_Network_Segment as the Network Segment. Enter 192.168.9.100 as the Starting IP Address and 192.168.9.200 as the Ending IP Address.
Configure the DHCP server with the IP address provided. You can do this by logging in to Prism Central and going to Network > DHCP Servers > Create DHCP Server. Enter a name for the DHCP server, such as 667_DHCP_Server, and select 667_Network_Segment as the Network Segment. Enter 192.168.0.2 as the IP Address and select 667_IP_Pool as the IP Pool.
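A pre-flight check of the addressing plan catches mistakes before they are typed into Prism. The Python sketch below is an added example, not part of the original answer; its function names are hypothetical. Run on the Task 5 values as written on this page, it reports that the IP pool 192.168.9.100-200 lies outside 192.168.0.0/255.255.255.0.

```python
import ipaddress

def check_managed_network(network, mask, gateway, dhcp_server, pool):
    """Return a list of problems found in a managed-network definition."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    gw = ipaddress.ip_address(gateway)
    dhcp = ipaddress.ip_address(dhcp_server)
    start, end = (ipaddress.ip_address(p) for p in pool)
    problems = []
    for label, addr in (("gateway", gw), ("DHCP server", dhcp),
                        ("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is not a usable host address")
    if start > end:
        problems.append("pool start is above pool end")
    if gw == dhcp:
        problems.append("gateway and DHCP server share an address")
    for label, addr in (("gateway", gw), ("DHCP server", dhcp)):
        if start <= addr <= end:
            problems.append(f"{label} {addr} falls inside the IP pool")
    return problems

def expand_pool(spec):
    """Expand the page's short form '192.168.9.100-200' to (start, end)."""
    start, last_octet = spec.split("-")
    end = start.rsplit(".", 1)[0] + "." + last_octet
    return start, end

# Values copied from Task 5 on this page.
TASK5 = dict(network="192.168.0.0", mask="255.255.255.0",
             gateway="192.168.0.1", dhcp_server="192.168.0.2",
             pool=expand_pool("192.168.9.100-200"))

if __name__ == "__main__":
    for problem in check_managed_network(**TASK5):
        print("WARN:", problem)
```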



