Exam CISSP topic 1 question 142 discussion

Actual exam question from ISC's CISSP
Question #: 142
Topic #: 1

A company developed a web application which is sold as a Software as a Service (SaaS) solution to the customer. The application is hosted by a web server running on a specific operating system (OS) on a virtual machine (VM). During the transition phase of the service, it is determined that the support team will need access to the application logs. Which of the following privileges would be the MOST suitable?

  • A. Administrative privileges on the hypervisor
  • B. Administrative privileges on the application folders
  • C. Administrative privileges on the web server
  • D. Administrative privileges on the OS
Suggested Answer: B

Comments

deeden
3 months, 2 weeks ago
Selected Answer: B
Agree with B. Admin access to web server allows access to all other applications being hosted on that web server. Although there's only one SaaS mentioned, but correct... least privilege principle. Here's a simplified hierarchical breakdown from the hypervisor to the application folder:
  • Hypervisor: Manages virtual machines.
  • Operating System: Provides the base environment for applications.
  • Web Server: Software application responsible for serving web content.
  • Web Server Configuration Files: Store settings for the web server.
  • Log Files: Record server activity.
  • Application Folders: Contain specific web applications.
  • Application Code: Source code for the application.
  • Application Data: Configuration files, databases, and other data.
  • Application Logs: Specific logs for the application.
upvoted 3 times
...
TheManiac
6 months, 1 week ago
Selected Answer: B
Least priv is the key here. Don't give access more than they need. Application folders access is what they need. So, C. Administrative privileges on the web server is wrong. You break least priv here.
upvoted 4 times
...
stack120566
8 months, 3 weeks ago
Option B is correct. I agree with 629f731. Those of us that have had to scour logs understand that the application does not hold all of the logs. In many cases applications log very little.
upvoted 1 times
...
629f731
10 months, 2 weeks ago
Selected Answer: C
Option B involves granting administrative privileges directly to the application folders. While it can provide access to application logs, it also carries additional risks. With access to application folders, changes or modifications can be made to other system files, which could compromise the stability or security of the application if inadvertent or unauthorized modifications are made. Additionally, logs may not be exclusively contained in specific application folders, so limiting privileges to folders only does not guarantee complete access to all necessary logs. For these reasons, option C (administrative privileges on the web server) might be more appropriate as it allows more controlled access to logs without providing direct access to other system components.
upvoted 4 times
...
Soleandheel
11 months, 3 weeks ago
B. Administrative privileges on the application folders
upvoted 2 times
...
Soleandheel
11 months, 3 weeks ago
Least privilege, guys. You want to give them access to only what they need to do the job. No more, no less.
upvoted 2 times
...
Ukpes
1 year ago
B is the right answer. You do not need to have admin privileges to the web server but rather to the app folders. Reason: the principle of least privilege!
upvoted 1 times
...
74gjd_37
1 year, 2 months ago
Selected Answer: C
The MOST suitable privilege in this scenario would be C. Administrative privileges on the web server. This would allow the support team to access and analyze the application logs without compromising the security of the hypervisor or the underlying OS. Administrative privileges on the application folders or the OS may be too broad and could potentially allow access to sensitive information beyond just the logs.
upvoted 2 times
...
Bach1968
1 year, 4 months ago
Selected Answer: B
B. Administrative privileges on the application folders
upvoted 1 times
...
HughJassole
1 year, 5 months ago
So we have no idea where the application logs are written to. I am a Linux admin and some apps write in their own folders, some write to /var/log, the same place the OS writes to. So I don't think this question provides enough info to answer. A best guess would be B, least privilege, but there is no way to know.
upvoted 2 times
MShaaban
1 year, 3 months ago
I thought the same. Agree with your approach.
upvoted 1 times
...
...
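The least-privilege argument in this thread can be checked mechanically. The sketch below is an added example, not part of any comment: it models the hierarchy from deeden's comment as a containment tree and picks the answer option whose scope covers the logs while reaching the fewest resources. The nesting of the tree and the `os log directory` node (for the /var/log case HughJassole raises) are assumptions made for illustration.

```python
# Added illustration; the nesting below is an assumed reading of the hierarchy
# listed in deeden's comment, and the OS-level log directory follows HughJassole's.
HIERARCHY = {                       # child -> parent (containing scope)
    "hypervisor": None,
    "os": "hypervisor",
    "os log directory": "os",       # e.g. /var/log
    "web server": "os",
    "web server config files": "web server",
    "web server log files": "web server",
    "application folders": "web server",
    "application code": "application folders",
    "application data": "application folders",
    "application logs": "application folders",
}

# The four answer options, mapped to the scope each one grants admin rights on.
OPTIONS = {"A": "hypervisor", "B": "application folders",
           "C": "web server", "D": "os"}


def ancestors(node, tree):
    """Return node plus every scope that contains it, innermost first."""
    chain = []
    while node is not None:
        chain.append(node)
        node = tree[node]
    return chain


def scope_size(scope, tree):
    """Count the resources an administrative grant on `scope` would reach."""
    return sum(1 for n in tree if scope in ancestors(n, tree))


def narrowest_grant(needed, options, tree):
    """Pick the option that covers `needed` while reaching the fewest resources."""
    covering = {k: v for k, v in options.items() if v in ancestors(needed, tree)}
    if not covering:
        return None
    return min(covering, key=lambda k: scope_size(covering[k], tree))


def relocate(tree, node, new_parent):
    """Return a copy of the tree with `node` moved under `new_parent`."""
    moved = dict(tree)
    moved[node] = new_parent
    return moved
```

With the logs inside the application folders the result is B; moving them under the OS-level log directory leaves only A and D covering them, which is why where the logs are written decides the answer.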
DASH_v
1 year, 6 months ago
Selected Answer: C
The most suitable privilege in this scenario would be administrative privileges on the web server. This is because the web server is responsible for hosting the web application and generating the application logs. By granting administrative privileges on the web server, the support team would be able to access the logs without having complete control over the underlying OS or other applications running on the same VM. Granting administrative privileges on the hypervisor or the OS would give the support team access to more than just the application logs, which could pose a security risk. Granting administrative privileges on the application folders alone may not provide the support team with enough access to view and analyze the logs.
upvoted 2 times
jackdryan
1 year, 6 months ago
B is correct
upvoted 1 times
...
...
Jamati
2 years ago
Selected Answer: B
As Humongous1593 has already said. Least privilege rule applies.
upvoted 3 times
...
Coolwater
2 years, 1 month ago
A, C, D are managed by the cloud vendor
upvoted 2 times
...
franbarpro
2 years, 1 month ago
Give them access to the only resources they need to do their job. No more no less!
upvoted 4 times
...
Humongous1593
2 years, 1 month ago
Selected Answer: B
Least privilege
upvoted 3 times
...