Practice CKS Monitoring, Logging and Runtime Security questions with full explanations on every answer.
1. You are investigating a pod that is suspected of being compromised. You need to preserve the container's filesystem for forensic analysis. Which `crictl` command should you use to export the container's filesystem as a tar archive?
2. A Falco rule is written to detect when a shell is spawned inside a container. The rule condition is: `spawned_process and container and proc.name = bash`. The rule is not triggering. Which of the following is the most likely reason?
3. You are configuring Kubernetes audit logging. You want to log all requests to the `secrets` resource in the `kube-system` namespace at the `RequestResponse` level, while logging all other requests at the `Metadata` level. Which audit policy configuration achieves this?
4. You have deployed a pod and set `securityContext.readOnlyRootFilesystem: true`. The pod is failing to start with an error about writing to `/tmp`. What is the most likely cause?
5. An administrator runs `kubectl exec -it nginx-pod -- sh` and inside the container runs `curl http://example.com`. This succeeds. However, the administrator wants to detect such outbound connections using Falco. Which syscall should Falco monitor to detect this network connection?
6. You are writing a Falco rule to detect when a container tries to read the file `/etc/shadow`. Which condition in the Falco rule correctly matches this event?
7. You are responding to a security incident where a pod named `compromised-pod` in namespace `default` is suspected of being used for cryptocurrency mining. You need to immediately isolate the pod from the network while preserving evidence. Which command sequence should you use?
8. Which Kubernetes resource is used to define audit logging configuration?
9. A Falco rule has priority `WARNING` and output: `Sensitive file opened (user=%user.name command=%proc.cmdline file=%fd.name)`. The rule is triggering correctly. You want to reduce noise from legitimate administrative activity. What is the best approach?
10. You need to ensure that all containers in a pod cannot write to their root filesystem except for a specific directory `/data`. You set `securityContext.readOnlyRootFilesystem: true` and mount an emptyDir volume at `/data`. However, the container still cannot write to `/data`. What is the most likely cause?
11. You are using `crictl` to debug a container that is not responding. Which command should you use to get the list of running containers?
12. Which audit policy level logs the request metadata and the request body?
13. Which TWO of the following are valid audit stages in Kubernetes? (Select 2)
14. Which THREE of the following are common indicators of a container compromise that Falco can detect? (Select 3)
15. Which TWO are valid stages in a Kubernetes audit event? (Select 2)
16. Which kubectl command can be used to exec into a running container for forensic analysis during an incident response?
17. An administrator runs 'falco --list' and sees many default rules. What is the correct way to load a custom Falco rules file?
18. A security team wants to detect any attempt to read /etc/shadow from within a container using Falco. Which condition in a Falco rule would match this behavior?
19. You need to configure Kubernetes audit logging to log all requests to the 'secrets' API. Which audit policy level captures the body of the request?
20. You run 'crictl ps' and see no output, but the node has running pods. What is the most likely cause?
21. To isolate a compromised pod and prevent all incoming and outgoing traffic, which Kubernetes resource should you use?
22. A Falco rule has the following condition: spawned_process and container and proc.name = bash and proc.pname != sshd. What does this rule detect?
23. You need to preserve evidence (container logs) from a compromised pod before deleting it. Which command should you run first?
24. Which audit stage in Kubernetes audit logging captures the stage after a request is processed and before a response is sent?
25. Which crictl command is used to view logs from a specific container?
26. A pod has securityContext.readOnlyRootFilesystem: true. What happens if a process inside the container tries to write to the root filesystem?
27. Which of the following is NOT a valid priority level in a Falco rule?
28. Which TWO of the following are valid methods to detect a container spawning a shell (e.g., /bin/bash) using Falco? (Select two.)
29. Which THREE of the following are required components to enable audit logging in Kubernetes? (Select three.)
30. Which TWO of the following are valid steps to respond to a runtime security incident where a container is suspected to be compromised? (Select two.)
31. A security team wants to detect any attempt to open /etc/shadow in a container. Which Falco rule condition field is MOST appropriate?
32. An admin runs 'crictl ps' on a node and sees multiple containers. Which command should they use to view the logs of a specific container?
33. A pod is running in the 'default' namespace with a container that has an immutable root filesystem (readOnlyRootFilesystem: true). The application writes logs to /var/log/app.log. What will happen?
34. You need to configure audit logging for the Kubernetes API server to log all requests at the Metadata level. Which flag and value should you set in the kube-apiserver configuration?
35. A pod named 'busybox-pod' is compromised. You want to isolate it from all other pods using a NetworkPolicy. Which YAML snippet correctly denies all ingress and egress traffic to/from the pod?
36. During a runtime incident, you suspect a container has a reverse shell. Which kubectl command can you use to examine the container's running processes from the node level without entering the container?
37. An administrator needs to preserve evidence from a compromised container. Which approach is BEST for capturing the container's filesystem and memory for later analysis?
38. A Falco rule triggers when a shell is spawned inside a container. Which condition correctly identifies bash or sh being executed as the first process (PID 1)?
39. An audit policy is configured with the following rule:

    ```yaml
    - level: RequestResponse
      users: ["system:serviceaccount:kube-system:admin"]
      verbs: ["get", "list"]
      resources:
      - group: ""
        resources: ["secrets"]
    ```

    What will be logged when the service account 'admin' in kube-system performs a GET request on a Secret?
40. You need to detect any unexpected outbound connections from pods in the 'production' namespace. Which Falco rule condition is MOST appropriate?
41. A NodePort service is not accessible from outside the cluster. Which command should you use to check if the service's endpoints are correctly populated?
42. To ensure a container's filesystem is read-only, which field should be set to 'true' in the container spec?
43. Which TWO of the following are valid audit stages in Kubernetes audit logging? (Choose two)
44. Which THREE of the following are valid techniques for isolating a compromised pod during incident response? (Choose three)
45. Which TWO Falco priority levels are correctly ordered from lowest to highest severity? (Choose two correct sequences)
46. An administrator wants to monitor runtime security events in Kubernetes using Falco. Which component must be deployed as a DaemonSet to capture system calls from containers?
47. A security team wants to detect attempts to read /etc/shadow inside containers. Which Falco rule condition would trigger on a container reading that file?
48. You are investigating a pod that may have been compromised. Which kubectl command allows you to run a shell inside the running container without overwriting the container's filesystem?
49. An audit policy is configured with level: Request. Which operations are recorded in the audit log?
50. A cluster administrator wants to enforce that containers run with a read-only root filesystem. Which security context field should be set?
51. You suspect a pod is making unexpected outbound connections. Which tool can you use to inspect network connections from within the container?
52. A Falco rule has priority: CRITICAL and condition: evt.type=execve and proc.name!=bash. What does this rule detect?
53. You need to configure Kubernetes audit logging to log all requests at the Metadata level except for requests to the 'kube-system' namespace, which should be logged at Request level. How should you structure the audit policy?
54. Which stage of the Kubernetes API request processing should be audited to capture the final response sent to the client?
55. You run 'crictl ps' and see a container with state CONTAINER_RUNNING. What does this indicate?
56. A pod has been compromised. You want to isolate it from other pods while preserving its network state for forensics. Which NetworkPolicy rule achieves this?
57. You need to detect any attempt to run a shell inside a container using Falco. Which macro or condition should you use?
58. Which TWO of the following are valid Falco output fields?
59. Which THREE stages can be configured for Kubernetes audit logging?
60. You need to preserve forensic evidence from a compromised pod. Which TWO actions should you take?
61. A security team wants to detect any attempt to spawn an interactive shell inside a container. Which Falco rule condition would be appropriate?
62. You have configured an audit policy with level: Request. Which request information is logged?
63. You are investigating a pod suspected of being compromised. Which set of commands would provide the most useful forensic evidence without altering the container's state?
64. What is the purpose of setting a container's filesystem to read-only in a Pod spec?
65. Which crictl command can you use to view the logs of a specific container?
66. You are writing a Falco rule to detect privilege escalation via setuid binaries. Which syscall should the rule monitor?
67. An admin runs 'kubectl get pods' and sees a pod in 'CrashLoopBackOff' state. The pod's containers have a restart policy of 'Always'. What is the most likely cause?
68. A developer wants to ensure that a pod can only receive traffic from pods with label 'app: frontend' in the same namespace. Which NetworkPolicy egress rule should be applied to the source pods?
69. You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the RequestResponse level. Which audit policy rule would achieve this?
70. A compromised pod is making unexpected outbound connections. You want to isolate the pod by blocking all egress traffic while keeping it running for forensic analysis. Which action is correct?
71. Which flag must be provided to the kube-apiserver to enable audit logging?
72. A Falco rule has the following output: 'Sensitive file opened for reading (user=root command=cat /etc/shadow)'. Which macro is most likely used in the rule condition?
73. Which TWO of the following are valid audit stages in Kubernetes audit logging?
74. Which THREE of the following are recommended incident response steps when a container is compromised?
75. Which TWO tools can be used to directly interact with the container runtime (without going through the Kubernetes API) for troubleshooting?
76. Which Falco rule priority is used to indicate a potentially malicious activity that should be investigated?
77. You need to configure Kubernetes audit logging to log all requests at the Metadata level for a specific namespace. Which audit policy level should you use?
78. A security incident occurred in a pod running in the 'default' namespace. You need to isolate the pod to prevent further damage while preserving evidence. Which set of commands would BEST achieve this?
79. Which crictl command is used to view the logs of a specific container?
80. A Falco rule is triggered when a shell is spawned inside a container. Which syscall is typically used to detect shell execution?
81. Which Kubernetes resource can be used to enforce that a container's filesystem is read-only?
82. You are investigating a compromised pod. You suspect the attacker used 'kubectl exec' to gain shell access. Which command can you use to check the audit logs for exec events?
83. You have deployed a DaemonSet to run a logging agent on every node. After an update, the new pods are stuck in 'Pending' state. You run 'kubectl describe pod ds-pod-xxxxx' and see '0/3 nodes are available: 3 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the MOST likely cause?
84. Which Falco rule condition would detect an attempt to read the /etc/shadow file in a container?
85. You want to ensure that a container's root filesystem is immutable. Which field in the Pod spec should you set?
86. You need to configure a NetworkPolicy that allows egress traffic only to an external database at IP 10.0.0.5 on port 5432, and denies all other egress. Which policy BEST achieves this?
87. You have a pod that is in CrashLoopBackOff. You want to inspect the logs from the previous instance of the container. Which flag should you use with kubectl logs?
88. Which TWO of the following are valid audit stages in Kubernetes audit logging?
89. Which THREE of the following are recommended steps during incident response for a compromised pod?
90. Which TWO tools can be used to directly interact with a container runtime on a Kubernetes node without using kubectl?
91. A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would trigger an alert for such an event?
92. You need to configure the Kubernetes API server to log all requests at the Metadata level. Which flag should you use when starting kube-apiserver?
93. You want to run crictl to list all running containers on a node. Which command should you execute?
94. A pod runs with an immutable root filesystem (readOnlyRootFilesystem: true). The application attempts to write to /tmp. What is the expected behavior?
95. You suspect a container has been compromised. You run 'kubectl exec -it <pod> -- bash' to investigate. Which of the following is the BEST next step to preserve evidence?
96. You have a Falco rule that triggers on 'spawned a shell in a container'. The rule is firing too many false positives. Which field in the Falco rule could you modify to reduce false positives?
97. A developer reports that a pod cannot reach an external database at 192.168.1.100:3306. The pod's namespace is 'app'. You need to create a NetworkPolicy that allows egress to that IP only. Which policy is correct?
98. You need to detect when a container attempts to mount the host's Docker socket. Which Falco macro or condition would you use?
99. A cluster has audit logging enabled with a policy that sets 'RequestResponse' level for all resources. The cluster is experiencing high etcd write load. Which change would reduce the load MOST effectively?
100. You want to isolate a compromised pod by blocking all network traffic to and from it. Which NetworkPolicy would you apply?
101. A Falco rule is configured to detect privilege escalation via setuid binaries. Which syscall is commonly associated with this activity?
102. You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the 'RequestResponse' level, but only log requests from the 'kube-system' namespace. Which audit policy rule is correct?
103. You are investigating a security incident where a container ran a shell inside a pod. Which Falco rule condition would trigger on a shell spawned in a container?
104. You need to enable audit logging for the Kubernetes API server to capture all requests at the RequestResponse level. Which flag should you add to the kube-apiserver configuration?
105. A security team suspects a compromised pod is making unexpected outbound connections to an external IP. Which of the following is the BEST first step to investigate the network traffic from that pod?
106. You need to configure a Kubernetes Pod to have an immutable root filesystem. Which field should you set in the Pod spec?
107. An incident responder needs to isolate a compromised pod immediately without deleting it. Which action should they take?
108. Which crictl command is used to view the logs of a specific container in a node?
109. In a Falco rule, what does the 'priority' field indicate?
110. You are writing a Falco rule to detect when a container tries to read /etc/shadow. Which condition should you use?
111. An audit policy is configured with the following rule:

    ```yaml
    - level: Metadata
      resources:
      - group: ""
        resources: ["secrets"]
    ```

    What does this rule log for requests to the Secrets API?
112. Which kubectl command can be used to execute a shell inside a running container for forensic analysis?
113. You need to create a NetworkPolicy that allows only ingress traffic from pods with label 'app: frontend' in the same namespace. Which policyType and ingress rule should you use?
114. An administrator runs 'crictl ps' and sees no containers listed, but kubectl shows running pods. What is the most likely cause?
115. Which TWO of the following are valid audit stages in Kubernetes audit logging?
116. Which THREE of the following are effective methods to preserve evidence during a container security incident?
117. Which TWO of the following are valid priority levels in Falco rules?
118. A security admin needs to audit all API requests to the Kubernetes API server. Which audit policy level logs the request body and response body?
119. Falco detects a shell being opened inside a container. Which Falco rule field is used to specify the syscall condition for detection?
120. A container has been compromised. You need to isolate it by denying all network traffic. Which NetworkPolicy manifest achieves this?
121. An administrator wants to set an immutable root filesystem for a container in a Pod. Which securityContext field should be set to true?
122. You need to detect any attempt to read /etc/shadow inside a container using Falco. Which macro would you use in the condition?
123. Which crictl command is used to list all running containers managed by the container runtime?
124. You suspect a container has been compromised and want to perform forensics using kubectl exec. Which command safely collects the container's process list without affecting the container?
125. A pod is stuck in Pending state. You run 'kubectl describe pod' and see the event: '0/3 nodes are available: 3 Insufficient cpu'. What is the likely cause?
126. Which audit stage is logged after the request is fully processed and the response is sent?
127. A Falco rule detects unexpected outbound connections. Which condition would identify a connection to an external IP not in the allowed list?
128. You need to ensure a container's filesystem is immutable at runtime except for a temporary volume. Which Pod spec configuration achieves this?
129. You want to preserve evidence from a compromised pod. Which command should you use to copy the entire container filesystem to a safe location?
130. Which TWO of the following are valid Falco rule priorities?
131. Which THREE of the following are true about Kubernetes audit logging?
132. Which TWO crictl commands can be used to inspect a running container?
133. You suspect a container is running an unexpected process. Which crictl command can you use to list all running containers on the node?
134. Which flag is used when starting kube-apiserver to enable audit logging?
135. You are investigating a compromised pod. You need to capture the contents of a file in the container without modifying the container. Which kubectl command should you use?
136. A Falco rule triggers on 'Write below etc' and you see an alert about a process writing to /etc/shadow. Which syscall is Falco most likely using to detect this?
137. In a Falco rule, you have the condition: 'evt.type=execve and proc.name=bash and container.id!=host'. What does this rule detect?
138. You want to configure an audit policy to log all requests to the 'secrets' resource with the body at the 'RequestResponse' level. Other resources should be logged at 'Metadata' level. Which audit policy YAML snippet is correct?
139. You need to isolate a compromised pod named 'malicious-pod' in the 'default' namespace so that it cannot communicate with any other pod, but can still receive traffic from a specific monitoring pod. Which NetworkPolicy should you apply?
140. You run 'kubectl exec -it <pod> -- /bin/sh' inside a pod that has an immutable root filesystem. What happens?
141. During a security incident, you need to snapshot the processes running inside a container without using kubectl exec. Which crictl command sequence can you use?
142. Which audit policy level logs all requests and responses, including the request body and response body?
143. A Falco rule has the condition: 'evt.type=open and fd.name contains /etc/shadow and container.id != host'. What is being detected?
144. You want to detect any attempt to run a shell inside a container that is not running as root. Which Falco condition would you use?
145. Which kubectl command can you use to view the logs of a specific container in a multi-container pod?
146. Which TWO of the following are valid audit stages in Kubernetes?
147. Which THREE of the following are recommended steps when responding to a compromised pod?
148. A security engineer wants to detect any attempt to spawn a shell inside a container. Which Falco rule condition would trigger on a shell being spawned in a container (e.g., /bin/bash or /bin/sh)?
149. You need to configure the Kubernetes API server to enable audit logging at the 'Metadata' level for all requests. Which flag should be used when starting the kube-apiserver?
150. During a security incident, you need to isolate a compromised pod named 'malicious-pod' in namespace 'default' to prevent it from communicating with other pods. Which command should you run?
151. An administrator wants to ensure that containers in the 'secure-app' namespace cannot write to their own filesystem. Which pod security context setting should be used?
152. A Falco rule is written to detect access to /etc/shadow inside a container. Which condition should be used?
153. You are using crictl to debug a container. Which command lists all running containers on the node?
154. A pod is stuck in 'Pending' state. You run 'kubectl describe pod mypod' and see the event: '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the most likely solution?
155. Which command can be used to view the logs of a container using the container runtime interface (crictl)?
156. You need to enable Kubernetes audit logging with the following requirements: log all requests at the 'RequestResponse' level, but only for successful responses. Which audit stage should you specify in the policy?
157. A security policy requires that all pods in a namespace must run with a read-only root filesystem. Which admission controller can enforce this?
158. You suspect a container has been compromised. You want to preserve the container's filesystem for forensic analysis before terminating the pod. Which approach should you use?
159. Which TWO of the following are valid audit levels in a Kubernetes audit policy? (Select TWO.)
160. Which TWO of the following are valid techniques to detect and respond to runtime incidents in a Kubernetes cluster? (Select TWO.)
161. Which THREE of the following are valid Falco rule priorities? (Select THREE.)
162. Which THREE of the following are valid audit stages in Kubernetes audit logging? (Select THREE.)
163. Which kubectl command can be used to view the live logs of a container in a pod named 'my-pod'?
164. A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would detect this syscall?
165. An administrator wants to enable Kubernetes audit logging with the following requirements: log all requests at the Metadata level, but log all responses at the Request level. Which audit policy configuration achieves this?
166. A pod named 'compromised-pod' is suspected of making unauthorized outbound connections. You want to isolate the pod using a NetworkPolicy. Which policy correctly denies all egress traffic from the pod?
167. Which crictl command lists all running containers on a node?
168. Which TWO of the following are valid audit policy levels in Kubernetes? (Choose two.)
169. Which THREE of the following are recommended steps during incident response for a compromised pod? (Choose three.)
170. Which TWO of the following Falco fields can be used in a rule condition to detect a shell spawned inside a container? (Choose two.)
171. Which TWO of the following are valid audit stages in Kubernetes? (Choose two.)
172. Which THREE of the following are capabilities required for a Falco rule to detect privilege escalation via setuid binary execution? (Choose three.)
The Monitoring, Logging and Runtime Security domain covers the key concepts tested in this area of the CKS exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKS domains — no account required.
The Courseiva CKS question bank contains 172 questions in the Monitoring, Logging and Runtime Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.