© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Monitoring, Logging and Runtime Security

Practice CKS Monitoring, Logging and Runtime Security questions with full explanations on every answer.


All CKS Monitoring, Logging and Runtime Security questions (172)


1

You are investigating a pod that is suspected of being compromised. You need to preserve the container's filesystem for forensic analysis. Which `crictl` command should you use to export the container's filesystem as a tar archive?

2

A Falco rule is written to detect when a shell is spawned inside a container. The rule condition is: `spawned_process and container and proc.name = bash`. The rule is not triggering. Which of the following is the most likely reason?

3

You are configuring Kubernetes audit logging. You want to log all requests to the `secrets` resource in the `kube-system` namespace at the `RequestResponse` level, while logging all other requests at the `Metadata` level. Which audit policy configuration achieves this?

4

You have deployed a pod and set `securityContext.readOnlyRootFilesystem: true`. The pod is failing to start with an error about writing to `/tmp`. What is the most likely cause?

5

An administrator runs `kubectl exec -it nginx-pod -- sh` and inside the container runs `curl http://example.com`. This succeeds. However, the administrator wants to detect such outbound connections using Falco. Which syscall should Falco monitor to detect this network connection?

6

You are writing a Falco rule to detect when a container tries to read the file `/etc/shadow`. Which condition in the Falco rule correctly matches this event?

7

You are responding to a security incident where a pod named `compromised-pod` in namespace `default` is suspected of being used for cryptocurrency mining. You need to immediately isolate the pod from the network while preserving evidence. Which command sequence should you use?

8

Which Kubernetes resource is used to define audit logging configuration?

9

A Falco rule has priority `WARNING` and output: `Sensitive file opened (user=%user.name command=%proc.cmdline file=%fd.name)`. The rule is triggering correctly. You want to reduce noise from legitimate administrative activity. What is the best approach?

10

You need to ensure that all containers in a pod cannot write to their root filesystem except for a specific directory `/data`. You set `securityContext.readOnlyRootFilesystem: true` and mount an emptyDir volume at `/data`. However, the container still cannot write to `/data`. What is the most likely cause?

11

You are using `crictl` to debug a container that is not responding. Which command should you use to get the list of running containers?

12

Which audit policy level logs the request metadata and the request body?

13

Which TWO of the following are valid audit stages in Kubernetes? (Select 2)

14

Which THREE of the following are common indicators of a container compromise that Falco can detect? (Select 3)

15

Which TWO are valid stages in a Kubernetes audit event? (Select 2)

16

Which kubectl command can be used to exec into a running container for forensic analysis during an incident response?

17

An administrator runs 'falco --list' and sees many default rules. What is the correct way to load a custom Falco rules file?

18

A security team wants to detect any attempt to read /etc/shadow from within a container using Falco. Which condition in a Falco rule would match this behavior?

19

You need to configure Kubernetes audit logging to log all requests to the 'secrets' API. Which audit policy level captures the body of the request?

20

You run 'crictl ps' and see no output, but the node has running pods. What is the most likely cause?

21

To isolate a compromised pod and prevent all incoming and outgoing traffic, which Kubernetes resource should you use?

22

A Falco rule has the following condition: spawned_process and container and proc.name = bash and proc.pname != sshd. What does this rule detect?

23

You need to preserve evidence (container logs) from a compromised pod before deleting it. Which command should you run first?

24

Which audit stage in Kubernetes audit logging captures the stage after a request is processed and before a response is sent?

25

Which crictl command is used to view logs from a specific container?

26

A pod has securityContext.readOnlyRootFilesystem: true. What happens if a process inside the container tries to write to the root filesystem?

27

Which of the following is NOT a valid priority level in a Falco rule?

28

Which TWO of the following are valid methods to detect a container spawning a shell (e.g., /bin/bash) using Falco? (Select two.)

29

Which THREE of the following are required components to enable audit logging in Kubernetes? (Select three.)

30

Which TWO of the following are valid steps to respond to a runtime security incident where a container is suspected to be compromised? (Select two.)

31

A security team wants to detect any attempt to open /etc/shadow in a container. Which Falco rule condition field is MOST appropriate?

32

An admin runs 'crictl ps' on a node and sees multiple containers. Which command should they use to view the logs of a specific container?

33

A pod is running in the 'default' namespace with a container that has an immutable root filesystem (readOnlyRootFilesystem: true). The application writes logs to /var/log/app.log. What will happen?

34

You need to configure audit logging for the Kubernetes API server to log all requests at the Metadata level. Which flag and value should you set in the kube-apiserver configuration?

35

A pod named 'busybox-pod' is compromised. You want to isolate it from all other pods using a NetworkPolicy. Which YAML snippet correctly denies all ingress and egress traffic to/from the pod?

36

During a runtime incident, you suspect a container has a reverse shell. Which kubectl command can you use to examine the container's running processes from the node level without entering the container?

37

An administrator needs to preserve evidence from a compromised container. Which approach is BEST for capturing the container's filesystem and memory for later analysis?

38

A Falco rule triggers when a shell is spawned inside a container. Which condition correctly identifies bash or sh being executed as the first process (PID 1)?

39

An audit policy is configured with the following rule:

    - level: RequestResponse
      users: ["system:serviceaccount:kube-system:admin"]
      verbs: ["get", "list"]
      resources:
      - group: ""
        resources: ["secrets"]

What will be logged when the service account 'admin' in kube-system performs a GET request on a Secret?

40

You need to detect any unexpected outbound connections from pods in the 'production' namespace. Which Falco rule condition is MOST appropriate?

41

A NodePort service is not accessible from outside the cluster. Which command should you use to check if the service's endpoints are correctly populated?

42

To ensure a container's filesystem is read-only, which field should be set to 'true' in the container spec?

43

Which TWO of the following are valid audit stages in Kubernetes audit logging? (Choose two)

44

Which THREE of the following are valid techniques for isolating a compromised pod during incident response? (Choose three)

45

Which TWO Falco priority levels are correctly ordered from lowest to highest severity? (Choose two correct sequences)

46

An administrator wants to monitor runtime security events in Kubernetes using Falco. Which component must be deployed as a DaemonSet to capture system calls from containers?

47

A security team wants to detect attempts to read /etc/shadow inside containers. Which Falco rule condition would trigger on a container reading that file?

48

You are investigating a pod that may have been compromised. Which kubectl command allows you to run a shell inside the running container without overwriting the container's filesystem?

49

An audit policy is configured with level: Request. Which operations are recorded in the audit log?

50

A cluster administrator wants to enforce that containers run with a read-only root filesystem. Which security context field should be set?

51

You suspect a pod is making unexpected outbound connections. Which tool can you use to inspect network connections from within the container?

52

A Falco rule has priority: CRITICAL and condition: evt.type=execve and proc.name!=bash. What does this rule detect?

53

You need to configure Kubernetes audit logging to log all requests at the Metadata level except for requests to the 'kube-system' namespace, which should be logged at Request level. How should you structure the audit policy?

54

Which stage of the Kubernetes API request processing should be audited to capture the final response sent to the client?

55

You run 'crictl ps' and see a container with state CONTAINER_RUNNING. What does this indicate?

56

A pod has been compromised. You want to isolate it from other pods while preserving its network state for forensics. Which NetworkPolicy rule achieves this?

57

You need to detect any attempt to run a shell inside a container using Falco. Which macro or condition should you use?

58

Which TWO of the following are valid Falco output fields?

59

Which THREE stages can be configured for Kubernetes audit logging?

60

You need to preserve forensic evidence from a compromised pod. Which TWO actions should you take?

61

A security team wants to detect any attempt to spawn an interactive shell inside a container. Which Falco rule condition would be appropriate?

62

You have configured an audit policy with level: Request. Which request information is logged?

63

You are investigating a pod suspected of being compromised. Which set of commands would provide the most useful forensic evidence without altering the container's state?

64

What is the purpose of setting a container's filesystem to read-only in a Pod spec?

65

Which crictl command can you use to view the logs of a specific container?

66

You are writing a Falco rule to detect privilege escalation via setuid binaries. Which syscall should the rule monitor?

67

An admin runs 'kubectl get pods' and sees a pod in 'CrashLoopBackOff' state. The pod's containers have a restart policy of 'Always'. What is the most likely cause?

68

A developer wants to ensure that a pod can only receive traffic from pods with label 'app: frontend' in the same namespace. Which NetworkPolicy egress rule should be applied to the source pods?

69

You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the RequestResponse level. Which audit policy rule would achieve this?

70

A compromised pod is making unexpected outbound connections. You want to isolate the pod by blocking all egress traffic while keeping it running for forensic analysis. Which action is correct?

71

Which flag must be provided to the kube-apiserver to enable audit logging?

72

A Falco rule has the following output: 'Sensitive file opened for reading (user=root command=cat /etc/shadow)'. Which macro is most likely used in the rule condition?

73

Which TWO of the following are valid audit stages in Kubernetes audit logging?

74

Which THREE of the following are recommended incident response steps when a container is compromised?

75

Which TWO tools can be used to directly interact with the container runtime (without going through the Kubernetes API) for troubleshooting?

76

Which Falco rule priority is used to indicate a potentially malicious activity that should be investigated?

77

You need to configure Kubernetes audit logging to log all requests at the Metadata level for a specific namespace. Which audit policy level should you use?

78

A security incident occurred in a pod running in the 'default' namespace. You need to isolate the pod to prevent further damage while preserving evidence. Which set of commands would BEST achieve this?

79

Which crictl command is used to view the logs of a specific container?

80

A Falco rule is triggered when a shell is spawned inside a container. Which syscall is typically used to detect shell execution?

81

Which Kubernetes resource can be used to enforce that a container's filesystem is read-only?

82

You are investigating a compromised pod. You suspect the attacker used 'kubectl exec' to gain shell access. Which command can you use to check the audit logs for exec events?

83

You have deployed a DaemonSet to run a logging agent on every node. After an update, the new pods are stuck in 'Pending' state. You run 'kubectl describe pod ds-pod-xxxxx' and see '0/3 nodes are available: 3 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the MOST likely cause?

84

Which Falco rule condition would detect an attempt to read the /etc/shadow file in a container?

85

You want to ensure that a container's root filesystem is immutable. Which field in the Pod spec should you set?

86

You need to configure a NetworkPolicy that allows egress traffic only to an external database at IP 10.0.0.5 on port 5432, and denies all other egress. Which policy BEST achieves this?

87

You have a pod that is in CrashLoopBackOff. You want to inspect the logs from the previous instance of the container. Which flag should you use with kubectl logs?

88

Which TWO of the following are valid audit stages in Kubernetes audit logging?

89

Which THREE of the following are recommended steps during incident response for a compromised pod?

90

Which TWO tools can be used to directly interact with a container runtime on a Kubernetes node without using kubectl?

91

A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would trigger an alert for such an event?

92

You need to configure the Kubernetes API server to log all requests at the Metadata level. Which flag should you use when starting kube-apiserver?

93

You want to run crictl to list all running containers on a node. Which command should you execute?

94

A pod runs with an immutable root filesystem (readOnlyRootFilesystem: true). The application attempts to write to /tmp. What is the expected behavior?

95

You suspect a container has been compromised. You run 'kubectl exec -it <pod> -- bash' to investigate. Which of the following is the BEST next step to preserve evidence?

96

You have a Falco rule that triggers on 'spawned a shell in a container'. The rule is firing too many false positives. Which field in the Falco rule could you modify to reduce false positives?

97

A developer reports that a pod cannot reach an external database at 192.168.1.100:3306. The pod's namespace is 'app'. You need to create a NetworkPolicy that allows egress to that IP only. Which policy is correct?

98

You need to detect when a container attempts to mount the host's Docker socket. Which Falco macro or condition would you use?

99

A cluster has audit logging enabled with a policy that sets 'RequestResponse' level for all resources. The cluster is experiencing high etcd write load. Which change would reduce the load MOST effectively?

100

You want to isolate a compromised pod by blocking all network traffic to and from it. Which NetworkPolicy would you apply?

101

A Falco rule is configured to detect privilege escalation via setuid binaries. Which syscall is commonly associated with this activity?

102

You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the 'RequestResponse' level, but only log requests from the 'kube-system' namespace. Which audit policy rule is correct?

103

You are investigating a security incident where a container ran a shell inside a pod. Which Falco rule condition would trigger on a shell spawned in a container?

104

You need to enable audit logging for the Kubernetes API server to capture all requests at the RequestResponse level. Which flag should you add to the kube-apiserver configuration?

105

A security team suspects a compromised pod is making unexpected outbound connections to an external IP. Which of the following is the BEST first step to investigate the network traffic from that pod?

106

You need to configure a Kubernetes Pod to have an immutable root filesystem. Which field should you set in the Pod spec?

107

An incident responder needs to isolate a compromised pod immediately without deleting it. Which action should they take?

108

Which crictl command is used to view the logs of a specific container in a node?

109

In a Falco rule, what does the 'priority' field indicate?

110

You are writing a Falco rule to detect when a container tries to read /etc/shadow. Which condition should you use?

111

An audit policy is configured with the following rule:

    - level: Metadata
      resources:
      - group: ""
        resources: ["secrets"]

What does this rule log for requests to the Secrets API?

112

Which kubectl command can be used to execute a shell inside a running container for forensic analysis?

113

You need to create a NetworkPolicy that allows only ingress traffic from pods with label 'app: frontend' in the same namespace. Which policyType and ingress rule should you use?

114

An administrator runs 'crictl ps' and sees no containers listed, but kubectl shows running pods. What is the most likely cause?

115

Which TWO of the following are valid audit stages in Kubernetes audit logging?

116

Which THREE of the following are effective methods to preserve evidence during a container security incident?

117

Which TWO of the following are valid priority levels in Falco rules?

118

A security admin needs to audit all API requests to the Kubernetes API server. Which audit policy level logs the request body and response body?

119

Falco detects a shell being opened inside a container. Which Falco rule field is used to specify the syscall condition for detection?

120

A container has been compromised. You need to isolate it by denying all network traffic. Which NetworkPolicy manifest achieves this?

121

An administrator wants to set an immutable root filesystem for a container in a Pod. Which securityContext field should be set to true?

122

You need to detect any attempt to read /etc/shadow inside a container using Falco. Which macro would you use in the condition?

123

Which crictl command is used to list all running containers managed by the container runtime?

124

You suspect a container has been compromised and want to perform forensics using kubectl exec. Which command safely collects the container's process list without affecting the container?

125

A pod is stuck in Pending state. You run 'kubectl describe pod' and see the event: '0/3 nodes are available: 3 Insufficient cpu'. What is the likely cause?

126

Which audit stage is logged after the request is fully processed and the response is sent?

127

A Falco rule detects unexpected outbound connections. Which condition would identify a connection to an external IP not in the allowed list?

128

You need to ensure a container's filesystem is immutable at runtime except for a temporary volume. Which Pod spec configuration achieves this?

129

You want to preserve evidence from a compromised pod. Which command should you use to copy the entire container filesystem to a safe location?

130

Which TWO of the following are valid Falco rule priorities?

131

Which THREE of the following are true about Kubernetes audit logging?

132

Which TWO crictl commands can be used to inspect a running container?

133

You suspect a container is running an unexpected process. Which crictl command can you use to list all running containers on the node?

134

Which flag is used when starting kube-apiserver to enable audit logging?

135

You are investigating a compromised pod. You need to capture the contents of a file in the container without modifying the container. Which kubectl command should you use?

136

A Falco rule triggers on 'Write below etc' and you see an alert about a process writing to /etc/shadow. Which syscall is Falco most likely using to detect this?

137

In a Falco rule, you have the condition: 'evt.type=execve and proc.name=bash and container.id!=host'. What does this rule detect?

138

You want to configure an audit policy to log all requests to the 'secrets' resource with the body at the 'RequestResponse' level. Other resources should be logged at 'Metadata' level. Which audit policy YAML snippet is correct?

139

You need to isolate a compromised pod named 'malicious-pod' in the 'default' namespace so that it cannot communicate with any other pod, but can still receive traffic from a specific monitoring pod. Which NetworkPolicy should you apply?

140

You run 'kubectl exec -it <pod> -- /bin/sh' inside a pod that has an immutable root filesystem. What happens?

141

During a security incident, you need to snapshot the processes running inside a container without using kubectl exec. Which crictl command sequence can you use?

142

Which audit policy level logs all requests and responses, including the request body and response body?

143

A Falco rule has the condition: 'evt.type=open and fd.name contains /etc/shadow and container.id != host'. What is being detected?

144

You want to detect any attempt to run a shell inside a container that is not running as root. Which Falco condition would you use?

145

Which kubectl command can you use to view the logs of a specific container in a multi-container pod?

146

Which TWO of the following are valid audit stages in Kubernetes?

147

Which THREE of the following are recommended steps when responding to a compromised pod?

148

A security engineer wants to detect any attempt to spawn a shell inside a container. Which Falco rule condition would trigger on a shell being spawned in a container (e.g., /bin/bash or /bin/sh)?

149

You need to configure the Kubernetes API server to enable audit logging at the 'Metadata' level for all requests. Which flag should be used when starting the kube-apiserver?

150

During a security incident, you need to isolate a compromised pod named 'malicious-pod' in namespace 'default' to prevent it from communicating with other pods. Which command should you run?

151

An administrator wants to ensure that containers in the 'secure-app' namespace cannot write to their own filesystem. Which pod security context setting should be used?

152

A Falco rule is written to detect access to /etc/shadow inside a container. Which condition should be used?

153

You are using crictl to debug a container. Which command lists all running containers on the node?

154

A pod is stuck in 'Pending' state. You run 'kubectl describe pod mypod' and see the event: '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the most likely solution?

155

Which command can be used to view the logs of a container using the container runtime interface (crictl)?

156

You need to enable Kubernetes audit logging with the following requirements: log all requests at the 'RequestResponse' level, but only for successful responses. Which audit stage should you specify in the policy?

157

A security policy requires that all pods in a namespace must run with a read-only root filesystem. Which admission controller can enforce this?

158

You suspect a container has been compromised. You want to preserve the container's filesystem for forensic analysis before terminating the pod. Which approach should you use?

159

Which TWO of the following are valid audit levels in a Kubernetes audit policy? (Select TWO.)

160

Which TWO of the following are valid techniques to detect and respond to runtime incidents in a Kubernetes cluster? (Select TWO.)

161

Which THREE of the following are valid Falco rule priorities? (Select THREE.)

162

Which THREE of the following are valid audit stages in Kubernetes audit logging? (Select THREE.)

163

Which kubectl command can be used to view the live logs of a container in a pod named 'my-pod'?

164

A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would detect this syscall?

165

An administrator wants to enable Kubernetes audit logging with the following requirements: log all requests at the Metadata level, but log all responses at the Request level. Which audit policy configuration achieves this?

166

A pod named 'compromised-pod' is suspected of making unauthorized outbound connections. You want to isolate the pod using a NetworkPolicy. Which policy correctly denies all egress traffic from the pod?

167

Which crictl command lists all running containers on a node?

168

Which TWO of the following are valid audit policy levels in Kubernetes? (Choose two.)

169

Which THREE of the following are recommended steps during incident response for a compromised pod? (Choose three.)

170

Which TWO of the following Falco fields can be used in a rule condition to detect a shell spawned inside a container? (Choose two.)

171

Which TWO of the following are valid audit stages in Kubernetes? (Choose two.)

172

Which THREE of the following are capabilities required for a Falco rule to detect privilege escalation via setuid binary execution? (Choose three.)


Frequently asked questions

What does the Monitoring, Logging and Runtime Security domain cover on the CKS exam?

The Monitoring, Logging and Runtime Security domain covers the key concepts tested in this area of the CKS exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKS domains — no account required.

How many Monitoring, Logging and Runtime Security questions are in the CKS question bank?

The Courseiva CKS question bank contains 172 questions in the Monitoring, Logging and Runtime Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Monitoring, Logging and Runtime Security for CKS?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Monitoring, Logging and Runtime Security questions for CKS?

Yes — the session launcher on this page draws questions exclusively from the Monitoring, Logging and Runtime Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
