CKS Monitoring, Logging and Runtime Security • Complete Question Bank

CKS Monitoring, Logging and Runtime Security — All Questions With Answers

Complete CKS Monitoring, Logging and Runtime Security question bank — all 0 questions with answers and detailed explanations.

172 questions
Question 1 (medium, multiple choice)

You are investigating a pod that is suspected of being compromised. You need to preserve the container's filesystem for forensic analysis. Which `crictl` command should you use to export the container's filesystem as a tar archive?

Question 2 (hard, multiple choice)

A Falco rule is written to detect when a shell is spawned inside a container. The rule condition is: `spawned_process and container and proc.name = bash`. The rule is not triggering. Which of the following is the most likely reason?

Question 3 (medium, multiple choice)

You are configuring Kubernetes audit logging. You want to log all requests to the `secrets` resource in the `kube-system` namespace at the `RequestResponse` level, while logging all other requests at the `Metadata` level. Which audit policy configuration achieves this?

Question 4 (easy, multiple choice)

You have deployed a pod and set `securityContext.readOnlyRootFilesystem: true`. The pod is failing to start with an error about writing to `/tmp`. What is the most likely cause?

Question 5 (medium, multiple choice)

An administrator runs `kubectl exec -it nginx-pod -- sh` and inside the container runs `curl http://example.com`. This succeeds. However, the administrator wants to detect such outbound connections using Falco. Which syscall should Falco monitor to detect this network connection?

Question 6 (hard, multiple choice)

You are writing a Falco rule to detect when a container tries to read the file `/etc/shadow`. Which condition in the Falco rule correctly matches this event?

Question 7 (medium, multiple choice)

You are responding to a security incident where a pod named `compromised-pod` in namespace `default` is suspected of being used for cryptocurrency mining. You need to immediately isolate the pod from the network while preserving evidence. Which command sequence should you use?

Question 8 (easy, multiple choice)

Which Kubernetes resource is used to define audit logging configuration?

Question 9 (medium, multiple choice)

A Falco rule has priority `WARNING` and output: `Sensitive file opened (user=%user.name command=%proc.cmdline file=%fd.name)`. The rule is triggering correctly. You want to reduce noise from legitimate administrative activity. What is the best approach?

Question 10 (hard, multiple choice)

You need to ensure that all containers in a pod cannot write to their root filesystem except for a specific directory `/data`. You set `securityContext.readOnlyRootFilesystem: true` and mount an emptyDir volume at `/data`. However, the container still cannot write to `/data`. What is the most likely cause?

Question 11 (medium, multiple choice)

You are using `crictl` to debug a container that is not responding. Which command should you use to get the list of running containers?

Question 12 (easy, multiple choice)

Which audit policy level logs the request metadata and the request body?

Question 13 (medium, multi select)

Which TWO of the following are valid audit stages in Kubernetes? (Select 2)

Question 14 (hard, multi select)

Which THREE of the following are common indicators of a container compromise that Falco can detect? (Select 3)

Question 15 (medium, multi select)

Which TWO are valid stages in a Kubernetes audit event? (Select 2)

Question 16 (easy, multiple choice)

Which kubectl command can be used to exec into a running container for forensic analysis during an incident response?

Question 17 (medium, multiple choice)

An administrator runs 'falco --list' and sees many default rules. What is the correct way to load a custom Falco rules file?

Question 18 (hard, multiple choice)

A security team wants to detect any attempt to read /etc/shadow from within a container using Falco. Which condition in a Falco rule would match this behavior?

Question 19 (medium, multiple choice)

You need to configure Kubernetes audit logging to log all requests to the 'secrets' API. Which audit policy level captures the body of the request?

Question 20 (medium, multiple choice)

You run 'crictl ps' and see no output, but the node has running pods. What is the most likely cause?

Question 21 (easy, multiple choice)

To isolate a compromised pod and prevent all incoming and outgoing traffic, which Kubernetes resource should you use?

Question 22 (hard, multiple choice)

A Falco rule has the following condition: spawned_process and container and proc.name = bash and proc.pname != sshd. What does this rule detect?

Question 23 (medium, multiple choice)

You need to preserve evidence (container logs) from a compromised pod before deleting it. Which command should you run first?

Question 24 (medium, multiple choice)

Which audit stage in Kubernetes audit logging captures the stage after a request is processed and before a response is sent?

Question 25 (easy, multiple choice)

Which crictl command is used to view logs from a specific container?

Question 26 (medium, multiple choice)

A pod has securityContext.readOnlyRootFilesystem: true. What happens if a process inside the container tries to write to the root filesystem?

Question 27 (hard, multiple choice)

Which of the following is NOT a valid priority level in a Falco rule?

Question 28 (medium, multi select)

Which TWO of the following are valid methods to detect a container spawning a shell (e.g., /bin/bash) using Falco? (Select two.)

Question 29 (hard, multi select)

Which THREE of the following are required components to enable audit logging in Kubernetes? (Select three.)

Question 30 (medium, multi select)

Which TWO of the following are valid steps to respond to a runtime security incident where a container is suspected to be compromised? (Select two.)

Question 31 (easy, multiple choice)

A security team wants to detect any attempt to open /etc/shadow in a container. Which Falco rule condition field is MOST appropriate?

Question 32 (easy, multiple choice)

An admin runs 'crictl ps' on a node and sees multiple containers. Which command should they use to view the logs of a specific container?

Question 33 (medium, multiple choice)

A pod is running in the 'default' namespace with a container that has an immutable root filesystem (readOnlyRootFilesystem: true). The application writes logs to /var/log/app.log. What will happen?

Question 34 (medium, multiple choice)

You need to configure audit logging for the Kubernetes API server to log all requests at the Metadata level. Which flag and value should you set in the kube-apiserver configuration?

Question 35 (medium, multiple choice)

A pod named 'busybox-pod' is compromised. You want to isolate it from all other pods using a NetworkPolicy. Which YAML snippet correctly denies all ingress and egress traffic to/from the pod?

Question 36 (medium, multiple choice)

During a runtime incident, you suspect a container has a reverse shell. Which kubectl command can you use to examine the container's running processes from the node level without entering the container?

Question 37 (medium, multiple choice)

An administrator needs to preserve evidence from a compromised container. Which approach is BEST for capturing the container's filesystem and memory for later analysis?

Question 38 (hard, multiple choice)

A Falco rule triggers when a shell is spawned inside a container. Which condition correctly identifies bash or sh being executed as the first process (PID 1)?

Question 39 (hard, multiple choice)

An audit policy is configured with the following rule:

    - level: RequestResponse
      users: ["system:serviceaccount:kube-system:admin"]
      verbs: ["get", "list"]
      resources:
      - group: ""
        resources: ["secrets"]

What will be logged when the service account 'admin' in kube-system performs a GET request on a Secret?

Question 40 (hard, multiple choice)

You need to detect any unexpected outbound connections from pods in the 'production' namespace. Which Falco rule condition is MOST appropriate?

Question 41 (medium, multiple choice)

A NodePort service is not accessible from outside the cluster. Which command should you use to check if the service's endpoints are correctly populated?

Question 42 (easy, multiple choice)

To ensure a container's filesystem is read-only, which field should be set to 'true' in the container spec?

Question 43 (medium, multi select)

Which TWO of the following are valid audit stages in Kubernetes audit logging? (Choose two)

Question 44 (hard, multi select)

Which THREE of the following are valid techniques for isolating a compromised pod during incident response? (Choose three)

Question 45 (hard, multi select)

Which TWO Falco priority levels are correctly ordered from lowest to highest severity? (Choose two correct sequences)

Question 46 (easy, multiple choice)

An administrator wants to monitor runtime security events in Kubernetes using Falco. Which component must be deployed as a DaemonSet to capture system calls from containers?

Question 47 (easy, multiple choice)

A security team wants to detect attempts to read /etc/shadow inside containers. Which Falco rule condition would trigger on a container reading that file?

Question 48 (medium, multiple choice)

You are investigating a pod that may have been compromised. Which kubectl command allows you to run a shell inside the running container without overwriting the container's filesystem?

Question 49 (medium, multiple choice)

An audit policy is configured with level: Request. Which operations are recorded in the audit log?

Question 50 (medium, multiple choice)

A cluster administrator wants to enforce that containers run with a read-only root filesystem. Which security context field should be set?

Question 51 (medium, multiple choice)

You suspect a pod is making unexpected outbound connections. Which tool can you use to inspect network connections from within the container?

Question 52 (hard, multiple choice)

A Falco rule has priority: CRITICAL and condition: evt.type=execve and proc.name!=bash. What does this rule detect?

Question 53 (hard, multiple choice)

You need to configure Kubernetes audit logging to log all requests at the Metadata level except for requests to the 'kube-system' namespace, which should be logged at Request level. How should you structure the audit policy?

Question 54 (easy, multiple choice)

Which stage of the Kubernetes API request processing should be audited to capture the final response sent to the client?

Question 55 (medium, multiple choice)

You run 'crictl ps' and see a container with state CONTAINER_RUNNING. What does this indicate?

Question 56 (hard, multiple choice)

A pod has been compromised. You want to isolate it from other pods while preserving its network state for forensics. Which NetworkPolicy rule achieves this?

Question 57 (medium, multiple choice)

You need to detect any attempt to run a shell inside a container using Falco. Which macro or condition should you use?

Question 58 (medium, multi select)

Which TWO of the following are valid Falco output fields?

Question 59 (medium, multi select)

Which THREE stages can be configured for Kubernetes audit logging?

Question 60 (hard, multi select)

You need to preserve forensic evidence from a compromised pod. Which TWO actions should you take?

Question 61 (medium, multiple choice)

A security team wants to detect any attempt to spawn an interactive shell inside a container. Which Falco rule condition would be appropriate?

Question 62 (medium, multiple choice)

You have configured an audit policy with level: Request. Which request information is logged?

Question 63 (hard, multiple choice)

You are investigating a pod suspected of being compromised. Which set of commands would provide the most useful forensic evidence without altering the container's state?

Question 64 (easy, multiple choice)

What is the purpose of setting a container's filesystem to read-only in a Pod spec?

Question 65 (medium, multiple choice)

Which crictl command can you use to view the logs of a specific container?

Question 66 (hard, multiple choice)

You are writing a Falco rule to detect privilege escalation via setuid binaries. Which syscall should the rule monitor?

Question 67 (easy, multiple choice)

An admin runs 'kubectl get pods' and sees a pod in 'CrashLoopBackOff' state. The pod's containers have a restart policy of 'Always'. What is the most likely cause?

Question 68 (medium, multiple choice)

A developer wants to ensure that a pod can only receive traffic from pods with label 'app: frontend' in the same namespace. Which NetworkPolicy egress rule should be applied to the source pods?

Question 69 (medium, multiple choice)

You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the RequestResponse level. Which audit policy rule would achieve this?

Question 70 (hard, multiple choice)

A compromised pod is making unexpected outbound connections. You want to isolate the pod by blocking all egress traffic while keeping it running for forensic analysis. Which action is correct?

Question 71 (easy, multiple choice)

Which flag must be provided to the kube-apiserver to enable audit logging?

Question 72 (medium, multiple choice)

A Falco rule has the following output: 'Sensitive file opened for reading (user=root command=cat /etc/shadow)'. Which macro is most likely used in the rule condition?

Question 73 (medium, multi select)

Which TWO of the following are valid audit stages in Kubernetes audit logging?

Question 74 (hard, multi select)

Which THREE of the following are recommended incident response steps when a container is compromised?

Question 75 (easy, multi select)

Which TWO tools can be used to directly interact with the container runtime (without going through the Kubernetes API) for troubleshooting?

Question 76 (easy, multiple choice)

Which Falco rule priority is used to indicate a potentially malicious activity that should be investigated?

Question 77 (medium, multiple choice)

You need to configure Kubernetes audit logging to log all requests at the Metadata level for a specific namespace. Which audit policy level should you use?

Question 78 (hard, multiple choice)

A security incident occurred in a pod running in the 'default' namespace. You need to isolate the pod to prevent further damage while preserving evidence. Which set of commands would BEST achieve this?

Question 79 (medium, multiple choice)

Which crictl command is used to view the logs of a specific container?

Question 80 (medium, multiple choice)

A Falco rule is triggered when a shell is spawned inside a container. Which syscall is typically used to detect shell execution?

Question 81 (easy, multiple choice)

Which Kubernetes resource can be used to enforce that a container's filesystem is read-only?

Question 82 (medium, multiple choice)

You are investigating a compromised pod. You suspect the attacker used 'kubectl exec' to gain shell access. Which command can you use to check the audit logs for exec events?

Question 83 (hard, multiple choice)

You have deployed a DaemonSet to run a logging agent on every node. After an update, the new pods are stuck in 'Pending' state. You run 'kubectl describe pod ds-pod-xxxxx' and see '0/3 nodes are available: 3 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the MOST likely cause?

Question 84 (medium, multiple choice)

Which Falco rule condition would detect an attempt to read the /etc/shadow file in a container?

Question 85 (easy, multiple choice)

You want to ensure that a container's root filesystem is immutable. Which field in the Pod spec should you set?

Question 86 (hard, multiple choice)

You need to configure a NetworkPolicy that allows egress traffic only to an external database at IP 10.0.0.5 on port 5432, and denies all other egress. Which policy BEST achieves this?

Question 87 (medium, multiple choice)

You have a pod that is in CrashLoopBackOff. You want to inspect the logs from the previous instance of the container. Which flag should you use with kubectl logs?

Question 88 (medium, multi select)

Which TWO of the following are valid audit stages in Kubernetes audit logging?

Question 89 (hard, multi select)

Which THREE of the following are recommended steps during incident response for a compromised pod?

Question 90 (easy, multi select)

Which TWO tools can be used to directly interact with a container runtime on a Kubernetes node without using kubectl?

Question 91 (medium, multiple choice)

A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would trigger an alert for such an event?

Question 92 (easy, multiple choice)

You need to configure the Kubernetes API server to log all requests at the Metadata level. Which flag should you use when starting kube-apiserver?

Question 93 (easy, multiple choice)

You want to run crictl to list all running containers on a node. Which command should you execute?

Question 94 (medium, multiple choice)

A pod runs with an immutable root filesystem (readOnlyRootFilesystem: true). The application attempts to write to /tmp. What is the expected behavior?

Question 95 (medium, multiple choice)

You suspect a container has been compromised. You run 'kubectl exec -it <pod> -- bash' to investigate. Which of the following is the BEST next step to preserve evidence?

Question 96 (hard, multiple choice)

You have a Falco rule that triggers on 'spawned a shell in a container'. The rule is firing too many false positives. Which field in the Falco rule could you modify to reduce false positives?

Question 97 (medium, multiple choice)

A developer reports that a pod cannot reach an external database at 192.168.1.100:3306. The pod's namespace is 'app'. You need to create a NetworkPolicy that allows egress to that IP only. Which policy is correct?

Question 98 (medium, multiple choice)

You need to detect when a container attempts to mount the host's Docker socket. Which Falco macro or condition would you use?

Question 99 (hard, multiple choice)

A cluster has audit logging enabled with a policy that sets 'RequestResponse' level for all resources. The cluster is experiencing high etcd write load. Which change would reduce the load MOST effectively?

Question 100 (easy, multiple choice)

You want to isolate a compromised pod by blocking all network traffic to and from it. Which NetworkPolicy would you apply?

Question 101 (medium, multiple choice)

A Falco rule is configured to detect privilege escalation via setuid binaries. Which syscall is commonly associated with this activity?

Question 102 (hard, multiple choice)

You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the 'RequestResponse' level, but only log requests from the 'kube-system' namespace. Which audit policy rule is correct?

Question 103 (medium, multiple choice)

You are investigating a security incident where a container ran a shell inside a pod. Which Falco rule condition would trigger on a shell spawned in a container?

Question 104 (easy, multiple choice)

You need to enable audit logging for the Kubernetes API server to capture all requests at the RequestResponse level. Which flag should you add to the kube-apiserver configuration?

Question 105 (hard, multiple choice)

A security team suspects a compromised pod is making unexpected outbound connections to an external IP. Which of the following is the BEST first step to investigate the network traffic from that pod?

Question 106 (medium, multiple choice)

You need to configure a Kubernetes Pod to have an immutable root filesystem. Which field should you set in the Pod spec?

Question 107 (hard, multiple choice)

An incident responder needs to isolate a compromised pod immediately without deleting it. Which action should they take?

Question 108 (medium, multiple choice)

Which crictl command is used to view the logs of a specific container in a node?

Question 109 (easy, multiple choice)

In a Falco rule, what does the 'priority' field indicate?

Question 110 (medium, multiple choice)

You are writing a Falco rule to detect when a container tries to read /etc/shadow. Which condition should you use?

Question 111 (hard, multiple choice)

An audit policy is configured with the following rule:

    - level: Metadata
      resources:
      - group: ""
        resources: ["secrets"]

What does this rule log for requests to the Secrets API?

Question 112 (easy, multiple choice)

Which kubectl command can be used to execute a shell inside a running container for forensic analysis?

Question 113 (medium, multiple choice)

You need to create a NetworkPolicy that allows only ingress traffic from pods with label 'app: frontend' in the same namespace. Which policyType and ingress rule should you use?

Question 114 (medium, multiple choice)

An administrator runs 'crictl ps' and sees no containers listed, but kubectl shows running pods. What is the most likely cause?

Question 115 (medium, multi select)

Which TWO of the following are valid audit stages in Kubernetes audit logging?

Question 116 (hard, multi select)

Which THREE of the following are effective methods to preserve evidence during a container security incident?

Question 117 (easy, multi select)

Which TWO of the following are valid priority levels in Falco rules?

Question 118 (medium, multiple choice)

A security admin needs to audit all API requests to the Kubernetes API server. Which audit policy level logs the request body and response body?

Question 119 (easy, multiple choice)

Falco detects a shell being opened inside a container. Which Falco rule field is used to specify the syscall condition for detection?

Question 120 (medium, multiple choice)

A container has been compromised. You need to isolate it by denying all network traffic. Which NetworkPolicy manifest achieves this?

Question 121 (hard, multiple choice)

An administrator wants to set an immutable root filesystem for a container in a Pod. Which securityContext field should be set to true?

Question 122 (medium, multiple choice)

You need to detect any attempt to read /etc/shadow inside a container using Falco. Which macro would you use in the condition?

Question 123 (easy, multiple choice)

Which crictl command is used to list all running containers managed by the container runtime?

Question 124 (medium, multiple choice)

You suspect a container has been compromised and want to perform forensics using kubectl exec. Which command safely collects the container's process list without affecting the container?

Question 125 (hard, multiple choice)

A pod is stuck in Pending state. You run 'kubectl describe pod' and see the event: '0/3 nodes are available: 3 Insufficient cpu'. What is the likely cause?

Question 126 (easy, multiple choice)

Which audit stage is logged after the request is fully processed and the response is sent?

Question 127 (medium, multiple choice)

A Falco rule detects unexpected outbound connections. Which condition would identify a connection to an external IP not in the allowed list?

Question 128 (hard, multiple choice)

You need to ensure a container's filesystem is immutable at runtime except for a temporary volume. Which Pod spec configuration achieves this?

Question 129 (medium, multiple choice)

You want to preserve evidence from a compromised pod. Which command should you use to copy the entire container filesystem to a safe location?

Question 130 (medium, multi-select)

Which TWO of the following are valid Falco rule priorities?

Question 131 (hard, multi-select)

Which THREE of the following are true about Kubernetes audit logging?

Question 132 (easy, multi-select)

Which TWO crictl commands can be used to inspect a running container?

Question 133 (easy, multiple choice)

You suspect a container is running an unexpected process. Which crictl command can you use to list all running containers on the node?

Question 134 (easy, multiple choice)

Which flag is used when starting kube-apiserver to enable audit logging?

Question 135 (medium, multiple choice)

You are investigating a compromised pod. You need to capture the contents of a file in the container without modifying the container. Which kubectl command should you use?

Question 136 (medium, multiple choice)

A Falco rule triggers on 'Write below etc' and you see an alert about a process writing to /etc/shadow. Which syscall is Falco most likely using to detect this?

Question 137 (hard, multiple choice)

In a Falco rule, you have the condition: 'evt.type=execve and proc.name=bash and container.id!=host'. What does this rule detect?

Question 138 (hard, multiple choice)

You want to configure an audit policy to log all requests to the 'secrets' resource with the body at the 'RequestResponse' level. Other resources should be logged at 'Metadata' level. Which audit policy YAML snippet is correct?

Question 139 (medium, multiple choice)

You need to isolate a compromised pod named 'malicious-pod' in the 'default' namespace so that it cannot communicate with any other pod, but can still receive traffic from a specific monitoring pod. Which NetworkPolicy should you apply?

Question 140 (medium, multiple choice)

You run 'kubectl exec -it <pod> -- /bin/sh' inside a pod that has an immutable root filesystem. What happens?

Question 141 (hard, multiple choice)

During a security incident, you need to snapshot the processes running inside a container without using kubectl exec. Which crictl command sequence can you use?

Question 142 (easy, multiple choice)

Which audit policy level logs all requests and responses, including the request body and response body?

Question 143 (medium, multiple choice)

A Falco rule has the condition: 'evt.type=open and fd.name contains /etc/shadow and container.id != host'. What is being detected?

Question 144 (hard, multiple choice)

You want to detect any attempt to run a shell inside a container that is not running as root. Which Falco condition would you use?

Question 145 (medium, multiple choice)

Which kubectl command can you use to view the logs of a specific container in a multi-container pod?

Question 146 (medium, multi-select)

Which TWO of the following are valid audit stages in Kubernetes?

Question 147 (hard, multi-select)

Which THREE of the following are recommended steps when responding to a compromised pod?

Question 148 (medium, multiple choice)

A security engineer wants to detect any attempt to spawn a shell inside a container. Which Falco rule condition would trigger on a shell being spawned in a container (e.g., /bin/bash or /bin/sh)?

Question 149 (easy, multiple choice)

You need to configure the Kubernetes API server to enable audit logging at the 'Metadata' level for all requests. Which flag should be used when starting the kube-apiserver?

Question 150 (hard, multiple choice)

During a security incident, you need to isolate a compromised pod named 'malicious-pod' in namespace 'default' to prevent it from communicating with other pods. Which command should you run?

Question 151 (medium, multiple choice)

An administrator wants to ensure that containers in the 'secure-app' namespace cannot write to their own filesystem. Which pod security context setting should be used?

Question 152 (hard, multiple choice)

A Falco rule is written to detect access to /etc/shadow inside a container. Which condition should be used?

Question 153 (easy, multiple choice)

You are using crictl to debug a container. Which command lists all running containers on the node?

Question 154 (medium, multiple choice)

A pod is stuck in 'Pending' state. You run 'kubectl describe pod mypod' and see the event: '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the most likely solution?

Question 155 (easy, multiple choice)

Which command can be used to view the logs of a container using the container runtime interface (crictl)?

Question 156 (hard, multiple choice)

You need to enable Kubernetes audit logging with the following requirements: log all requests at the 'RequestResponse' level, but only for successful responses. Which audit stage should you specify in the policy?

Question 157 (medium, multiple choice)

A security policy requires that all pods in a namespace must run with a read-only root filesystem. Which admission controller can enforce this?

Question 158 (medium, multiple choice)

You suspect a container has been compromised. You want to preserve the container's filesystem for forensic analysis before terminating the pod. Which approach should you use?

Question 159 (medium, multi-select)

Which TWO of the following are valid audit levels in a Kubernetes audit policy? (Select TWO.)

Question 160 (medium, multi-select)

Which TWO of the following are valid techniques to detect and respond to runtime incidents in a Kubernetes cluster? (Select TWO.)

Question 161 (hard, multi-select)

Which THREE of the following are valid Falco rule priorities? (Select THREE.)

Question 162 (hard, multi-select)

Which THREE of the following are valid audit stages in Kubernetes audit logging? (Select THREE.)

Question 163 (easy, multiple choice)

Which kubectl command can be used to view the live logs of a container in a pod named 'my-pod'?

Question 164 (medium, multiple choice)

A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would detect this syscall?

Question 165 (hard, multiple choice)

An administrator wants to enable Kubernetes audit logging with the following requirements: log all requests at the Metadata level, but log all responses at the Request level. Which audit policy configuration achieves this?

Question 166 (medium, multiple choice)

A pod named 'compromised-pod' is suspected of making unauthorized outbound connections. You want to isolate the pod using a NetworkPolicy. Which policy correctly denies all egress traffic from the pod?

Question 167 (easy, multiple choice)

Which crictl command lists all running containers on a node?

Question 168 (medium, multi-select)

Which TWO of the following are valid audit policy levels in Kubernetes? (Choose two.)

Question 169 (hard, multi-select)

Which THREE of the following are recommended steps during incident response for a compromised pod? (Choose three.)

Question 170 (medium, multi-select)

Which TWO of the following Falco fields can be used in a rule condition to detect a shell spawned inside a container? (Choose two.)

Question 171 (easy, multi-select)

Which TWO of the following are valid audit stages in Kubernetes? (Choose two.)

Question 172 (hard, multi-select)

Which THREE of the following are capabilities required for a Falco rule to detect privilege escalation via setuid binary execution? (Choose three.)
