You are investigating a pod that is suspected of being compromised. You need to preserve the container's filesystem for forensic analysis. Which `crictl` command should you use to export the container's filesystem as a tar archive?
A Falco rule is written to detect when a shell is spawned inside a container. The rule condition is: `spawned_process and container and proc.name = bash`. The rule is not triggering. Which of the following is the most likely reason?
You are configuring Kubernetes audit logging. You want to log all requests to the `secrets` resource in the `kube-system` namespace at the `RequestResponse` level, while logging all other requests at the `Metadata` level. Which audit policy configuration achieves this?
You have deployed a pod and set `securityContext.readOnlyRootFilesystem: true`. The pod is failing to start with an error about writing to `/tmp`. What is the most likely cause?
An administrator runs `kubectl exec -it nginx-pod -- sh` and inside the container runs `curl http://example.com`. This succeeds. However, the administrator wants to detect such outbound connections using Falco. Which syscall should Falco monitor to detect this network connection?
You are writing a Falco rule to detect when a container tries to read the file `/etc/shadow`. Which condition in the Falco rule correctly matches this event?
You are responding to a security incident where a pod named `compromised-pod` in namespace `default` is suspected of being used for cryptocurrency mining. You need to immediately isolate the pod from the network while preserving evidence. Which command sequence should you use?
A Falco rule has priority `WARNING` and output: `Sensitive file opened (user=%user.name command=%proc.cmdline file=%fd.name)`. The rule is triggering correctly. You want to reduce noise from legitimate administrative activity. What is the best approach?
You need to ensure that all containers in a pod cannot write to their root filesystem except for a specific directory `/data`. You set `securityContext.readOnlyRootFilesystem: true` and mount an emptyDir volume at `/data`. However, the container still cannot write to `/data`. What is the most likely cause?
A security team wants to detect any attempt to read /etc/shadow from within a container using Falco. Which condition in a Falco rule would match this behavior?
A pod is running in the 'default' namespace with a container that has an immutable root filesystem (readOnlyRootFilesystem: true). The application writes logs to /var/log/app.log. What will happen?
You need to configure audit logging for the Kubernetes API server to log all requests at the Metadata level. Which flag and value should you set in the kube-apiserver configuration?
A pod named 'busybox-pod' is compromised. You want to isolate it from all other pods using a NetworkPolicy. Which YAML snippet correctly denies all ingress and egress traffic to/from the pod?
During a runtime incident, you suspect a container has a reverse shell. Which kubectl command can you use to examine the container's running processes from the node level without entering the container?
An administrator needs to preserve evidence from a compromised container. Which approach is BEST for capturing the container's filesystem and memory for later analysis?
A Falco rule triggers when a shell is spawned inside a container. Which condition correctly identifies bash or sh being executed as the first process (PID 1)?
An audit policy is configured with the following rule:

```yaml
- level: RequestResponse
  users: ["system:serviceaccount:kube-system:admin"]
  verbs: ["get", "list"]
  resources:
  - group: ""
    resources: ["secrets"]
```

What will be logged when the service account 'admin' in kube-system performs a GET request on a Secret?
A NodePort service is not accessible from outside the cluster. Which command should you use to check if the service's endpoints are correctly populated?
An administrator wants to monitor runtime security events in Kubernetes using Falco. Which component must be deployed as a DaemonSet to capture system calls from containers?
A security team wants to detect attempts to read /etc/shadow inside containers. Which Falco rule condition would trigger on a container reading that file?
You are investigating a pod that may have been compromised. Which kubectl command allows you to run a shell inside the running container without overwriting the container's filesystem?
You need to configure Kubernetes audit logging to log all requests at the Metadata level except for requests to the 'kube-system' namespace, which should be logged at Request level. How should you structure the audit policy?
A pod has been compromised. You want to isolate it from other pods while preserving its network state for forensics. Which NetworkPolicy rule achieves this?
You are investigating a pod suspected of being compromised. Which set of commands would provide the most useful forensic evidence without altering the container's state?
An admin runs 'kubectl get pods' and sees a pod in 'CrashLoopBackOff' state. The pod's containers have a restart policy of 'Always'. What is the most likely cause?
A developer wants to ensure that a pod can only receive traffic from pods with label 'app: frontend' in the same namespace. Which NetworkPolicy egress rule should be applied to the source pods?
You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the RequestResponse level. Which audit policy rule would achieve this?
A compromised pod is making unexpected outbound connections. You want to isolate the pod by blocking all egress traffic while keeping it running for forensic analysis. Which action is correct?
A Falco rule has the following output: 'Sensitive file opened for reading (user=root command=cat /etc/shadow)'. Which macro is most likely used in the rule condition?
You need to configure Kubernetes audit logging to log all requests at the Metadata level for a specific namespace. Which audit policy level should you use?
A security incident occurred in a pod running in the 'default' namespace. You need to isolate the pod to prevent further damage while preserving evidence. Which set of commands would BEST achieve this?
You are investigating a compromised pod. You suspect the attacker used 'kubectl exec' to gain shell access. Which command can you use to check the audit logs for exec events?
You have deployed a DaemonSet to run a logging agent on every node. After an update, the new pods are stuck in 'Pending' state. You run 'kubectl describe pod ds-pod-xxxxx' and see '0/3 nodes are available: 3 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the MOST likely cause?
You need to configure a NetworkPolicy that allows egress traffic only to an external database at IP 10.0.0.5 on port 5432, and denies all other egress. Which policy BEST achieves this?
You have a pod that is in CrashLoopBackOff. You want to inspect the logs from the previous instance of the container. Which flag should you use with kubectl logs?
A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would trigger an alert for such an event?
You suspect a container has been compromised. You run 'kubectl exec -it <pod> -- bash' to investigate. Which of the following is the BEST next step to preserve evidence?
You have a Falco rule that triggers on 'spawned a shell in a container'. The rule is firing too many false positives. Which field in the Falco rule could you modify to reduce false positives?
A developer reports that a pod cannot reach an external database at 192.168.1.100:3306. The pod's namespace is 'app'. You need to create a NetworkPolicy that allows egress to that IP only. Which policy is correct?
A cluster has audit logging enabled with a policy that sets 'RequestResponse' level for all resources. The cluster is experiencing high etcd write load. Which change would reduce the load MOST effectively?
You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the 'RequestResponse' level, but only log requests from the 'kube-system' namespace. Which audit policy rule is correct?
You are investigating a security incident where a container ran a shell inside a pod. Which Falco rule condition would trigger on a shell spawned in a container?
You need to enable audit logging for the Kubernetes API server to capture all requests at the RequestResponse level. Which flag should you add to the kube-apiserver configuration?
A security team suspects a compromised pod is making unexpected outbound connections to an external IP. Which of the following is the BEST first step to investigate the network traffic from that pod?
An audit policy is configured with the following rule:

```yaml
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
```

What does this rule log for requests to the Secrets API?
You need to create a NetworkPolicy that allows only ingress traffic from pods with label 'app: frontend' in the same namespace. Which policyType and ingress rule should you use?
You suspect a container has been compromised and want to perform forensics using kubectl exec. Which command safely collects the container's process list without affecting the container?
A pod is stuck in Pending state. You run 'kubectl describe pod' and see the event: '0/3 nodes are available: 3 Insufficient cpu'. What is the likely cause?
You are investigating a compromised pod. You need to capture the contents of a file in the container without modifying the container. Which kubectl command should you use?
A Falco rule triggers on 'Write below etc' and you see an alert about a process writing to /etc/shadow. Which syscall is Falco most likely using to detect this?
You want to configure an audit policy to log all requests to the 'secrets' resource with the body at the 'RequestResponse' level. Other resources should be logged at 'Metadata' level. Which audit policy YAML snippet is correct?
You need to isolate a compromised pod named 'malicious-pod' in the 'default' namespace so that it cannot communicate with any other pod, but can still receive traffic from a specific monitoring pod. Which NetworkPolicy should you apply?
During a security incident, you need to snapshot the processes running inside a container without using kubectl exec. Which crictl command sequence can you use?
A security engineer wants to detect any attempt to spawn a shell inside a container. Which Falco rule condition would trigger on a shell being spawned in a container (e.g., /bin/bash or /bin/sh)?
You need to configure the Kubernetes API server to enable audit logging at the 'Metadata' level for all requests. Which flag should be used when starting the kube-apiserver?
During a security incident, you need to isolate a compromised pod named 'malicious-pod' in namespace 'default' to prevent it from communicating with other pods. Which command should you run?
An administrator wants to ensure that containers in the 'secure-app' namespace cannot write to their own filesystem. Which pod security context setting should be used?
A pod is stuck in 'Pending' state. You run 'kubectl describe pod mypod' and see the event: '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the most likely solution?
You need to enable Kubernetes audit logging with the following requirements: log all requests at the 'RequestResponse' level, but only for successful responses. Which audit stage should you specify in the policy?
You suspect a container has been compromised. You want to preserve the container's filesystem for forensic analysis before terminating the pod. Which approach should you use?
An administrator wants to enable Kubernetes audit logging with the following requirements: log all requests at the Metadata level, but log all responses at the Request level. Which audit policy configuration achieves this?
A pod named 'compromised-pod' is suspected of making unauthorized outbound connections. You want to isolate the pod using a NetworkPolicy. Which policy correctly denies all egress traffic from the pod?