CCNA Monitoring, Logging and Runtime Security Questions

75 of 172 questions · Page 1/3 · Monitoring, Logging and Runtime Security · Answers revealed

1
MCQ · hard

In a Falco rule, you have the condition: 'evt.type=execve and proc.name=bash and container.id!=host'. What does this rule detect?

A. A non-root bash process on the host
B. A bash shell being spawned inside a container
C. An interactive shell session inside a container
D. A bash process reading /etc/shadow
Answer: B

The rule matches execve events where the process name is bash and it is not running on the host (i.e., inside a container).

Why this answer

The rule triggers when a bash shell is executed (execve) inside any container (container.id != host). It does not check for interactive use; it simply detects bash execution.

2
MCQ · easy

To ensure a container's filesystem is read-only, which field should be set to 'true' in the container spec?

A. securityContext.readOnlyRootFilesystem
B. securityContext.runAsNonRoot
C. container.fsGroup
D. podSpec.containers.readonly
Answer: A

This is the correct field in the container's security context.

Why this answer

The securityContext field readOnlyRootFilesystem controls whether the container's root filesystem is read-only. The other options are either non-existent or have different effects.

3
MCQ · medium

You need to configure audit logging for the Kubernetes API server to log all requests at the Metadata level. Which flag and value should you set in the kube-apiserver configuration?

A. --audit-policy-file=/etc/kubernetes/audit-policy.yaml
B. --audit-webhook-config=/etc/kubernetes/audit-webhook.yaml
C. --audit-log-path=/var/log/audit.log
D. --audit-log-format=json
Answer: A

This flag specifies the path to the audit policy file, which defines rules including the level.

Why this answer

The --audit-policy-file flag points to a YAML file defining the audit policy. The policy file sets the level (Metadata) and stages. The other options are incorrect: --audit-log-path sets the log file, --audit-log-format sets the format, and --audit-webhook-config is for the webhook backend.

4
Multi-Select · medium

Which TWO of the following are valid Falco rule priorities?

Select 2 answers
A. MEDIUM
B. WARNING
C. HIGH
D. CRITICAL
E. LOW
Answers: B, D

WARNING is a valid priority.

Why this answer

Falco priorities include EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. HIGH and MEDIUM are not valid.

5
Multi-Select · medium

Which TWO of the following are valid audit stages in Kubernetes audit logging?

Select 2 answers
A. Authentication
B. ResponseComplete
C. Authorization
D. RequestReceived
E. ResponseStarted
Answers: B, D

Correct. This stage logs after the full response is sent.

Why this answer

Valid audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. RequestReceived and ResponseComplete are correct.

6
MCQ · easy

In a Falco rule, what does the 'priority' field indicate?

A. The syscall filter condition
B. The format of the output message
C. The severity level of the event
D. The rule name
Answer: C

Correct: Priority defines how severe the event is.

Why this answer

The priority field sets the severity level of the rule (e.g., CRITICAL, WARNING). Option B is about the output format, option A is the filter condition, option D is about the rule name.

7
MCQ · medium

An administrator wants to ensure that containers in the 'secure-app' namespace cannot write to their own filesystem. Which pod security context setting should be used?

A. securityContext: { runAsNonRoot: true }
B. securityContext: { privileged: false }
C. securityContext: { capabilities: { drop: ["ALL"] } }
D. securityContext: { readOnlyRootFilesystem: true }
Answer: D

Correct. This setting makes the container's root filesystem read-only.

Why this answer

Immutable container filesystem is achieved by setting readOnlyRootFilesystem: true in the securityContext of the container. This prevents writes to the root filesystem.

8
MCQ · medium

You are investigating a pod that is suspected of being compromised. You need to preserve the container's filesystem for forensic analysis. Which `crictl` command should you use to export the container's filesystem as a tar archive?

A. crictl logs <container-id>
B. crictl export <container-id>
C. crictl inspect <container-id>
D. crictl exec <container-id> tar cvf /tmp/fs.tar /
Answer: B

Correct: crictl export exports the container's filesystem as a tar archive.

Why this answer

`crictl export` exports the container's filesystem as a tar archive. `crictl inspect` shows container metadata, not filesystem content. `crictl logs` retrieves logs. `crictl exec` runs commands in the container but does not export the filesystem.

9
MCQ · medium

You are writing a Falco rule to detect when a container tries to read /etc/shadow. Which condition should you use?

A. fd.name=/etc/shadow and container.id != host
B. fd.name=/etc/passwd
C. container.id != host
D. fd.name=/etc/shadow
Answer: A

Correct: This targets containers accessing the shadow file.

Why this answer

The condition 'fd.name=/etc/shadow and container.id != host' ensures the file accessed is /etc/shadow and that the access comes from a container (not the host). Option D misses the container check, option B is for /etc/passwd, option C is incomplete.

10
MCQ · medium

You have configured an audit policy with level: Request. Which request information is logged?

A. Only metadata for the request
B. Nothing is logged because Request is not a valid level
C. Request metadata and request body
D. Request metadata, request body, and response body
Answer: C

Correct. Request level includes metadata plus the request body.

Why this answer

The Request level logs request metadata and request body. This is more detailed than Metadata but less than RequestResponse.

11
MCQ · medium

A cluster administrator wants to enforce that containers run with a read-only root filesystem. Which security context field should be set?

A. privileged: false
B. readOnlyRootFilesystem: true
C. readOnly: true
D. allowPrivilegeEscalation: false
Answer: B

This is the correct field to set the root filesystem read-only.

Why this answer

readOnlyRootFilesystem: true makes the container's root filesystem read-only.

12
MCQ · medium

During a runtime incident, you suspect a container has a reverse shell. Which kubectl command can you use to examine the container's running processes from the node level without entering the container?

A. kubectl logs <pod-name>
B. kubectl exec <pod-name> -- ps aux
C. kubectl top pod <pod-name>
D. kubectl describe pod <pod-name>
Answer: B

This runs ps aux inside the container, listing all processes.

Why this answer

Using kubectl exec to enter the container and run 'ps aux' is the standard way to view the processes inside it. The other options: kubectl top pod shows resource usage, not processes; kubectl logs shows logs; kubectl describe pod shows metadata.

13
Multi-Select · medium

Which TWO of the following are valid audit stages in Kubernetes? (Select 2)

Select 2 answers
A. RequestEvaluated
B. All of the above
C. ResponseStarted
D. RequestReceived
E. ResponseSent
Answers: C, D

ResponseStarted is a valid audit stage, logged when the response headers are sent.

Why this answer

The valid audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. ResponseStarted and RequestReceived are among them. 'RequestEvaluated' and 'ResponseSent' are not valid stages.

14
MCQ · hard

A Falco rule has priority: CRITICAL and condition: evt.type=execve and proc.name!=bash. What does this rule detect?

A. Any process spawning bash
B. All execve events except bash regardless of namespace
C. All execve events inside containers except bash
D. All execve events on the host except bash
Answer: D

Without a container filter, the rule applies to all execve events, including host.

Why this answer

It triggers on execve syscalls where the process name is not bash, but the condition doesn't specify container context, so it may fire on host processes as well.

15
MCQ · hard

A pod has been compromised. You want to isolate it from other pods while preserving its network state for forensics. Which NetworkPolicy rule achieves this?

A. Deny all ingress and egress traffic to/from the pod's namespace
B. Create a NetworkPolicy with podSelector matching the compromised pod and empty ingress/egress rules (deny all)
C. Add a label to the pod and create a NetworkPolicy allowing only traffic from a forensic pod
D. Delete the pod
Answer: B

This denies all traffic to/from that specific pod.

Why this answer

A NetworkPolicy whose podSelector matches the compromised pod, with ingress/egress rules that deny all traffic except to the specific endpoints needed for investigation, isolates the pod while keeping it running for forensics.

16
Multi-Select · medium

Which TWO of the following Falco fields can be used in a rule condition to detect a shell spawned inside a container? (Choose two.)

Select 2 answers
A. evt.type
B. k8s.ns.name
C. proc.pname
D. container.id
E. proc.name
Answers: C, E

Parent process name; shell often spawned by another process.

Why this answer

Falco's 'proc.name' matches the process name (e.g., bash, sh). 'container.id' identifies the container. 'evt.type' is for syscall type, not process name. 'k8s.ns.name' is namespace, not shell detection. 'fd.name' is file path.

17
MCQ · medium

You need to create a NetworkPolicy that allows only ingress traffic from pods with label 'app: frontend' in the same namespace. Which policyType and ingress rule should you use?

A.
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
B.
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: {}
C.
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector: {}
D.
  policyTypes: [Egress]
Answer: A

Correct: This restricts ingress to pods with label app: frontend.

Why this answer

The correct policy uses 'policyTypes: [Ingress]' and an ingress rule with a podSelector matching 'app: frontend'. Option B uses podSelector: {}, which selects all pods; option D has no ingress rule; option C uses namespaceSelector incorrectly.

18
MCQ · hard

An audit policy is configured with the following rule:

  - level: RequestResponse
    users: ["system:serviceaccount:kube-system:admin"]
    verbs: ["get", "list"]
    resources:
    - group: ""
      resources: ["secrets"]

What will be logged when the service account 'admin' in kube-system performs a GET request on a Secret?

A. Only the request metadata will be logged
B. Only the response will be logged
C. The request and response metadata and body will be logged
D. Nothing will be logged because the rule uses an empty api group
Answer: C

RequestResponse level logs both the request and the response objects.

Why this answer

The rule matches the user, verb, and resource, and sets the level to RequestResponse. Under the audit policy, this means the log entry will include both the request and the response (metadata and body). Option C is correct.

19
MCQ · hard

A compromised pod is making unexpected outbound connections. You want to isolate the pod by blocking all egress traffic while keeping it running for forensic analysis. Which action is correct?

A. Use kubectl exec to kill the outbound processes inside the container
B. Apply a NetworkPolicy that selects the pod and has no egress rules, effectively blocking all outbound traffic
C. Modify the pod's /etc/hosts to block external IPs
D. Delete the pod and recreate it with a restrictive NetworkPolicy
Answer: B

Correct. A NetworkPolicy with an empty egress list (or egress: []) will deny all egress traffic by default. This isolates the pod while keeping it running.

Why this answer

Applying a NetworkPolicy that denies all egress traffic (podSelector: {} with no egress rules) while allowing all ingress (so the pod continues receiving requests) will isolate the pod. The policy must target the specific pod via podSelector. Option B achieves this.

20
MCQ · hard

You need to configure a NetworkPolicy that allows egress traffic only to an external database at IP 10.0.0.5 on port 5432, and denies all other egress. Which policy BEST achieves this?

A.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: db-egress
  spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
      ports:
      - port: 5432
B.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: db-egress
  spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress:
    - to:
      - podSelector:
          matchLabels:
            app: db
C.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: db-egress
  spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress: []
D.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: db-egress
  spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress:
    - to:
      - ipBlock:
          cidr: 10.0.0.5/32
      ports:
      - port: 5432
Answer: D

This policy allows egress only to the specified IP and port, and denies all other egress due to default deny.

Why this answer

The correct policy has an egress rule that allows traffic to 10.0.0.5 on port 5432, and no other egress rules, so all other egress is denied by default.

21
Multi-Select · hard

Which THREE of the following are recommended steps during incident response for a compromised pod? (Choose three.)

Select 3 answers
A. Take a memory dump of the container for analysis
B. Delete the entire namespace containing the pod
C. Use kubectl logs and kubectl exec to collect forensic data
D. Apply a NetworkPolicy to deny egress traffic from the pod
E. Immediately restart the pod to stop the attack
Answers: A, C, D

Preserves in-memory evidence.

Why this answer

Isolating via egress denial, collecting logs/exec output, and taking a memory dump for forensic analysis are appropriate. Restarting pods may destroy evidence, and deleting the namespace is too drastic.

22
MCQ · medium

A Falco rule triggers on 'Write below etc' and you see an alert about a process writing to /etc/shadow. Which syscall is Falco most likely using to detect this?

A. open
B. chmod
C. write
D. openat
Answer: C

Falco monitors write syscalls to detect modifications to sensitive files like /etc/shadow.

Why this answer

Falco uses system calls to monitor file writes. The 'write' syscall is used when a process writes data to a file. 'open' and 'openat' are used to open files, but the actual write event is captured by 'write'. 'chmod' changes permissions.

23
MCQ · hard

You want to configure an audit policy to log all requests to the 'secrets' resource with the body at the 'RequestResponse' level. Other resources should be logged at 'Metadata' level. Which audit policy YAML snippet is correct?

A.
  rules:
  - level: Body
    resources: ["secrets"]
  - level: Metadata
    resources: ["*"]
B.
  apiVersion: audit.k8s.io/v1
  kind: Policy
  rules:
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["secrets"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["*"]
C.
  policies:
  - level: RequestResponse
    resources: ["secrets"]
  - level: Metadata
    resources: ["*"]
D.
  rules:
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["secrets"]
  - level: Metadata
    resources:
    - group: ""
      resources: ["*"]
Answer: B, D

Additionally includes apiVersion and kind, which are required. This is the correct complete YAML.

Why this answer

Options B and D are correct: both use a list of rules with a specific rule for secrets at RequestResponse level and a catch-all rule for other resources at Metadata level; option B additionally includes the apiVersion and kind headers. Option C uses an invalid 'policies' field name instead of 'rules'. Option A has an invalid 'level' value 'Body'.

24
MCQ · medium

A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would trigger an alert for such an event?

A. evt.type=open and proc.name=bash and fd.name=/etc/shadow
B. evt.type=open and fd.name contains /etc
C. evt.type=open and fd.name=/etc/shadow and evt.arg.flags contains O_WRONLY
D. evt.type=open and fd.name=/etc/shadow and evt.arg.flags contains O_RDONLY
Answer: D

Why this answer

Falco uses the open or openat system calls with flags indicating read access. The condition checks for a file descriptor opened for reading on /etc/shadow. Option D correctly uses evt.type=open and fd.name=/etc/shadow with a read-only flag. Option C checks for write access, Option B is too broad, Option A only matches a specific process.

25
MCQ · hard

A security team wants to detect any attempt to read /etc/shadow from within a container using Falco. Which condition in a Falco rule would match this behavior?

A. proc.name contains "shadow" and evt.type=read
B. evt.type=read and fd.name contains "shadow"
C. evt.type=open and fd.name=/etc/shadow
D. container and fd.name=/etc/shadow
Answer: C

Why this answer

The condition checks for an open system call on the file /etc/shadow.

26
Multi-Select · medium

Which TWO of the following are valid techniques to detect and respond to runtime incidents in a Kubernetes cluster? (Select TWO.)

Select 2 answers
A. Deleting the compromised pod immediately to stop the attack
B. Using crictl images to list container images on the node
C. Applying a NetworkPolicy to isolate a compromised pod
D. Using kubectl exec to gather forensic data from a running container
E. Running kubectl logs --previous to view logs of a terminated container
Answers: C, D

Correct. NetworkPolicy can deny all traffic to/from the pod.

Why this answer

'kubectl exec' can be used for forensics by executing commands inside a container. NetworkPolicy can isolate compromised pods. 'kubectl delete pod' removes evidence. 'crictl images' lists images, not running containers. 'kubectl logs --previous' shows logs of crashed pods but is not a response technique.

27
MCQ · easy

Which Falco rule priority is used to indicate a potentially malicious activity that should be investigated?

A. INFO
B. ERROR
C. DEBUG
D. WARNING
Answer: D

WARNING is the priority for potentially malicious activities that should be investigated.

Why this answer

Falco rule priorities are: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. WARNING is used for potentially malicious activities that warrant investigation.

28
MCQ · medium

You run 'kubectl exec -it <pod> -- /bin/sh' inside a pod that has an immutable root filesystem. What happens?

A. The command fails with an error because the container has an immutable root filesystem
B. The shell starts and can write to any directory because 'exec' bypasses the restriction
C. The shell starts successfully, but any attempt to write to the root filesystem will be denied
D. The pod is restarted with a writable filesystem
Answer: C

The shell can run, but writes to the root filesystem (e.g., creating files in /) will fail due to readOnlyRootFilesystem.

Why this answer

An immutable root filesystem (readOnlyRootFilesystem: true) prevents any writes to the container's root filesystem. However, /tmp is often a tmpfs mount that is writable, and /proc is a virtual filesystem. The exec command itself runs a process; it does not write to the filesystem.

The shell can still run, but any attempt to write to the root filesystem will fail.

29
MCQ · medium

You need to detect any attempt to read /etc/shadow inside a container using Falco. Which macro would you use in the condition?

A. open_write and fd.name=/etc/shadow
B. open_read and fd.name=/etc/shadow
C. syscall.type=open and fd.name=/etc/shadow
D. spawned_process and proc.name=cat
Answer: B

open_read matches read opens, and fd.name checks the file path.

Why this answer

The 'open_read' macro matches open syscalls with read access. The 'fd.name' field matches the file path. Combining them detects reads to /etc/shadow.

30
Multi-Select · medium

Which TWO of the following are valid audit levels in a Kubernetes audit policy? (Select TWO.)

Select 2 answers
A. Response
B. None
C. Metadata
D. Log
E. Full
Answers: B, C

Correct. None means do not log events.

Why this answer

Audit levels are None, Metadata, Request, RequestResponse. 'Full' is not valid; 'Response' is not a level; 'Log' is not a level.

31
MCQ · hard

A cluster has audit logging enabled with a policy that sets 'RequestResponse' level for all resources. The cluster is experiencing high etcd write load. Which change would reduce the load MOST effectively?

A. Change the policy level to 'Metadata' for high-volume resources
B. Add a rule to log 'RequestResponse' only for create and delete operations
C. Change the policy level to 'Request' for all resources
D. Set the audit log backend to 'webhook' instead of 'log'
Answer: A

Why this answer

RequestResponse logs the full request and response objects, which are large and increase load. Changing the level to Metadata reduces the amount of data written. Option A is correct.

Option B increases load. Option C captures even more data. Option D is not a valid stage to modify for reducing load.

32
Multi-Select · easy

Which TWO tools can be used to directly interact with the container runtime (without going through the Kubernetes API) for troubleshooting?

Select 2 answers
A. kubelet
B. docker
C. ctr
D. crictl
E. kubectl
Answers: C, D

Correct. ctr is a CLI for containerd, the underlying runtime.

Why this answer

crictl and ctr are CLI tools for interacting with the CRI-compatible container runtime (e.g., containerd). kubectl goes through the API server. docker is not typically used in Kubernetes nodes (unless using Docker as runtime).

33
Multi-Select · easy

Which TWO of the following are valid priority levels in Falco rules?

Select 2 answers
A. MEDIUM
B. LOW
C. WARNING
D. HIGH
E. CRITICAL
Answers: C, E

Correct: WARNING is a valid priority.

Why this answer

Falco priority levels include EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Option D (HIGH) is not a standard priority; the equivalent is CRITICAL. Option B (LOW) is not standard; the equivalents are NOTICE or INFO. Option A (MEDIUM) is not standard; the equivalents are WARNING or NOTICE.

34
MCQ · hard

You are investigating a pod suspected of being compromised. Which set of commands would provide the most useful forensic evidence without altering the container's state?

A. kubectl logs <pod> && kubectl describe pod <pod>
B. kubectl cp <pod>:/ -c <container> /tmp/forensic && kubectl logs <pod> --previous
C. kubectl exec <pod> -- cat /proc/1/cmdline && kubectl exec <pod> -- ls -la /
D. kubectl exec -it <pod> -- bash && kubectl exec <pod> -- cat /var/log/syslog
Answer: B

Correct. Copying the entire container filesystem preserves evidence without altering the running container, and --previous logs capture the terminated container's output.

Why this answer

Using 'kubectl exec' with '--' to run commands inside the container is invasive and may alter state. Using 'kubectl cp' to copy the container's filesystem out allows offline analysis without changing the running container. Option B is the most forensically sound approach.

35
Multi-Select · hard

Which THREE of the following are recommended steps during incident response for a compromised pod?

Select 3 answers
A. Apply a NetworkPolicy to isolate the pod
B. Restart the pod by deleting and recreating it
C. Delete the pod immediately to stop the attack
D. Use kubectl exec to collect running processes and network connections
E. Preserve the pod and its logs for investigation
Answers: A, D, E

Isolation prevents further damage.

Why this answer

Isolating the pod via NetworkPolicy, preserving evidence by not deleting the pod, and collecting forensic data using kubectl exec are recommended. Deleting the pod immediately and restarting it are not recommended as they destroy evidence.

36
MCQ · hard

A security incident occurred in a pod running in the 'default' namespace. You need to isolate the pod to prevent further damage while preserving evidence. Which set of commands would BEST achieve this?

A. kubectl label pod pod-name isolate=true
B. kubectl cordon node-name && kubectl drain node-name
C. kubectl apply -f networkpolicy.yaml (deny all ingress/egress) && kubectl exec -it pod-name -- bash
D. kubectl delete pod pod-name
Answer: C

Applies a NetworkPolicy to isolate the pod and uses exec to collect evidence.

Why this answer

Option C correctly isolates the pod by applying a NetworkPolicy that denies all ingress and egress, and then uses 'kubectl exec' to collect forensic data. Options A, B, and D either do not preserve evidence or fail to isolate the pod.

37
MCQ · hard

You need to detect any unexpected outbound connections from pods in the 'production' namespace. Which Falco rule condition is MOST appropriate?

A. evt.type=sendto and fd.sip != "0.0.0.0"
B. evt.type=connect and container.id != host and not fd.snet in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
C. container.id != host and evt.type=accept
D. proc.name = curl and evt.type=connect
Answer: B

This checks for connect syscalls from containers to non-private IPs, indicating outbound connections to the internet.

Why this answer

The condition should check for outbound connections (evt.type=connect) from a container (container.id != host) to external IPs (not RFC 1918 private ranges or loopback). Option B matches this.

38
MCQ · easy

Which crictl command is used to view logs from a specific container?

A. crictl exec <container-id>
B. crictl inspect <container-id>
C. crictl ps
D. crictl logs <container-id>
Answer: D

Why this answer

crictl logs <container-id> fetches logs from a container.

39
MCQ · medium

A security engineer wants to detect any attempt to spawn a shell inside a container. Which Falco rule condition would trigger on a shell being spawned in a container (e.g., /bin/bash or /bin/sh)?

A. spawned_process and container and proc.name in (bash, sh, zsh)
B. evt.type=open and fd.name contains /bin/bash
C. evt.type=execve and container and proc.name in (bash, sh, zsh)
D. proc.name = bash and container
Answer: A

Correctly uses 'spawned_process' to detect new process creation and filters on shell binaries within containers.

Why this answer

Falco uses syscall events. Container spawning a shell is detected by looking for spawned processes with a shell binary, excluding the container's own entrypoint. The condition 'spawned_process and container and proc.name in (bash, sh, zsh)' is correct.

40
MCQ · easy

Which audit policy level logs the request metadata and the request body?

A. None
B. Metadata
C. RequestResponse
D. Request
Answer: D

Request logs request metadata and request body.

Why this answer

The `Request` level logs metadata (like user, timestamp) and the request body. `Metadata` logs only metadata. `RequestResponse` logs metadata, request body, and response body. `None` logs nothing.

41
MCQ · medium

You need to configure Kubernetes audit logging to log all requests at the Metadata level for a specific namespace. Which audit policy level should you use?

A. Request
B. None
C. RequestResponse
D. Metadata
Answer: D

Metadata logs request metadata, which is appropriate for logging all requests.

Why this answer

Metadata level logs request metadata (user, timestamp, verb, resource) but not the request or response body. It is suitable for logging all requests without exposing sensitive data.

42
MCQ · easy

Which Kubernetes resource is used to define audit logging configuration?

A. A YAML file specified via `--audit-policy-file`
B. PodSecurityPolicy
C. ConfigMap in kube-system
D. AuditPolicy CRD
Answer: A

The audit policy is configured as a file on the apiserver's filesystem, specified by the `--audit-policy-file` flag.

Why this answer

The audit policy is defined in a YAML file and passed to the kube-apiserver via the `--audit-policy-file` flag. There is no CRD or ConfigMap standard; it's a plain file.

43
MCQ · hard

An incident responder needs to isolate a compromised pod immediately without deleting it. Which action should they take?

A. Modify the pod's labels to prevent it from receiving traffic
B. Delete the pod to stop its activity
C. Apply a NetworkPolicy that denies all traffic to and from the pod's labels
D. Scale down the deployment to zero replicas
Answer: C

Correct: A NetworkPolicy with empty podSelector and policyTypes: [Ingress, Egress] denies all traffic.

Why this answer

Applying a NetworkPolicy that denies all ingress and egress traffic to the pod isolates it from network communication while preserving the pod for forensic analysis. Option B (deleting the pod) removes evidence. Option D (scaling down) is not immediate. Option A (changing labels) may not be sufficient.

44
Multi-Select · hard

Which TWO Falco priority levels are correctly ordered from lowest to highest severity? (Choose two correct sequences)

Select 3 answers
A. WARNING, ERROR, CRITICAL, ALERT, EMERGENCY
B. DEBUG, INFORMATIONAL, NOTICE, WARNING
C. INFORMATIONAL, NOTICE, DEBUG, WARNING
D. ALERT, CRITICAL, ERROR, WARNING
E. NOTICE, WARNING, ERROR, CRITICAL
Answers: A, B, E

This is correct ascending order from WARNING to EMERGENCY.

Why this answer

The correct order from lowest to highest is: DEBUG, INFORMATIONAL, NOTICE, WARNING, ERROR, CRITICAL, ALERT, EMERGENCY. Sequences must be in ascending order. Option B is in the correct order. Option E is also correct because NOTICE < WARNING < ERROR < CRITICAL.

45
MCQ · easy

Falco detects a shell being opened inside a container. Which Falco rule field is used to specify the syscall condition for detection?

A. condition
B. priority
C. output
D. rule
Answer: A

condition contains the syscall filter expression.

Why this answer

The 'condition' field in a Falco rule defines the syscall filter expression that triggers the alert.

46
MCQ · hard

An administrator wants to set an immutable root filesystem for a container in a Pod. Which securityContext field should be set to true?

A. allowPrivilegeEscalation
B. readOnlyRootFilesystem
C. runAsNonRoot
D. privileged
Answer: B

Setting readOnlyRootFilesystem to true makes the root filesystem immutable.

Why this answer

The 'readOnlyRootFilesystem' field, when true, mounts the container's root filesystem as read-only, preventing writes.

47
MCQ · hard

You need to enable Kubernetes audit logging with the following requirements: log all requests at the 'RequestResponse' level, but only for successful responses. Which audit stage should you specify in the policy?

A. Panic
B. ResponseComplete
C. ResponseStarted
D. RequestReceived
Answer: B

Correct. This stage fires after the entire response is sent, capturing the full response.

Why this answer

To capture both request and response for successful requests, you want events after the response is complete. The 'ResponseComplete' stage fires after the response is sent. 'RequestResponse' is not a stage; it's a level.

48
MCQ · medium

You need to configure a Kubernetes Pod to have an immutable root filesystem. Which field should you set in the Pod spec?

A. spec.hostPID: true
B. securityContext.allowPrivilegeEscalation: false
C. securityContext.runAsUser: 1000
D. securityContext.readOnlyRootFilesystem: true
Answer: D

Correct: This setting makes the root filesystem read-only, preventing writes.

Why this answer

The 'securityContext.readOnlyRootFilesystem' field, when set to true, makes the container's root filesystem read-only. Option C is for running as a specific user. Option B is about privilege escalation. Option A is for sharing the host's PID namespace.

49
MCQ · medium

A developer reports that a pod cannot reach an external database at 192.168.1.100:3306. The pod's namespace is 'app'. You need to create a NetworkPolicy that allows egress to that IP only. Which policy is correct?

A.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-egress
    namespace: app
  spec:
    podSelector: {}
    egress:
    - to:
      - ipBlock:
          cidr: 192.168.1.100/32
    policyTypes:
    - Egress
B.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-egress
    namespace: app
  spec:
    podSelector:
      matchLabels:
        app: myapp
    egress:
    - to:
      - ipBlock:
          cidr: 192.168.1.100/32
    policyTypes:
    - Egress
C.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-egress
    namespace: app
  spec:
    podSelector: {}
    ingress:
    - from:
      - ipBlock:
          cidr: 192.168.1.100/32
    policyTypes:
    - Ingress
D.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-egress
    namespace: app
  spec:
    podSelector: {}
    egress:
    - to:
      - ipBlock:
          cidr: 192.168.1.100/32
      ports:
      - port: 3306
        protocol: TCP
    policyTypes:
    - Egress
Answer: D

Why this answer

The NetworkPolicy must allow egress to the specific IP and port. Option D uses podSelector: {} to apply to all pods in the namespace and an egress rule to the destination IP and port. Option A is missing the port specification. Option B applies only to pods with label 'app: myapp', not all pods. Option C uses an ingress rule where egress is needed.

50
MCQeasy

You need to enable audit logging for the Kubernetes API server to capture all requests at the RequestResponse level. Which flag should you add to the kube-apiserver configuration?

A.--audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml
B.--audit-policy-file=/etc/kubernetes/audit-policy.yaml
C.--audit-log-path=/var/log/audit.log
D.--authorization-mode=RBAC
AnswerB

Correct: This flag specifies the audit policy file.

Why this answer

The --audit-policy-file flag tells the API server to use a specific audit policy file. The other options are incorrect: --audit-log-path is for the log file location, --audit-webhook-config-file is for webhook configuration, and --authorization-mode is for authorization.

51
MCQeasy

You want to run crictl to list all running containers on a node. Which command should you execute?

A.crictl ps
B.crictl stats
C.crictl images
D.crictl pods
AnswerA

Why this answer

crictl ps lists containers; by default it shows only running ones, so Option A is correct.

Option B shows stats; Option C shows images; Option D shows pods.

52
MCQmedium

You are investigating a compromised pod. You suspect the attacker used 'kubectl exec' to gain shell access. Which command can you use to check the audit logs for exec events?

A.kubectl exec -it pod-name -- cat /var/log/audit/audit.log
B.kubectl get events
C.kubectl logs --audit
D.kubectl describe pod pod-name
AnswerA

This reads the audit log file from the pod's node if the log is accessible, but audit logs are typically on the API server node. However, among the options, this is the most direct way to view audit log content.

Why this answer

The kubectl logs command fetches logs from a pod, but audit logs are stored on the API server. To view audit logs, you typically read the audit log file (e.g., /var/log/audit/audit.log on the master node) or use a log aggregation tool. kubectl get events shows Kubernetes events, not audit logs.

53
MCQeasy

Which stage of the Kubernetes API request processing should be audited to capture the final response sent to the client?

A.ResponseStarted
B.Panic
C.ResponseComplete
D.RequestReceived
AnswerC

This stage occurs after the full response has been sent.

Why this answer

ResponseComplete is the stage after the response has been sent.

54
MCQhard

A security team suspects a compromised pod is making unexpected outbound connections to an external IP. Which of the following is the BEST first step to investigate the network traffic from that pod?

A.Deploy Falco with a rule to detect outbound connections
B.Create a NetworkPolicy to deny all egress traffic
C.Run 'kubectl exec <pod> -- tcpdump -i eth0' to capture packets
D.Check the pod's logs using 'kubectl logs <pod>'
AnswerC

Correct: tcpdump inside the pod provides detailed network traffic capture.

Why this answer

Using 'kubectl exec' with tools like tcpdump or netstat allows you to inspect network connections from within the pod. Option D is plausible but not as direct. Option A (Falco) is for runtime security but not specifically for network traffic analysis.

Option B is about blocking, not investigation.

55
MCQhard

You are writing a Falco rule to detect when a container tries to read the file `/etc/shadow`. Which condition in the Falco rule correctly matches this event?

A.container.name=shadow and evt.type=open
B.evt.type=read and fd.name=/etc/shadow
C.proc.name=cat and fd.name=/etc/shadow
D.evt.type=open and fd.name=/etc/shadow
AnswerD

The open syscall is used to open files, and fd.name contains the file path. This correctly detects attempts to open /etc/shadow.

Why this answer

Falco uses `evt.type` for the syscall type (e.g., open, openat, read) and `fd.name` for the file path. The `open` syscall is typically used to open files; reading can also happen via `openat` or `read`. Option D is correct because it checks for the open syscall and the file path.

Option B checks for the `read` syscall, but `fd.name` may not be available for read events. Option C uses `proc.name`, which is the process name, not the file. Option A uses `container.name`, which is not relevant.

56
MCQmedium

An administrator runs 'falco --list' and sees many default rules. What is the correct way to load a custom Falco rules file?

A.falco --load /path/to/rules.yaml
B.falco --rules /path/to/rules.yaml
C.falco -r /path/to/rules.yaml
D.falco --config /path/to/rules.yaml
AnswerC

Why this answer

Use the -r flag to load a custom rules file.

57
MCQmedium

You are investigating a pod that may have been compromised. Which kubectl command allows you to run a shell inside the running container without overwriting the container's filesystem?

A.kubectl exec -it pod-name -- /bin/bash
B.kubectl debug pod-name --image=busybox
C.kubectl run -it --image=busybox sh
D.kubectl attach pod-name
AnswerA

This starts an interactive shell inside the running container.

Why this answer

kubectl exec with -it and -- /bin/bash gives an interactive shell without modifying the container's filesystem.

58
MCQeasy

Which kubectl command can be used to exec into a running container for forensic analysis during an incident response?

A.kubectl exec -it <pod> -- /bin/sh
B.kubectl run --stdin --tty --image=busybox
C.kubectl logs <pod>
D.kubectl attach <pod>
AnswerA

Why this answer

The correct command is kubectl exec -it <pod> -- /bin/sh, which starts an interactive shell in the container.

59
MCQeasy

A security team wants to detect any attempt to open /etc/shadow in a container. Which Falco rule condition field is MOST appropriate?

A.proc.name contains 'shadow'
B.container.id != host and fd.name=/etc/shadow
C.evt.type in (open, openat) and fd.name=/etc/shadow
D.evt.type=read and fd.name=/etc/shadow
AnswerC

This checks for open or openat syscalls on the file /etc/shadow, which is the standard way to detect file access.

Why this answer

Falco uses the 'evt.type' field to match system call events, and 'fd.name' to match the file descriptor name. Option C correctly checks for open or openat syscalls whose target file name is /etc/shadow.

60
MCQmedium

A security policy requires that all pods in a namespace must run with a read-only root filesystem. Which admission controller can enforce this?

A.ResourceQuota
B.MutatingAdmissionWebhook
C.PodSecurityPolicy
D.ValidatingAdmissionPolicy
AnswerD

Correct. This is a built-in admission controller that can enforce custom policies including read-only filesystem.

Why this answer

PodSecurityPolicy is deprecated. The modern approach is to use a ValidatingAdmissionPolicy or an OPA/Gatekeeper policy. Among the options, only 'ValidatingAdmissionPolicy' is a built-in admission controller that can enforce such policies.

61
MCQmedium

You suspect a container has been compromised. You want to preserve the container's filesystem for forensic analysis before terminating the pod. Which approach should you use?

A.Exec into the container and delete suspicious files
B.Restart the kubelet on the node
C.Use kubectl cp to copy files from the container to a safe location
D.Immediately delete the pod to stop the attack
AnswerC

Correct. This preserves the filesystem for analysis.

Why this answer

To preserve evidence, you should not delete the pod immediately. Instead, use kubectl cp or a sidecar to copy files, or create a snapshot. But the simplest non-destructive step is to copy files from the container using 'kubectl cp' before deletion.

62
MCQhard

During a security incident, you need to snapshot the processes running inside a container without using kubectl exec. Which crictl command sequence can you use?

A.crictl pods and then crictl ps -a
B.crictl images and then crictl run <image>
C.crictl ps and then crictl exec <container-id> ps aux
D.crictl ps and then crictl inspect <container-id>
AnswerC

This lists running containers and then executes ps aux inside a specific container to snapshot processes.

Why this answer

crictl ps lists containers, then crictl exec (or crictl exec -i -t) runs a command in a container. However, crictl does not have a 'top' command; you would use ps inside the container. The question asks for a command sequence.

Option C is the most direct: list containers, then exec ps aux.

63
MCQmedium

Which crictl command is used to view the logs of a specific container in a node?

A.crictl logs <container-id>
B.crictl exec -it <container-id> sh
C.crictl pods
D.crictl ps -a
AnswerA

Correct: This command fetches logs.

Why this answer

'crictl logs <container-id>' retrieves the logs of a container. Option C lists pods, option D lists containers, and option B executes a command in a container.

64
MCQmedium

An audit policy is configured with level: Request. Which operations are recorded in the audit log?

A.Nothing, only the fact that a request occurred
B.Request metadata and the request body
C.Request and response metadata and bodies
D.Only metadata about the request
AnswerB

Request level includes metadata and request body.

Why this answer

Request level logs only the request metadata and request object, not the response.

65
MCQmedium

Which crictl command can you use to view the logs of a specific container?

A.crictl inspect <container-id>
B.crictl exec <container-id> cat /var/log/syslog
C.crictl ps
D.crictl logs <container-id>
AnswerD

Correct. crictl logs retrieves the logs of the specified container.

Why this answer

crictl logs is the equivalent of 'kubectl logs' but uses the container ID. It outputs the container's stdout/stderr.

66
MCQmedium

A developer wants to ensure that a pod can only receive traffic from pods with label 'app: frontend' in the same namespace. Which NetworkPolicy egress rule should be applied to the source pods?

A.Apply an egress rule on the target pod with 'to' podSelector matching 'app: frontend'
B.Apply an egress rule on the source pods with 'to' podSelector matching the target pod
C.Apply an ingress rule on the source pods with 'from' podSelector matching the target pod
D.Apply an ingress rule on the target pod with 'from' podSelector matching 'app: frontend'
AnswerD

Correct. Ingress rules on the target pod control which sources can send traffic to it.

Why this answer

This scenario requires allowing ingress to the target pod from sources with the label 'app: frontend'. A NetworkPolicy with a podSelector matching the target and an ingress rule from pods with the label 'app: frontend' in the same namespace would work. Although the question is phrased in terms of an egress rule on the source pods, the restriction is typically applied as an ingress rule on the target.

Option D is correct: an ingress rule on the target pod with a 'from' selector for 'app: frontend'.

67
Multi-Selecthard

Which THREE of the following are recommended incident response steps when a container is compromised?

Select 3 answers
A.Ignore the incident and monitor for further activity
B.Copy the container's filesystem using kubectl cp for offline analysis
C.Capture the container logs using kubectl logs
D.Apply a NetworkPolicy to isolate the pod
E.Immediately terminate the pod to contain the threat
AnswersB, C, D

Correct. This preserves evidence without altering the running container.

Why this answer

Isolating the pod via NetworkPolicy, preserving evidence by copying the filesystem, and capturing logs are key steps. Terminating the pod immediately may lose evidence, and ignoring is not recommended.

68
MCQeasy

You need to configure the Kubernetes API server to log all requests at the Metadata level. Which flag should you use when starting kube-apiserver?

A.--audit-log-level=Metadata
B.--audit-policy-file=/etc/kubernetes/audit-policy.yaml
C.--audit-webhook-mode=Metadata
D.--audit-log-path=/var/log/audit.log
AnswerB

Why this answer

The --audit-policy-file flag points to a YAML file that defines the audit policy. The policy file specifies the level for different resources. Option B is correct.

Option A is not a valid flag; Option C sets a different level; Option D is used to set the audit log path.

69
MCQhard

During a security incident, you need to isolate a compromised pod named 'malicious-pod' in namespace 'default' to prevent it from communicating with other pods. Which command should you run?

A.kubectl run networkpolicy --image=nginx --restart=Never
B.kubectl delete pod malicious-pod
C.kubectl apply -f networkpolicy.yaml
D.kubectl create networkpolicy isolate --pod-selector=app=malicious --policy-types=Ingress,Egress
AnswerC

Correct. You must write a NetworkPolicy YAML that selects the malicious pod and denies all traffic, then apply it.

Why this answer

Pod isolation is achieved by applying a NetworkPolicy that denies ingress/egress traffic. 'kubectl apply -f networkpolicy.yaml' applies the policy. The policy must be written to deny all traffic.

70
MCQmedium

A security admin needs to audit all API requests to the Kubernetes API server. Which audit policy level logs the request body and response body?

A.Request
B.None
C.RequestResponse
D.Metadata
AnswerC

RequestResponse logs both request and response bodies.

Why this answer

The RequestResponse level logs both request and response bodies. Metadata only logs metadata, Request logs request body, and None disables audit logging.

71
Multi-Selectmedium

Which TWO of the following are valid Falco output fields?

Select 2 answers
A.%pod.name
B.%fd.name
C.%k8s.ns
D.%evt.type
E.%proc.name
AnswersD, E

Both %evt.type and %proc.name are valid output fields.

Why this answer

Falco output fields include %evt.type, %proc.name, %container.id, %fd.name etc.

72
MCQmedium

A Falco rule is configured to detect privilege escalation via setuid binaries. Which syscall is commonly associated with this activity?

A.connect
B.setuid
C.open
D.execve
AnswerB

Why this answer

The setuid and setgid syscalls are used to change user/group IDs, a common privilege escalation vector. Option B is correct. Option C (open) is a file operation.

Option A (connect) is a network operation. Option D (execve) is process execution.

73
MCQmedium

You suspect a pod is making unexpected outbound connections. Which tool can you use to inspect network connections from within the container?

A.kubectl port-forward
B.crictl exec
C.falco
D.kubectl logs
AnswerB

crictl exec can run ss or netstat inside the container.

Why this answer

crictl exec allows running commands inside a container using the container runtime interface.

74
MCQeasy

Which Kubernetes resource can be used to enforce that a container's filesystem is read-only?

A.ResourceQuota
B.PodSecurityPolicy
C.SecurityContext
D.NetworkPolicy
AnswerC

SecurityContext with readOnlyRootFilesystem: true makes the container filesystem read-only.

Why this answer

The SecurityContext at the container level has a 'readOnlyRootFilesystem' field. When set to true, the container's root filesystem is read-only.

75
MCQmedium

You are investigating a security incident where a container ran a shell inside a pod. Which Falco rule condition would trigger on a shell spawned in a container?

A.evt.type=clone and proc.name = 'shell'
B.evt.type=execve and proc.name contains 'sh'
C.proc.name in (sh, bash)
D.container.id != host and proc.name = shell
AnswerC

Correct: Falco conditions check process names to detect shell execution.

Why this answer

Falco uses syscalls to detect events. The condition 'proc.name in (sh, bash)' matches processes named sh or bash, which are common shells. Option D is incorrect: Falco does have a 'container.id' field, but the condition should be about the process name.

Option B is too broad. Option A is not the typical way to detect shell execution.
