CKS · topic practice

Monitoring, Logging and Runtime Security practice questions

Practise Certified Kubernetes Security Specialist CKS Monitoring, Logging and Runtime Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Monitoring, Logging and Runtime Security

What the exam tests

What to know about Monitoring, Logging and Runtime Security

Monitoring, Logging and Runtime Security questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Monitoring, Logging and Runtime Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Monitoring, Logging and Runtime Security questions

20 questions · select your answer, then reveal the explanation

You are investigating a pod that is suspected of being compromised. You need to preserve the container's filesystem for forensic analysis. Which `crictl` command should you use to export the container's filesystem as a tar archive?

A Falco rule is written to detect when a shell is spawned inside a container. The rule condition is: `spawned_process and container and proc.name = bash`. The rule is not triggering. Which of the following is the most likely reason?

You are configuring Kubernetes audit logging. You want to log all requests to the `secrets` resource in the `kube-system` namespace at the `RequestResponse` level, while logging all other requests at the `Metadata` level. Which audit policy configuration achieves this?

You have deployed a pod and set `securityContext.readOnlyRootFilesystem: true`. The pod is failing to start with an error about writing to `/tmp`. What is the most likely cause?

An administrator runs `kubectl exec -it nginx-pod -- sh` and inside the container runs `curl http://example.com`. This succeeds. However, the administrator wants to detect such outbound connections using Falco. Which syscall should Falco monitor to detect this network connection?

You are writing a Falco rule to detect when a container tries to read the file `/etc/shadow`. Which condition in the Falco rule correctly matches this event?

You are responding to a security incident where a pod named `compromised-pod` in namespace `default` is suspected of being used for cryptocurrency mining. You need to immediately isolate the pod from the network while preserving evidence. Which command sequence should you use?

Which Kubernetes resource is used to define audit logging configuration?

A Falco rule has priority `WARNING` and output: `Sensitive file opened (user=%user.name command=%proc.cmdline file=%fd.name)`. The rule is triggering correctly. You want to reduce noise from legitimate administrative activity. What is the best approach?

You need to ensure that all containers in a pod cannot write to their root filesystem except for a specific directory `/data`. You set `securityContext.readOnlyRootFilesystem: true` and mount an emptyDir volume at `/data`. However, the container still cannot write to `/data`. What is the most likely cause?

You are using `crictl` to debug a container that is not responding. Which command should you use to get the list of running containers?

Which audit policy level logs the request metadata and the request body?

Which TWO of the following are valid audit stages in Kubernetes? (Select 2)

Which THREE of the following are common indicators of a container compromise that Falco can detect? (Select 3)

Which TWO are valid stages in a Kubernetes audit event? (Select 2)

An administrator runs 'falco --list' and sees many default rules. What is the correct way to load a custom Falco rules file?

A security team wants to detect any attempt to read /etc/shadow from within a container using Falco. Which condition in a Falco rule would match this behavior?

You run 'crictl ps' and see no output, but the node has running pods. What is the most likely cause?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Monitoring, Logging and Runtime Security sessions

Start a Monitoring, Logging and Runtime Security only practice session

Every question in these sessions is drawn from the Monitoring, Logging and Runtime Security domain — nothing else.

Related practice questions

Related CKS topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CKS exam test about Monitoring, Logging and Runtime Security?
Monitoring, Logging and Runtime Security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Monitoring, Logging and Runtime Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Monitoring, Logging and Runtime Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CKS topics?
Use the topic links above to move to related areas, or go back to the CKS question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CKS exam covers. They are not copied from any real exam or dump site.