CCNA Cks Monitoring Runtime Questions

22 of 172 questions · Page 3/3 · Cks Monitoring Runtime topic · Answers revealed

151
Multi-Selecthard

Which THREE of the following are capabilities required for a Falco rule to detect privilege escalation via setuid binary execution? (Choose three.)

Select 3 answers
A.fd.name contains /dev/tcp
B.proc.name in (su, sudo)
C.proc.uid=0
D.evt.type=execve
E.evt.type=open
AnswersB, C, D

Common setuid binaries for privilege escalation.

Why this answer

Falco detects privilege escalation by monitoring the 'execve' syscall, the process name (e.g., 'su', 'sudo'), and the user ID changes (e.g., 'proc.uid'). Options A, B, and E are relevant. Option C (network) is not directly related.

Option D (file modification) is not directly about execution.

152
MCQmedium

A Falco rule has priority `WARNING` and output: `Sensitive file opened (user=%user.name command=%proc.cmdline file=%fd.name)`. The rule is triggering correctly. You want to reduce noise from legitimate administrative activity. What is the best approach?

A.Add an exception to the rule to exclude known admin commands
B.Modify the rule condition to add `and not user.name in (admin, root)`
C.Change the rule priority to `INFO`
D.Disable the rule
AnswerA

Falco rule exceptions allow you to specify conditions under which the rule should not trigger, effectively filtering out known good activity.

Why this answer

Falco supports rule exceptions to filter out specific conditions. Adding an exception allows you to exclude known legitimate commands without disabling the rule entirely. Option B modifies the rule condition to ignore certain users, but exceptions are more flexible.

Option C changes priority, but does not reduce noise. Option D disables the rule entirely.

153
MCQmedium

You suspect a container has been compromised and want to perform forensics using kubectl exec. Which command safely collects the container's process list without affecting the container?

A.kubectl attach <pod>
B.kubectl exec <pod> -- ps aux
C.kubectl cp /proc <pod>:/tmp
D.kubectl exec -it <pod> -- /bin/sh
AnswerB

This runs ps aux non-interactively, collecting process list without modifying the container.

Why this answer

kubectl exec with -- ps aux runs the ps command inside the container, capturing processes without altering the container state.

154
MCQmedium

You suspect a container has been compromised. You run 'kubectl exec -it <pod> -- bash' to investigate. Which of the following is the BEST next step to preserve evidence?

A.Use 'kubectl cp' to copy files from the container to a secure location, and 'kubectl logs' to capture log output
B.Install forensic tools inside the container using apt-get
C.Run 'kubectl exec' to capture memory dumps
D.Delete the pod and create a new one for analysis
AnswerA

Why this answer

To preserve evidence, you should first capture the container's filesystem and logs before making changes. Option D creates a tar archive of the container's filesystem from the host. Option A might alter the container state if you install tools.

Option B uses exec which can change in-memory state. Option C would reset the container, losing evidence.

155
MCQeasy

You are using crictl to debug a container. Which command lists all running containers on the node?

A.crictl containers
B.crictl ps
C.crictl get pods
D.crictl list
AnswerB

Correct. crictl ps lists containers.

Why this answer

crictl ps lists containers managed by the CRI runtime. It's analogous to 'docker ps'.

156
MCQhard

You need to ensure a container's filesystem is immutable at runtime except for a temporary volume. Which Pod spec configuration achieves this?

A.containers: - name: app securityContext: runAsNonRoot: true volumeMounts: - mountPath: /tmp name: scratch volumes: - name: scratch emptyDir: {}
B.containers: - name: app securityContext: readOnlyRootFilesystem: true volumeMounts: - mountPath: /tmp name: scratch volumes: - name: scratch emptyDir: {}
C.containers: - name: app securityContext: readOnlyRootFilesystem: false
D.containers: - name: app securityContext: readOnlyRootFilesystem: true volumeMounts: - mountPath: /tmp name: scratch volumes: - name: scratch hostPath: path: /tmp
AnswerB

readOnlyRootFilesystem makes rootfs read-only; emptyDir provides writable tmpfs.

Why this answer

Setting readOnlyRootFilesystem: true and mounting an emptyDir volume for writes allows immutability with a writable scratch space.

157
Multi-Selecthard

Which THREE of the following are valid Falco rule priorities? (Select THREE.)

Select 3 answers
A.CRITICAL
B.EMERGENCY
C.ALERT
D.HIGH
E.MEDIUM
AnswersA, B, C

Correct.

Why this answer

Falco defines priorities: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. 'HIGH', 'MEDIUM', 'LOW' are not standard Falco priorities.

158
Multi-Selectmedium

Which TWO of the following are valid audit stages in Kubernetes audit logging? (Choose two)

Select 2 answers
A.ResponseStarted
B.RequestReceived
C.ResponseFinished
D.RequestProcessing
E.AuthorizationChecked
AnswersA, B

Valid audit stage.

Why this answer

The valid audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. Options B and D are correct.

159
MCQhard

An audit policy is configured with the following rule: - level: Metadata resources: - group: "" resources: ["secrets"] What does this rule log for requests to the Secrets API?

A.The full request and response body
B.Metadata about the request, excluding the body
C.Nothing, because secrets are excluded by default
D.The request body only
AnswerB

Correct: Metadata level logs metadata only.

Why this answer

The 'Metadata' level logs request metadata (user, timestamp, resource) but not the request or response body. Option A is RequestResponse level. Option C is Request level.

Option D is None.

160
MCQeasy

You need to configure the Kubernetes API server to enable audit logging at the 'Metadata' level for all requests. Which flag should be used when starting the kube-apiserver?

A.--feature-gates=Auditing=true
B.--audit-log-path=/var/log/audit.log
C.--audit-policy-file=/etc/kubernetes/audit-policy.yaml
D.--audit-log-maxsize=100
AnswerC

Correct. The audit policy file is required to enable audit logging and define levels.

Why this answer

Audit logging is enabled by specifying --audit-policy-file pointing to a policy file. The policy file defines the level. The flag itself is --audit-policy-file.

161
MCQmedium

A pod has securityContext.readOnlyRootFilesystem: true. What happens if a process inside the container tries to write to the root filesystem?

A.The write will succeed because tmpfs is used
B.The write will fail with an error
C.The kernel will allow the write but log it
D.The pod will be restarted
AnswerB

Why this answer

The write will fail because the root filesystem is read-only.

162
MCQhard

You have a Falco rule that triggers on 'spawned a shell in a container'. The rule is firing too many false positives. Which field in the Falco rule could you modify to reduce false positives?

A.filter
B.output
C.format
D.priority
AnswerD

Why this answer

Falco rules have an 'output' field for message, but the 'priority' field allows you to set the severity (e.g., WARNING, CRITICAL). Changing the priority helps filter alerts. Option C is correct.

Option A is about the message text. Option B is not a standard field. Option D is used to specify the rule output format.

163
Multi-Selecteasy

Which TWO tools can be used to directly interact with a container runtime on a Kubernetes node without using kubectl?

Select 2 answers
A.systemctl
B.kubectl
C.ctr
D.docker
E.crictl
AnswersC, E

ctr is a CLI for containerd.

Why this answer

crictl and ctr are CLI tools for interacting with CRI-compatible container runtimes. kubectl and docker are not available on nodes by default; docker is not always the runtime.

164
MCQmedium

Which audit stage in Kubernetes audit logging captures the stage after a request is processed and before a response is sent?

A.ResponseComplete
B.Panic
C.RequestReceived
D.ResponseStarted
AnswerD

Why this answer

ResponseStarted captures the stage after the request is processed but before the response body is sent.

165
MCQeasy

Which kubectl command can be used to view the live logs of a container in a pod named 'my-pod'?

A.kubectl attach my-pod
B.kubectl logs my-pod --tail 10
C.kubectl logs -f my-pod
D.kubectl exec my-pod -- journalctl
AnswerC

Correct: -f follows log output.

Why this answer

The correct command is 'kubectl logs -f my-pod'. The -f flag streams logs in real time.

166
MCQmedium

A pod named 'compromised-pod' is suspected of making unauthorized outbound connections. You want to isolate the pod using a NetworkPolicy. Which policy correctly denies all egress traffic from the pod?

A.NetworkPolicy with podSelector: {} and egress: [{to: [{ipBlock: {cidr: 0.0.0.0/0}}]}]
B.NetworkPolicy with podSelector: matchLabels: app: compromised and policyTypes: ["Ingress"]
C.NetworkPolicy with podSelector: matchLabels: app: compromised and egress: []
D.NetworkPolicy with podSelector: matchLabels: app: compromised and egress: [{to: [{podSelector: {}}]}]
AnswerC

Correct: empty egress list denies all egress from the selected pod.

Why this answer

To deny all egress traffic, a NetworkPolicy must have podSelector matching the pod and an empty egress rules list (or a rule with no to). Option B matches the pod and has no egress rules, defaulting to deny.

167
MCQmedium

Which Falco rule condition would detect an attempt to read the /etc/shadow file in a container?

A.evt.type=open and fd.name=/etc/shadow
B.evt.type=write and fd.name=/etc/shadow
C.evt.type=read and fd.name=/etc/shadow
D.evt.type=execve and proc.name=shadow
AnswerA

This condition correctly matches open syscalls on /etc/shadow.

Why this answer

Falco uses conditions like 'evt.type=open' and 'fd.name=/etc/shadow' to detect file access. The open syscall is used for opening files.

168
MCQmedium

A NodePort service is not accessible from outside the cluster. Which command should you use to check if the service's endpoints are correctly populated?

A.kubectl get svc <service-name> -o yaml
B.kubectl get pods -l <selector>
C.kubectl describe service <service-name>
D.kubectl get endpoints <service-name>
AnswerD

This command shows the endpoints (pod IPs) associated with the service.

Why this answer

kubectl get endpoints lists the endpoints for a service, showing the IPs and ports of the pods backing the service. If endpoints are missing, the service won't route traffic.

169
MCQmedium

An administrator runs `kubectl exec -it nginx-pod -- sh` and inside the container runs `curl http://example.com`. This succeeds. However, the administrator wants to detect such outbound connections using Falco. Which syscall should Falco monitor to detect this network connection?

A.open
B.connect
C.execve
D.bind
AnswerB

The connect syscall is used to initiate a connection to a remote socket, making it appropriate for detecting outbound connections.

Why this answer

Falco monitors system calls. Establishing an outbound TCP connection involves the `connect` syscall. Other syscalls like `open`, `execve`, `bind` are not directly related to initiating outbound connections.

170
Multi-Selecthard

Which THREE of the following are recommended steps when responding to a compromised pod?

Select 3 answers
A.Immediately delete the pod to stop the attack
B.Scale the deployment replicas to zero to stop the pod
C.Run kubectl exec to investigate the container's state
D.Isolate the pod using a NetworkPolicy that denies all egress
E.Capture a snapshot of the container's filesystem using kubectl cp
AnswersB, D, E

Scaling to zero stops the pod without deleting it, preserving evidence.

Why this answer

Isolating the pod via NetworkPolicy, capturing a forensic snapshot (e.g., using kubectl cp), and scaling replicas to zero are all valid steps. Deleting the pod immediately may destroy evidence. Running commands inside the pod could alter state.

171
MCQmedium

You are investigating a compromised pod. You need to capture the contents of a file in the container without modifying the container. Which kubectl command should you use?

A.kubectl logs <pod>
B.kubectl cp <pod>:/etc/passwd ./passwd
C.kubectl exec <pod> -- cat /etc/passwd
D.kubectl describe pod <pod>
AnswerB

kubectl cp copies the file from the container to the local machine without executing anything inside the container.

Why this answer

kubectl cp copies files/folders between a container and the local filesystem, allowing you to extract evidence without running commands inside the container.

172
Multi-Selecthard

Which THREE of the following are true about Kubernetes audit logging?

Select 2 answers
A.Audit logging can be enabled without restarting the API server
B.Audit stages include 'RequestReceived', 'ResponseStarted', 'ResponseComplete', and 'Panic'
C.The audit policy file is passed to the API server via the --audit-policy-file flag
D.The 'Request' level logs both request and response bodies
E.The 'Metadata' level logs the request body
AnswersB, C

Correct.

Why this answer

Audit policy levels are None, Metadata, Request, RequestResponse. Stages include RequestReceived, ResponseStarted, ResponseComplete, Panic. The audit policy file is specified via --audit-policy-file flag.

← PreviousPage 3 of 3 · 172 questions total

Ready to test yourself?

Try a timed practice session using only Cks Monitoring Runtime questions.