A security team wants to detect anomalous process executions in containers without modifying the container images or requiring agents inside containers. Which approach is most suitable?
- A
Configure CRI-O to log all container process starts to syslog.
Why wrong: CRI-O does not provide process-level logging; adding it would require modifying the runtime.
- B
Deploy Falco as a DaemonSet using the eBPF probe to monitor system calls.
Why correct: Falco runs on the host node and observes syscalls from all containers, so it can detect anomalous process executions without modifying images or placing an agent inside the containers.
- C
Enable Kubernetes audit logging and parse the logs for process events.
Why wrong: Audit logs capture API server requests, not the syscalls made by processes inside containers.
- D
Use OPA Gatekeeper to enforce allowed process lists in pod specs.
Why wrong: OPA/Gatekeeper validates pod specs at admission time; it does not observe or control process execution at runtime.