Linux Foundation CKS Exam - Topic 1 Question 18 Discussion

Actual exam question for Linux Foundation's CKS exam
Question #: 18
Topic #: 1

On the Cluster worker node, enforce the prepared AppArmor profile

#include

profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  #include

  network inet tcp,
  network inet udp,
  network inet icmp,

  deny network raw,
  deny network packet,

  file,
  umount,

  deny /bin/** wl,
  deny /boot/** wl,
  deny /dev/** wl,
  deny /etc/** wl,
  deny /home/** wl,
  deny /lib/** wl,
  deny /lib64/** wl,
  deny /media/** wl,
  deny /mnt/** wl,
  deny /opt/** wl,
  deny /proc/** wl,
  deny /root/** wl,
  deny /sbin/** wl,
  deny /srv/** wl,
  deny /tmp/** wl,
  deny /sys/** wl,
  deny /usr/** wl,

  audit /** w,

  /var/run/nginx.pid w,

  /usr/sbin/nginx ix,

  deny /bin/dash mrwklx,
  deny /bin/sh mrwklx,
  deny /usr/bin/top mrwklx,

  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc//** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,   # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,   # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}

Edit the prepared manifest file to include the AppArmor profile.

apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
spec:
  containers:
  - name: apparmor-pod
    image: nginx

Finally, apply the manifest file to create the Pod it specifies.

Verify: try to use the commands ping, top and sh.
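The three steps of the task, carried out as one shell script. This is an added example, not part of the exam question or of any Linux Foundation material. It assumes the prepared profile is saved on the worker node as /etc/apparmor.d/docker-nginx in complete form (the #include targets do not survive on this page), that the prepared manifest is written to ./apparmor-pod.yaml, and that kubectl on the node is pointed at the cluster. Before loading, it also checks the profile text for the three rules that the verification step exercises, so a profile that was edited incorrectly is caught before a Pod is created.

```shell
#!/bin/sh
# Added example (not from the exam page): enforce the prepared AppArmor profile,
# attach it to the Pod, and verify it. Paths below are assumptions for this example.

PROFILE_NAME="docker-nginx"
PROFILE_FILE="/etc/apparmor.d/${PROFILE_NAME}"   # assumed location of the prepared profile
MANIFEST="./apparmor-pod.yaml"                    # assumed location of the prepared manifest
POD_NAME="apparmor-pod"

# Step 0: sanity-check the profile text before loading it. Each grep maps one command
# from the "Verify" step to the rule that blocks it. Returns 0 only when all are present.
check_profile_rules() {
    f="$1"
    grep -Eq '^profile[[:space:]]+'"$PROFILE_NAME"'[[:space:]]' "$f" || { echo "missing: profile $PROFILE_NAME"; return 1; }
    grep -Eq '^[[:space:]]*deny network raw,' "$f"         || { echo "missing: deny network raw (blocks ping)"; return 1; }
    grep -Eq '^[[:space:]]*deny /usr/bin/top mrwklx,' "$f" || { echo "missing: deny /usr/bin/top (blocks top)"; return 1; }
    grep -Eq '^[[:space:]]*deny /bin/sh mrwklx,' "$f"      || { echo "missing: deny /bin/sh (blocks sh)"; return 1; }
    return 0
}

# Step 1 (on the worker node, as root): load the profile into the kernel. -r replaces an
# already loaded copy so the step can be re-run; aa-status confirms the profile is known.
load_profile() {
    apparmor_parser -r -q "$PROFILE_FILE" || return 1
    aa-status 2>/dev/null | grep -q "$PROFILE_NAME"
}

# Step 2: render the Pod manifest with the profile attached. The annotation key is
# container.apparmor.security.beta.kubernetes.io/<container-name>; the value
# localhost/<profile-name> refers to a profile already loaded on the node.
render_manifest() {
    pod="$1"; profile="$2"
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${pod}
  annotations:
    container.apparmor.security.beta.kubernetes.io/${pod}: localhost/${profile}
spec:
  containers:
  - name: ${pod}
    image: nginx
EOF
}

# Step 3: verify from inside the running Pod. Each command is expected to fail, because the
# profile denies raw sockets (ping), executing /usr/bin/top and executing /bin/sh; a success
# is therefore reported as a problem. $cmd is deliberately unquoted so it word-splits.
verify_pod() {
    pod="$1"; rc=0
    for cmd in "ping -c 1 127.0.0.1" "top -b -n 1" "sh -c true"; do
        if kubectl exec "$pod" -- $cmd >/dev/null 2>&1; then
            echo "UNEXPECTED: '$cmd' succeeded inside $pod"; rc=1
        else
            echo "ok: '$cmd' was blocked"
        fi
    done
    return $rc
}

# The full procedure runs only when invoked as:  sh apparmor-task.sh apply
if [ "${1:-}" = "apply" ]; then
    check_profile_rules "$PROFILE_FILE" || exit 1
    load_profile || { echo "profile not loaded on this node"; exit 1; }
    render_manifest "$POD_NAME" "$PROFILE_NAME" > "$MANIFEST"
    kubectl apply -f "$MANIFEST"
    kubectl wait --for=condition=Ready "pod/$POD_NAME" --timeout=60s
    verify_pod "$POD_NAME"
fi
```

Two caveats when reading the result of step 3. First, if the image ships no ping binary, that command fails with "not found" rather than with an AppArmor denial; the authoritative confirmation is the node's kernel log, where a blocked action appears as a line containing apparmor="DENIED" with the profile name. Second, Kubernetes 1.30 and later also accept the profile through the securityContext.appArmorProfile field (type: Localhost, localhostProfile: docker-nginx); the annotation rendered here is the form CKS material has traditionally used, and both require the profile to be loaded on the node first.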

Suggested Answer: A

Odette
4 months ago
Just what I needed for my cluster setup!
upvoted 0 times
Ahmed
4 months ago
This is a bit overkill, don’t you think?
upvoted 0 times
Kara
5 months ago
Wait, denying /proc access? That seems risky.
upvoted 0 times
Joaquin
5 months ago
Totally agree, security first!
upvoted 0 times
Georgeanna
5 months ago
Looks like a solid AppArmor profile for nginx!
upvoted 0 times
Lauran
5 months ago
I think I remember that we need to verify the commands after applying the manifests, but I'm not confident about the expected outcomes for each command.
upvoted 0 times
Felicidad
5 months ago
This question seems similar to one we did on enforcing security profiles in containers. I think I need to focus on the deny rules.
upvoted 0 times
Graciela
5 months ago
I remember we practiced editing AppArmor profiles, but I'm not entirely sure about the specific flags to use in this context.
upvoted 0 times
Daron
5 months ago
I feel a bit lost on how to apply the manifest file correctly. I hope I can recall the syntax for including the AppArmor profile.
upvoted 0 times
Ronald
5 months ago
The personas that will use the phone are definitely important to consider. We need to understand their needs and pain points to ensure the phone is designed and tested with the right user experience in mind.
upvoted 0 times
Nikita
5 months ago
This looks like a straightforward storage solution question for a SAP HANA deployment. I think I can handle this one.
upvoted 0 times
Lemuel
5 months ago
I'm not totally sure, but I have a feeling Link Availability might be involved too. It covers a lot of network details.
upvoted 0 times
