Linux Foundation CKS Exam - Topic 1 Question 25 Discussion

You must complete this task on the following cluster/nodes:

Cluster: trace

Master node: master

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context trace

Given: You may use Sysdig or Falco documentation.

Task:

Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Pod tomcat.

Two tools are available to use:

1. falco

2. sysdig

Tools are pre-installed on the worker1 node only.

Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at /home/cert_masters/report, in the following format:

[timestamp],[uid],[processName]

Note: Make sure to store the incident file on the cluster's worker node; don't move it to the master node.
A) Explanation:

On the worker node, copy the stock "Container Drift Detected (open+create)" rule into the local rules file and change its output to the required [timestamp],[uid],[processName] format:

[desk@cli] $ssh worker1
[worker1@cli] $vim /etc/falco/falco_rules.yaml
    (search for "Container Drift Detected" and paste the rule into falco_rules.local.yaml)
[worker1@cli] $vim /etc/falco/falco_rules.local.yaml

    - rule: Container Drift Detected (open+create)
      desc: New executable created in a container due to open+create
      condition: >
        evt.type in (open,openat,creat) and evt.is_open_exec=true and container
        and not runc_writing_exec_fifo and not runc_writing_var_lib_docker
        and not user_known_container_drift_activities and evt.rawres>=0
      output: >  # Add this / refer to the Falco documentation
        %evt.time,%user.uid,%proc.name
      priority: ERROR

[worker1@cli] $vim /etc/falco/falco.yaml

Then reload the rules in the running Falco process (SIGHUP):

[worker1@cli] $kill -1 <PID of falco>
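The same task as a set of shell functions, added here as an example (not the page's answer nor the exam's own material). It assumes the report path from the task, Falco's default text alert line "<time>: <Priority> <rule output>", and that the tomcat container's id is found on worker1 with crictl ps (or docker ps); the sysdig filter uses execve events, i.e. process spawns, which is what the task asks for.

```shell
#!/bin/sh
# Added example, not code from the page or the exam: the task's two routes as
# shell functions so each piece can be checked on its own. Assumes the report
# path from the task, Falco's default "<time>: <Priority> <output>" alert text,
# and a container id looked up on worker1 with "crictl ps" (or "docker ps").
REPORT="${REPORT:-/home/cert_masters/report}"
LINE_RE='^[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+,[0-9]+,[^,]+$'   # time,uid,name

# The stock drift rule (as in the answer) with only its output changed to the
# required "[timestamp],[uid],[processName]"; append it to
# /etc/falco/falco_rules.local.yaml on worker1, then "kill -1" Falco.
drift_rule_yaml() {
  cat <<'EOF'
- rule: Container Drift Detected (open+create)
  desc: New executable created in a container due to open+create
  condition: >
    evt.type in (open,openat,creat) and evt.is_open_exec=true and container
    and not runc_writing_exec_fifo and not runc_writing_var_lib_docker
    and not user_known_container_drift_activities and evt.rawres>=0
  output: "%evt.time,%user.uid,%proc.name"
  priority: ERROR
EOF
}

# Falco prefixes every alert with its own time and priority, e.g.
# "10:24:03.918512001: Error 10:24:03.918512001,0,bash"; the report must hold
# only the rule output, so strip that prefix.
normalize_falco_line() {
  sed -E 's/^[^ ]+: [A-Za-z]+ //'
}

# Run Falco for the window (-M stops after N seconds, -U unbuffers). Falco's
# own log goes to stderr and is dropped; alerts from other stock rules do not
# match LINE_RE and are filtered out, so only this rule's hits reach the file.
falco_run() {
  falco -U -M "${1:-45}" 2>/dev/null | normalize_falco_line | grep -E "$LINE_RE" > "$REPORT"
}

# Sysdig route: -p prints exactly the required fields, -M bounds the capture,
# and the filter keeps execve (process spawn) events from one container only.
sysdig_cmd() {
  printf 'sysdig -M %s -p "%%evt.time,%%user.uid,%%proc.name" ' "${2:-45}"
  printf '"container.id=%s and evt.type=execve" > %s\n' "$1" "$REPORT"
}

# Check a finished report: non-empty, and every line is time,uid,name.
report_ok() {
  [ -s "$1" ] && ! grep -Ev "$LINE_RE" "$1" >/dev/null
}
```

On worker1: `drift_rule_yaml >> /etc/falco/falco_rules.local.yaml`, reload the running Falco with `kill -1 <PID>`, then `falco_run 45` and `report_ok "$REPORT"`; or run the single command printed by `sysdig_cmd <container-id> 45`.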

Actual exam question for Linux Foundation's CKS exam
Question #: 25
Topic #: 1
Suggested Answer: A

Contribute your Thoughts:

Jaclyn
7 months ago
Don't forget to check the filters for newly spawning processes!
upvoted 0 times
Latanya
8 months ago
Wait, are we really storing the incident file on worker1? Seems risky!
upvoted 0 times
Keith
8 months ago
I think falco is better for detecting those anomalies.
upvoted 0 times
Reiko
8 months ago
Totally agree, that command is crucial for the task!
upvoted 0 times
Paris
8 months ago
Just a reminder, make sure to use the right context with `kubectl config use-context trace`.
upvoted 0 times
Willetta
8 months ago
I recall using Sysdig in a similar exercise, but I think Falco might be more suited for this task. I just need to remember how to analyze the container's behavior correctly.
upvoted 0 times
Ty
8 months ago
I feel a bit confused about where to store the incident file. I know it should be on the worker node, but I hope I don't mix it up with the master node.
upvoted 0 times
Theresia
8 months ago
I remember we practiced using Falco for detecting anomalies, but I'm not entirely sure about the exact command syntax for filtering processes.
upvoted 0 times
Billye
9 months ago
I think we need to set up the rules in Falco first, like we did in that practice question about container drift. I hope I can remember the right conditions to use.
upvoted 0 times
Hollis
9 months ago
The Expression Builder for if-then rules could be really helpful in crafting accurate condition expressions. I think that's a key advantage to keep in mind.
upvoted 0 times
Sabra
9 months ago
There was a practice question about the responsibilities outlined in contracts, and I thought the emphasis was on the provider's obligation being linked to receiving information from the health plan.
upvoted 0 times
Whitley
9 months ago
I'm a bit unsure about this one. I'll need to review my notes on troubleshooting SAN fabric issues.
upvoted 0 times
Brigette
9 months ago
I think this scenario might involve incidental teaching since it's a natural learning moment that wasn't planned.
upvoted 0 times
Guru Dayal Bhatt
4 years ago
How to get the container id?
upvoted 1 times
