Linux Foundation CKS Exam - Topic 1 Question 75 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 75
Topic #: 1

[All CKS Questions]

You must complete this task on the following cluster/nodes: Cluster:trace Master node:master Worker node:worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context trace Given: You may use Sysdig or Falco documentation. Task: Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Podtomcat. Two tools are available to use: 1. falco 2. sysdig Tools are pre-installed on the worker1 node only. Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes. Store an incident file at/home/cert_masters/report, in the following format: [timestamp],[uid],[processName] Note:Make sure to store incident file on the cluster's worker node, don't move it to master node.

AExplanation:
$vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
$kill -1 <PID of falco>
Explanation
[desk@cli] $ssh node01
[node01@cli] $vim /etc/falco/falco_rules.yaml
search for Container Drift Detected & paste in falco_rules.local.yaml
[node01@cli] $vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
[node01@cli] $vim /etc/falco/falco.yaml

Show Suggested Answer

Suggested Answer: A

by Cherelle at Mar 03, 2025, 07:12 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Son

4 months ago

Are you sure the tools are pre-installed on worker1? Sounds sketchy!

upvoted 0 times

...

Audry

4 months ago

Totally agree, falco rules are super helpful for container security.

upvoted 0 times

...

Goldie

4 months ago

Wait, you have to store the report on the worker node? That's odd!

upvoted 0 times

...

Selene

4 months ago

I prefer sysdig for this kind of analysis, way more user-friendly.

upvoted 0 times

...

Johnna

5 months ago

Just a heads up, falco is great for detecting anomalies!

upvoted 0 times

...

Kristin

5 months ago

I think I saw something in the Sysdig documentation about filtering processes too. Should we use Sysdig instead of Falco, or is it better to stick with Falco for this task?

upvoted 0 times

...

Elke

5 months ago

I feel a bit confused about where to store the incident file. Is it really just on the worker node and not on the master node? I hope I remember that correctly.

upvoted 0 times

...

Angella

5 months ago

I think we had a similar question about process monitoring in containers. If I recall correctly, we need to set the right filters in Falco to catch those newly spawned processes.

upvoted 0 times

...

Edna

5 months ago

I remember we practiced using Falco to detect anomalies, but I'm not entirely sure about the exact command to analyze the container's behavior for 40 seconds.

upvoted 0 times

...

Arlette

5 months ago

I'm a bit confused about this one. I know we're supposed to use Falco or Sysdig, but I'm not sure how to set up the monitoring and filters to detect the specific anomalies they're looking for. I'll need to review the documentation carefully and make sure I have the right approach.

upvoted 0 times

...

Doug

5 months ago

Okay, let's see. I need to use Falco to monitor the container and look for any suspicious process activity. I'll need to set up the rules to capture the timestamp, user ID, and process name, and save that to the report file. Sounds straightforward, but I'll need to be careful with the syntax and filters.

upvoted 0 times

...

Mariann

5 months ago

Hmm, this seems a bit tricky. I'll need to review the Falco and Sysdig documentation to understand how to set up the monitoring and filters properly. Hopefully, I can get the right configuration to detect the anomalies in the container.

upvoted 0 times

...

Wynell

5 months ago

I think I can handle this question. The key is to use the Falco detection tool to monitor the container's behavior and look for any anomalies like new processes spawning or executing something unusual. I'll need to configure the Falco rules to capture that information and save it to the report file.

upvoted 0 times

...

Cassi

10 months ago

Haha, I wonder if the exam writers have a sense of humor. 'Newly spawning and executing processes' - it sounds like we're dealing with some kind of container breakout or malware scenario. Better bring my popcorn!

upvoted 0 times

Edna

9 months ago

Let's get started and see what anomalies we can detect in the container.

upvoted 0 times

...

Princess

9 months ago

I hope it's not too serious, but it's definitely going to be a fun task.

upvoted 0 times

...

Lamonica

10 months ago

I'm excited to use the detection tools and see what we can find.

upvoted 0 times

...

Arthur

10 months ago

I know, right? Sounds like we're in for an interesting challenge.

upvoted 0 times

...

Daniel

10 months ago

I'm a bit confused about the output format for the incident file. The task mentions a specific format, but the solution doesn't seem to address that. I'll need to double-check the requirements.

upvoted 0 times

...

Oliva

10 months ago

Hmm, the task mentions using either Falco or Sysdig, but the solution is focused on Falco. I wonder if Sysdig would be a viable alternative, or if Falco is the preferred tool for this scenario.

upvoted 0 times

Fairy

9 months ago

I think using Falco would be the best choice for this specific scenario.

upvoted 0 times

...

Meghan

9 months ago

Sysdig might work as well, but Falco is more focused on container security.

upvoted 0 times

...

Tomas

9 months ago

Falco is the recommended tool for this task.

upvoted 0 times

...

Annamae

11 months ago

Looks like we need to use Falco to detect any anomalies in the Tomcat container. The rules provided look good, but I'll need to check the Falco documentation to make sure I'm understanding everything correctly.

upvoted 0 times

Tammara

9 months ago

Falco's rules for detecting container drift seem thorough. I'll review the documentation to ensure we set it up correctly for monitoring the Tomcat container.

upvoted 0 times

...

Floyd

9 months ago

I think using Falco will give us the most accurate results. Let's make sure we follow the rules correctly to detect any anomalies in the container.

upvoted 0 times

...

Alex

10 months ago

User 3: Let's refer to the Falco documentation to ensure we set up the rules correctly for detecting anomalies.

upvoted 0 times

...

Denise

10 months ago

User 2: Yes, the rules for detecting new executables in a container using Falco seem detailed.

upvoted 0 times

...

Darnell

10 months ago

I agree, Falco seems like the best tool to use for this task. The rules provided are detailed, but it's always good to double-check with the documentation.

upvoted 0 times

...