U.S. Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Linux Foundation CKS Exam - Topic 1 Question 75 Discussion

You must complete this task on the following cluster/nodes: Cluster:trace Master node:master Worker node:worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context trace Given: You may use Sysdig or Falco documentation. Task: Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Podtomcat. Two tools are available to use: 1. falco 2. sysdig Tools are pre-installed on the worker1 node only. Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes. Store an incident file at/home/cert_masters/report, in the following format: [timestamp],[uid],[processName] Note:Make sure to store incident file on the cluster's worker node, don't move it to master node.
A) Explanation: $vim /etc/falco/falco_rules.local.yaml - rule: Container Drift Detected (open+create) desc: New executable created in a container due to open+create condition: > evt.type in (open,openat,creat) and evt.is_open_exec=true and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities and evt.rawres>=0 output: > %evt.time,%user.uid,%proc.name # Add this/Refer falco documentation priority: ERROR $kill -1 <PID of falco> Explanation [desk@cli] $ssh node01 [node01@cli] $vim /etc/falco/falco_rules.yaml search for Container Drift Detected & paste in falco_rules.local.yaml [node01@cli] $vim /etc/falco/falco_rules.local.yaml - rule: Container Drift Detected (open+create) desc: New executable created in a container due to open+create condition: > evt.type in (open,openat,creat) and evt.is_open_exec=true and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities and evt.rawres>=0 output: > %evt.time,%user.uid,%proc.name # Add this/Refer falco documentation priority: ERROR [node01@cli] $vim /etc/falco/falco.yaml

Linux Foundation CKS Exam - Topic 1 Question 75 Discussion

Actual exam question for Linux Foundation's CKS exam
Question #: 75
Topic #: 1
[All CKS Questions]

You must complete this task on the following cluster/nodes: Cluster:trace Master node:master Worker node:worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context trace Given: You may use Sysdig or Falco documentation. Task: Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Podtomcat. Two tools are available to use: 1. falco 2. sysdig Tools are pre-installed on the worker1 node only. Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes. Store an incident file at/home/cert_masters/report, in the following format: [timestamp],[uid],[processName] Note:Make sure to store incident file on the cluster's worker node, don't move it to master node.

Show Suggested Answer Hide Answer
Suggested Answer: A

by Cherelle at Mar 03, 2025, 07:12 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Son
7 months ago
Are you sure the tools are pre-installed on worker1? Sounds sketchy!
upvoted 0 times
...
Audry
7 months ago
Totally agree, falco rules are super helpful for container security.
upvoted 0 times
...
Goldie
7 months ago
Wait, you have to store the report on the worker node? That's odd!
upvoted 0 times
...
Selene
7 months ago
I prefer sysdig for this kind of analysis, way more user-friendly.
upvoted 0 times
...
Johnna
8 months ago
Just a heads up, falco is great for detecting anomalies!
upvoted 0 times
...
Kristin
8 months ago
I think I saw something in the Sysdig documentation about filtering processes too. Should we use Sysdig instead of Falco, or is it better to stick with Falco for this task?
upvoted 0 times
...
Elke
8 months ago
I feel a bit confused about where to store the incident file. Is it really just on the worker node and not on the master node? I hope I remember that correctly.
upvoted 0 times
...
Angella
8 months ago
I think we had a similar question about process monitoring in containers. If I recall correctly, we need to set the right filters in Falco to catch those newly spawned processes.
upvoted 0 times
...
Edna
8 months ago
I remember we practiced using Falco to detect anomalies, but I'm not entirely sure about the exact command to analyze the container's behavior for 40 seconds.
upvoted 0 times
...
Arlette
8 months ago
I'm a bit confused about this one. I know we're supposed to use Falco or Sysdig, but I'm not sure how to set up the monitoring and filters to detect the specific anomalies they're looking for. I'll need to review the documentation carefully and make sure I have the right approach.
upvoted 0 times
...
Doug
8 months ago
Okay, let's see. I need to use Falco to monitor the container and look for any suspicious process activity. I'll need to set up the rules to capture the timestamp, user ID, and process name, and save that to the report file. Sounds straightforward, but I'll need to be careful with the syntax and filters.
upvoted 0 times
...
Mariann
8 months ago
Hmm, this seems a bit tricky. I'll need to review the Falco and Sysdig documentation to understand how to set up the monitoring and filters properly. Hopefully, I can get the right configuration to detect the anomalies in the container.
upvoted 0 times
...
Wynell
9 months ago
I think I can handle this question. The key is to use the Falco detection tool to monitor the container's behavior and look for any anomalies like new processes spawning or executing something unusual. I'll need to configure the Falco rules to capture that information and save it to the report file.
upvoted 0 times
...
Cassi
1 year ago
Haha, I wonder if the exam writers have a sense of humor. 'Newly spawning and executing processes' - it sounds like we're dealing with some kind of container breakout or malware scenario. Better bring my popcorn!
upvoted 0 times
Edna
12 months ago
Let's get started and see what anomalies we can detect in the container.
upvoted 0 times
...
Princess
1 year ago
I hope it's not too serious, but it's definitely going to be a fun task.
upvoted 0 times
...
Lamonica
1 year ago
I'm excited to use the detection tools and see what we can find.
upvoted 0 times
...
Arthur
1 year ago
I know, right? Sounds like we're in for an interesting challenge.
upvoted 0 times
...
...
Daniel
1 year ago
I'm a bit confused about the output format for the incident file. The task mentions a specific format, but the solution doesn't seem to address that. I'll need to double-check the requirements.
upvoted 0 times
...
Oliva
1 year ago
Hmm, the task mentions using either Falco or Sysdig, but the solution is focused on Falco. I wonder if Sysdig would be a viable alternative, or if Falco is the preferred tool for this scenario.
upvoted 0 times
Fairy
12 months ago
I think using Falco would be the best choice for this specific scenario.
upvoted 0 times
...
Meghan
12 months ago
Sysdig might work as well, but Falco is more focused on container security.
upvoted 0 times
...
Tomas
1 year ago
Falco is the recommended tool for this task.
upvoted 0 times
...
...
Annamae
1 year ago
Looks like we need to use Falco to detect any anomalies in the Tomcat container. The rules provided look good, but I'll need to check the Falco documentation to make sure I'm understanding everything correctly.
upvoted 0 times
Tammara
1 year ago
Falco's rules for detecting container drift seem thorough. I'll review the documentation to ensure we set it up correctly for monitoring the Tomcat container.
upvoted 0 times
...
Floyd
1 year ago
I think using Falco will give us the most accurate results. Let's make sure we follow the rules correctly to detect any anomalies in the container.
upvoted 0 times
...
Alex
1 year ago
User 3: Let's refer to the Falco documentation to ensure we set up the rules correctly for detecting anomalies.
upvoted 0 times
...
Denise
1 year ago
User 2: Yes, the rules for detecting new executables in a container using Falco seem detailed.
upvoted 0 times
...
Darnell
1 year ago
I agree, Falco seems like the best tool to use for this task. The rules provided are detailed, but it's always good to double-check with the documentation.
upvoted 0 times
...
Sherron
1 year ago
User 1: I think we should use Falco to detect anomalies in the Tomcat container.
upvoted 0 times
...
...
Yolande
1 year ago
That's a good point, sysdig might give us better insights into the container's behavior.
upvoted 0 times
...
Rochell
1 year ago
I prefer using sysdig because it provides more detailed information.
upvoted 0 times
...
Yolande
1 year ago
I think I will use falco for this task.
upvoted 0 times
...

Save Cancel