Linux Foundation Exam CKS Topic 1 Question 75 Discussion

Actual exam question for Linux Foundation's CKS exam
Question #: 75
Topic #: 1

You must complete this task on the following cluster/nodes:

Cluster: trace
Master node: master
Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context trace

Given: You may use Sysdig or Falco documentation.

Task: Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Pod tomcat.

Two tools are available to use:
1. falco
2. sysdig

Tools are pre-installed on the worker1 node only.

Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at /home/cert_masters/report, in the following format:

[timestamp],[uid],[processName]

Note: Make sure to store the incident file on the cluster's worker node; don't move it to the master node.

Suggested Answer: A
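
One way to carry out the capture the task describes with sysdig, as an added example that is not part of the original question or the site's suggested answer. The pod name tomcat, the 40 seconds and the report path come from the task; the crictl lookup of the container id and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the exam page). Assumes sysdig and crictl are present
# on worker1, as the task implies. REPORT can be overridden for a dry run.
REPORT="${REPORT:-/home/cert_masters/report}"
FORMAT='%evt.time,%user.uid,%proc.name'   # [timestamp],[uid],[processName]

# sysdig filter: completed exec calls inside one container.
# evt.dir=< keeps the exit event, where proc.name is already the new program.
exec_filter() {   # $1 = 12-character container id
    printf 'container.id=%s and evt.type in (execve, execveat) and evt.dir=<' "$1"
}

# Resolve the single container of Pod "tomcat" (hypothetical lookup via crictl).
# sysdig's container.id is the first 12 characters of the full id.
tomcat_container_id() {
    pod=$(crictl pods --name tomcat -q | head -n 1)
    crictl ps --pod "$pod" -q | head -n 1 | cut -c1-12
}

# Pass through only well-formed report lines: HH:MM:SS.nanoseconds,uid,name
valid_report_lines() {
    grep -E '^[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+,[0-9]+,[^,]+$' || true
}

# Capture for 40 seconds (-M) and write the report on the worker node.
capture() {       # $1 = container id
    sysdig -M 40 -p "$FORMAT" "$(exec_filter "$1")" | valid_report_lines > "$REPORT"
}

# Constructed sample of sysdig -p output, including one malformed line.
sample_output() {
    cat <<'EOF'
21:03:11.402183721,0,sh
21:03:11.409771310,0,ls
sysdig: capture interrupted
21:03:16.411002945,1000,curl
EOF
}

# Offline demonstration of the report format on the constructed sample.
sample_output | valid_report_lines

# On worker1, as root:  capture "$(tomcat_container_id)"
```
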

Contribute your Thoughts:

Cassi
2 months ago
Haha, I wonder if the exam writers have a sense of humor. 'Newly spawning and executing processes' - it sounds like we're dealing with some kind of container breakout or malware scenario. Better bring my popcorn!
upvoted 0 times
Edna
19 days ago
Let's get started and see what anomalies we can detect in the container.
upvoted 0 times
...
Princess
28 days ago
I hope it's not too serious, but it's definitely going to be a fun task.
upvoted 0 times
...
Lamonica
1 month ago
I'm excited to use the detection tools and see what we can find.
upvoted 0 times
...
Arthur
2 months ago
I know, right? Sounds like we're in for an interesting challenge.
upvoted 0 times
...
...
Daniel
2 months ago
I'm a bit confused about the output format for the incident file. The task mentions a specific format, but the solution doesn't seem to address that. I'll need to double-check the requirements.
upvoted 0 times
...
Oliva
2 months ago
Hmm, the task mentions using either Falco or Sysdig, but the solution is focused on Falco. I wonder if Sysdig would be a viable alternative, or if Falco is the preferred tool for this scenario.
upvoted 0 times
Fairy
24 days ago
I think using Falco would be the best choice for this specific scenario.
upvoted 0 times
...
Meghan
26 days ago
Sysdig might work as well, but Falco is more focused on container security.
upvoted 0 times
...
Tomas
30 days ago
Falco is the recommended tool for this task.
upvoted 0 times
...
...
Annamae
3 months ago
Looks like we need to use Falco to detect any anomalies in the Tomcat container. The rules provided look good, but I'll need to check the Falco documentation to make sure I'm understanding everything correctly.
upvoted 0 times
Tammara
1 month ago
Falco's rules for detecting container drift seem thorough. I'll review the documentation to ensure we set it up correctly for monitoring the Tomcat container.
upvoted 0 times
...
Floyd
1 month ago
I think using Falco will give us the most accurate results. Let's make sure we follow the rules correctly to detect any anomalies in the container.
upvoted 0 times
...
Alex
1 month ago
User 3: Let's refer to the Falco documentation to ensure we set up the rules correctly for detecting anomalies.
upvoted 0 times
...
Denise
1 month ago
User 2: Yes, the rules for detecting new executables in a container using Falco seem detailed.
upvoted 0 times
...
Darnell
2 months ago
I agree, Falco seems like the best tool to use for this task. The rules provided are detailed, but it's always good to double-check with the documentation.
upvoted 0 times
...
Sherron
2 months ago
User 1: I think we should use Falco to detect anomalies in the Tomcat container.
upvoted 0 times
...
...
Yolande
3 months ago
That's a good point, sysdig might give us better insights into the container's behavior.
upvoted 0 times
...
Rochell
3 months ago
I prefer using sysdig because it provides more detailed information.
upvoted 0 times
...
Yolande
3 months ago
I think I will use falco for this task.
upvoted 0 times
...
