
CKS · Question #23

CKS Question #23: Real Exam Question with Answer & Explanation

This question tests your ability to use Falco, a cloud-native runtime security tool, to monitor and capture process execution events inside a specific container and persist those findings to a file. It is commonly seen in the CKS (Certified Kubernetes Security Specialist) exam.

Submitted by wei.xz · May 4, 2026 · Runtime Security

Question

Using the runtime detection tool Falco, analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx. Store the incident file at /opt/falco-incident.txt, containing the detected incidents, one per line, in

Explanation

Approach. First identify the running Nginx container name (e.g., via 'docker ps' or 'kubectl get pods'), then run Falco with the '-M' flag (number of seconds to run, e.g., '-M 45' for a safety margin over the required 20s), apply a filter scoped to the Nginx container and to process-spawn events (syscall types execve/execveat), and redirect the output to /opt/falco-incident.txt. A representative command is: sudo falco -M 45 --filter 'evt.type in (execve, execveat) and container.name contains "nginx"' > /opt/falco-incident.txt 2>&1 (the filter is wrapped in single quotes so the inner double quotes around nginx survive shell parsing). Each detected incident is written in Falco's default output format, one event per line, which satisfies the file requirement. If a custom rule file is needed, pass it with '-r /path/to/rules.yaml'.
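The same procedure as an added example, not code from the page or from the Falco project: a standalone rule file scoped to the nginx container, a bounded Falco run, and a post-filter that keeps only incident lines, because with '2>&1' Falco's startup messages land in the same file as the detections. The rule path /tmp/nginx-exec.yaml, the raw log path, and the 'NGINX_INCIDENT' marker are assumptions chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the page). Assumes falco is installed and the target
# container's name contains "nginx"; file paths and the marker are illustrative.
set -eu

# Write a self-contained rule: execve/execveat exit events (evt.dir = <) inside a
# container whose name contains "nginx". The condition is spelled out rather than
# using the spawned_process macro, so it does not depend on the default rule set.
write_rule() {
  local rules_file="$1"
  cat > "$rules_file" <<'EOF'
- rule: Spawned process in nginx container
  desc: Any new process executed inside a container whose name contains nginx
  condition: evt.type in (execve, execveat) and evt.dir = < and container.name contains "nginx"
  output: "NGINX_INCIDENT time=%evt.time container=%container.name user=%user.name proc=%proc.name cmd=%proc.cmdline"
  priority: WARNING
EOF
}

# Run Falco for a fixed number of seconds (-M) with only this rule file (-r) and
# capture everything it prints, banners included, into a raw log.
run_capture() {
  local rules_file="$1" seconds="$2" raw_log="$3"
  sudo falco -M "$seconds" -r "$rules_file" > "$raw_log" 2>&1
}

# Keep only lines carrying the incident marker so the result file holds exactly
# one detected process per line; prints the number of incidents kept.
extract_incidents() {
  local raw_log="$1" out_file="$2"
  grep -F 'NGINX_INCIDENT' "$raw_log" > "$out_file" || true
  wc -l < "$out_file" | tr -d ' '
}

# End-to-end flow: 45 seconds gives a margin over the required 20 seconds.
# Source this file and call main to run it on a host with Falco.
main() {
  write_rule /tmp/nginx-exec.yaml
  run_capture /tmp/nginx-exec.yaml 45 /tmp/falco-raw.log
  extract_incidents /tmp/falco-raw.log /opt/falco-incident.txt
}
```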

Concept tested. Falco runtime security monitoring - using syscall-level event filtering (execve/execveat) scoped to a specific container to detect newly spawned and executed processes, then persisting those runtime incident logs to disk for forensic evidence.

Reference. Falco official docs: https://falco.org/docs/ | CKS exam domain: System Hardening & Runtime Security | Falco filter syntax: https://falco.org/docs/reference/rules/supported-fields/

Topics

#Falco #Runtime Security #Container Security #Process Monitoring
