CKS Question #33: Real Exam Question with Answer & Explanation
Question
You must complete this task on the following cluster/nodes:
Cluster: trace
Master node: master
Worker node: worker1

You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context trace

Given: You may use Sysdig or Falco documentation.

Task: Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Pod tomcat. Two tools are available to use:
1. falco
2. sysdig
Tools are pre-installed on the worker1 node only.

Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes. Store an incident file at /home/cert_masters/report, in the following format:
[timestamp],[uuid],[processName]

Note: Make sure to store the incident file on the cluster's worker node; don't move it to the master node.
Explanation
[desk@cli] $ ssh node01
[node01@cli] $ vim /etc/falco/falco_rules.local.yaml

Search for "Container Drift Detected" in the Falco documentation (or the default rules file), paste the rule into falco_rules.local.yaml, and change its output line to the required [timestamp],[uuid],[processName] format. Keep the explanatory comment on its own line: inside a folded scalar (output: >) a "#" is part of the output string, not a YAML comment.

- rule: Container Drift Detected (open+create)
  desc: New executable created in a container due to open+create
  condition: >
    evt.type in (open,openat,creat) and evt.is_open_exec=true
    and container
    and not runc_writing_exec_fifo
    and not runc_writing_var_lib_docker
    and not user_known_container_drift_activities
    and evt.rawres>=0
  # Add this output format; refer to the Falco documentation for the field names
  output: >
    %evt.time,%user.uid,%proc.name
  priority: ERROR

Next, enable file output in the main Falco configuration so the alerts land in the report file:

[node01@cli] $ vim /etc/falco/falco.yaml

file_output:
  enabled: true
  keep_alive: false
  filename: /home/cert_masters/report

Send a HUP signal to the falco process so it re-reads the configuration:

[root@node01 ~]# ps -ef | grep falco
root 10127 1 5 17:13 ? 00:00:05 /usr/bin/falco -pidfile=/var/run/falco.pid -c /etc/falco/falco.yaml
root 10283 10168 0 17:14 pts/1 00:00:00 grep --color=auto falco
[root@node01 ~]# kill -1 10127
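The sysdig route that the question also allows, as an added example (not part of the original answer): it captures only process-spawn events (execve returning) in the tomcat container for 40 seconds, writes them in the required output format, and then checks that every report line has the expected shape. It assumes sysdig is installed on the worker node and that the container is addressable as container.name=tomcat; the sample report lines are constructed.

```shell
#!/bin/sh
# Added example: sysdig capture plus a format check for the report file.
# Assumption: sysdig is installed on the worker node; the container is container.name=tomcat.
REPORT=${REPORT:-/home/cert_masters/report}

# Capture execve events in the tomcat container for 40 seconds (-M 40).
# evt.dir=< selects the return side of execve, where proc.name already
# holds the newly executed program; -p prints each match as time,uid,name.
capture_report() {
    sysdig -M 40 \
        -p "%evt.time,%user.uid,%proc.name" \
        "container.name=tomcat and evt.type=execve and evt.dir=<" \
        > "$REPORT"
}

# Return 0 only when the file is non-empty and every line matches
# HH:MM:SS.nanos,uid,processName (no stray columns, no header lines).
check_report() {
    f=$1
    [ -s "$f" ] || return 1
    ! grep -Evq '^[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+,[0-9]+,[^,]+$' "$f"
}

# Constructed sample lines showing the expected output (not real capture data).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
17:14:02.123456789,0,sh
17:14:05.987654321,1000,curl
EOF

# Constructed malformed line, which the check must reject.
BAD=$(mktemp)
printf 'not,a,valid line\n' > "$BAD"

# Only run the real capture when explicitly requested (needs sysdig and root).
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    capture_report
    check_report "$REPORT" && echo "report ok: $REPORT"
fi
```

Run it as RUN_CAPTURE=1 on the worker node to produce the report; without that variable it only defines the functions and the sample files.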