Domain 5: Monitoring, Logging and Runtime Security
Overview
Monitoring, Logging and Runtime Security is the final technical domain of the CKS exam. It accounts for 15% of the total exam weight and focuses on detecting, investigating, and responding to security threats in a running Kubernetes cluster. This domain bridges the gap between preventive security (covered in other domains) and detective/responsive security.
Exam Weight
This domain carries 15% of the CKS exam score. While equal in weight to other domains, runtime security is often where candidates struggle most because it requires hands-on familiarity with tools like Falco, audit logging, and system-level investigation techniques.
What to Expect in the Exam
The CKS exam is performance-based, meaning you will work directly on live Kubernetes clusters. For this domain, expect tasks such as:
| Task Type | Likelihood | Difficulty |
|---|---|---|
| Configure audit logging on the API server | High | Hard |
| Write or modify audit policy rules | High | Medium |
| Investigate Falco alerts and identify violations | High | Medium |
| Write custom Falco rules | Medium | Hard |
| Enforce container immutability | High | Medium |
| Investigate a compromised container | Medium | Hard |
| Analyze audit logs for suspicious activity | Medium | Medium |
| Use runtime tools to trace container behavior | Low-Medium | Medium |
Time Management
You have 2 hours for the entire CKS exam. Runtime security questions often involve multi-step investigation tasks. Practice the complete workflow: detect the issue, identify the cause, and apply the fix. Do not spend too long reading through verbose audit logs or Falco output -- learn to filter efficiently.
Key Tools and Commands
Falco
The primary runtime security tool for detecting anomalous behavior.
```bash
# Check Falco service status
systemctl status falco
# View Falco logs/alerts
journalctl -u falco
# View Falco alerts from output file
cat /var/log/falco/falco_alerts.log
# Run Falco with a specific rules file
falco -r /etc/falco/custom_rules.yaml
# Validate Falco rules
falco -V /etc/falco/custom_rules.yaml
# Run Falco in dry-run mode
falco --dry-run
```
Audit Logging
```bash
# Check API server audit configuration
grep audit /etc/kubernetes/manifests/kube-apiserver.yaml
# View audit logs (one JSON event per line)
jq . /var/log/kubernetes/audit/audit.log
# Filter audit logs by verb
jq 'select(.verb=="delete")' /var/log/kubernetes/audit/audit.log
# Filter audit logs by user
jq 'select(.user.username=="system:admin")' /var/log/kubernetes/audit/audit.log
# Filter audit logs by resource
jq 'select(.objectRef.resource=="secrets")' /var/log/kubernetes/audit/audit.log
```
sysdig and strace
```bash
# Trace syscalls for a specific container (-pc adds container fields to the output)
sysdig -pc container.name=<name>
# Monitor file opens in a container (modern libc uses openat, so match both)
sysdig -pc "evt.type in (open,openat) and container.name=<name>"
# Monitor network connections
sysdig -pc "evt.type=connect and container.name=<name>"
# Trace a running process, following threads and children it spawns
strace -p <PID> -f
# Monitor file access of a process
strace -e trace=file -p <PID>
```
Container Investigation
```bash
# List containers with crictl
crictl ps
# Inspect a container (runtime config, mounts, host PID)
crictl inspect <container-id>
# Execute in a container
crictl exec -it <container-id> sh
# View container logs
crictl logs <container-id>
# Check container filesystem changes (Docker runtime only; crictl has no equivalent)
docker diff <container-id>
```
Topics in This Domain
| # | Topic | Key Focus |
|---|---|---|
| 1 | Audit Logging | Audit policy, levels, stages, API server config |
| 2 | Falco Runtime Security | Rules, architecture, detection, custom rules |
| 3 | sysdig and strace | Syscall monitoring, container tracing, /proc |
| 4 | Container Immutability | readOnlyRootFilesystem, enforcement, detection |
| 5 | Behavioral Analytics | Anomaly detection, attack patterns, threat detection |
| 6 | Container Forensics | Investigation, evidence collection, crictl |
| 7 | Practice Questions | 20 hands-on questions covering all topics |
| 8 | Solutions | Step-by-step solutions with explanations |
Study Strategy
Recommended Approach
- Master audit logging first -- it is the most likely topic to appear and carries the most configuration complexity
- Get comfortable with Falco -- know the rule syntax, default rules, and how to write custom rules
- Practice container immutability -- readOnlyRootFilesystem questions are straightforward points
- Learn to investigate -- the exam may present a compromised scenario and ask you to find indicators
- Know your tools -- be able to use crictl, jq (for audit logs), and basic Linux investigation commands
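An added example, not from the original page, of the container immutability pattern the "Practice container immutability" bullet refers to: a Pod with readOnlyRootFilesystem set, with the paths the application still needs to write supplied as emptyDir volumes. The Pod name, image and writable paths are assumptions for illustration.

```yaml
# Added example, not from the original page: immutable container with
# only the paths the application needs made writable via emptyDir volumes.
apiVersion: v1
kind: Pod
metadata:
  name: immutable-web          # assumed name
spec:
  containers:
  - name: web
    image: nginx:1.25          # assumed image; nginx writes to its cache and pid paths
    securityContext:
      readOnlyRootFilesystem: true     # the container root filesystem becomes read-only
      allowPrivilegeEscalation: false
    ports:
    - containerPort: 80
    volumeMounts:
    # Without these mounts the process fails at start-up with read-only filesystem errors
    - name: tmp
      mountPath: /tmp
    - name: nginx-cache
      mountPath: /var/cache/nginx
    - name: nginx-run
      mountPath: /var/run
  volumes:
  # emptyDir lives for the Pod's lifetime: writable, but never persisted
  - name: tmp
    emptyDir: {}
  - name: nginx-cache
    emptyDir: {}
  - name: nginx-run
    emptyDir: {}
```

To verify the enforcement, `kubectl exec immutable-web -- touch /probe` should fail with a read-only file system error while `kubectl exec immutable-web -- touch /tmp/probe` succeeds.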
Common Mistakes
- Forgetting to create volume mounts for the audit log file and audit policy in the API server manifest
- Not restarting the API server after enabling audit logging (static pod manifest changes are picked up by kubelet, but you must wait)
- Writing Falco rules with incorrect YAML syntax -- Falco rules have a unique structure that is not standard Kubernetes YAML
- Confusing audit levels: Metadata does NOT include request/response bodies, only Request and RequestResponse do
- Not using readOnlyRootFilesystem: true together with the writable emptyDir mounts the application needs for its temp directories