Jan 14, 2021

CKS Certification Study Guide: Monitoring, Logging, and Runtime Security

By: Michael Foster

This is the third installment in our six-part CKS Certification series. Don’t forget to check out all the posts in the series:

This blog references the tools used to set up a Kubernetes version 1.19 cluster and reviews the CKS — Cluster Setup section. You can create a Kubernetes cluster from our GitHub repository using Terraform and Rancher Kubernetes Engine (RKE) in Google Cloud Platform (GCP) or Amazon Web Services (AWS). This cluster environment simulates a real Kubernetes environment rather than a local cluster. To get the cluster up and running, follow the readme.md, which lists the applications you will need and describes the repository’s general structure.

Section 6: Monitoring, Logging, and Runtime Security

Our study guide’s sixth and final section focuses on monitoring, logging, and runtime security within the cluster. The Linux Foundation highlights the following core concepts in its course outline.

  1. Perform behavioral analytics on syscall process and file activities at the host and container level to detect malicious activities
  2. Detect threats within a physical infrastructure, apps, networks, data, users, and workloads
  3. Detect all phases of attack regardless of where it occurs and how it spreads
  4. Perform deep analytical investigation and identification of bad actors within the environment
  5. Ensure immutability of containers at runtime
  6. Use audit logging to monitor access

This section takes up 20% of the point total, so it is reasonable to expect 3–5 questions revolving around monitoring, logging, and runtime security. Each question will also need to be completed in about 5–6 minutes on average during the exam. Below is an overview of the various concepts that the CKS will highlight in the monitoring, logging, and runtime security section.

Core Concepts and Topics

Perform behavioral analytics on syscall process and file activities at the host and container level to detect malicious activities

To perform behavioral analysis of syscall and file activities, you will need to implement a tool to detect threats. Falco is a CNCF incubating project listed in the course documentation as a resource available during the exam. I assume that you will have to use Falco to detect some malicious activity and output it to a file, similar to questions from the CKA.
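As an added example (not from the original post and not part of Falco's own rule set), here is a minimal custom Falco rule that flags an interactive shell started inside a container, shown together with the falco.yaml keys that write every alert to a file. The two files appear in one block for readability; the rule name, the list and macro names, and the output path are assumptions, while the field names (proc.name, container.id, user.name) and the file_output keys are Falco's own.

```yaml
# --- /etc/falco/falco_rules.local.yaml (added example; path assumed) ---
# A list keeps the rule readable and easy to extend with more shells.
- list: shell_binaries
  items: [bash, sh, dash, zsh, ash]

# Macro defined locally so the rule does not depend on the default ruleset
# being loaded; container.id is "host" for processes outside any container.
- macro: exec_in_container
  condition: evt.type=execve and evt.dir=< and container.id != host

- rule: Shell Spawned in Container
  desc: >
    An interactive shell was started inside a running container. An immutable
    workload should never do this, so treat it as a sign of tampering.
  condition: exec_in_container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container (user=%user.name command=%proc.cmdline
    container_id=%container.id container_name=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]

# --- /etc/falco/falco.yaml (excerpt; only the keys relevant to file output) ---
# Each alert is appended as one line; switch json_output to true when a
# downstream collector expects structured events.
json_output: false
stdout_output:
  enabled: true
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco_events.txt
```

To check the rule on a cluster like the one from the repository, load it with `falco -r /etc/falco/falco_rules.local.yaml` (or alongside the default rules), run `kubectl exec` with a shell into a throwaway pod, and confirm a WARNING line lands in /var/log/falco_events.txt. In exam questions that ask for the alert in a specific file, the filename key is the one to edit.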

Detect threats within a physical infrastructure, apps, networks, data, users, and workloads

This concept generalizes many of the topics we have covered in previous blogs. Assuming that each question takes an average of 5–6 minutes, it is doubtful the exam will have complicated problems that cannot be solved relatively quickly. One possibility might require you to fully assess a deployment in the cluster and write any vulnerabilities that are found to a file. The exam seeks to determine your knowledge of Kubernetes security threats and how to mitigate them. This concept seems too broad to narrow down to any specific topic.

Detect all phases of attack regardless of where it occurs and how it spreads

This is another somewhat broad concept; however, it does highlight various methods of exploitation. Mounted volumes, downloaded packages, or malicious containers running on the host represent a significant attack surface that you need to be aware of. There is an excellent blog series focused on the MITRE ATT&CK Framework, which is a great resource for reviewing the relevant threats at each attack phase.

Perform deep analytical investigation and identification of bad actors within the environment

This is another vague concept that encompasses a variety of techniques and topics covered in previous blogs. Anticipate questions that give you actionable information that you will have to correct. These questions may call for you to change config files, remove misconfigurations, or protect secrets. Audit logging will also help to identify bad actors and changes in Kubernetes environments.

Ensure immutability of containers at runtime

The principle of container immutability means that the containers you have deployed are never changed once they are running — only their images are updated. You want to ensure that the cluster’s containers do not execute malicious code added through a download or mounted volume. Students should also be aware of the sidecar pattern and how a volume can be mounted to both containers simultaneously.
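The Pod below is an added example, not from the original post, of what "immutable at runtime" looks like in a manifest: the application container runs with a read-only root filesystem and no privilege escalation, gets a scratch emptyDir only where it genuinely needs to write, and reads a second volume that a sidecar fills but that the application itself can never alter. The pod and container names, the sidecar image, and the mount paths are assumptions; the nginx-unprivileged image is used because it runs as a non-root user and writes only under /tmp, which this manifest supplies as a volume.

```yaml
# Added example (not from the original post): an immutable web Pod with a
# config-fetching sidecar. Names, the sidecar image, and paths are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: immutable-web
spec:
  securityContext:
    runAsNonRoot: true                  # reject any container image that would start as root
  containers:
    - name: web
      image: nginxinc/nginx-unprivileged:1.19-alpine   # pinned tag; update the image, never the container
      securityContext:
        readOnlyRootFilesystem: true    # blocks writes anywhere except the declared volumes
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # the only scratch space the server needs
        - name: shared-config
          mountPath: /etc/app-config
          readOnly: true                # app may read what the sidecar writes, not change it
    - name: config-fetcher              # sidecar pattern: both containers mount shared-config
      image: registry.example.com/config-fetcher:1.0   # placeholder image
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: shared-config
          mountPath: /out               # the only writable path in the sidecar
  volumes:
    - name: tmp
      emptyDir: {}
    - name: shared-config
      emptyDir: {}                      # lives only as long as the Pod, like the containers themselves
```

A quick check after applying it: `kubectl exec immutable-web -c web -- touch /usr/share/nginx/html/x` should fail with "Read-only file system", while writing under /tmp succeeds. The point of the shared volume's readOnly flag is that a compromised application container cannot use the sidecar's volume as a path to persist changes; if a question instead asks you to harden an existing Pod, these are the securityContext fields and mounts to look for.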

Use audit logging to monitor access

Audit logging will make up a significant portion of this section’s points. The audit policy feature in Kubernetes is another admission controller that allows users to specify which events should be recorded and what data is included. You will most likely need to set up an audit policy during the exam. This question may also tie into identifying bad actors, as an audit policy is a helpful way to discover users who are making malicious or unqualified requests in the cluster. Lastly, the log backend can be used to write the audit logs to a specific file location.
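The following is an added example, not from the original post, of an audit policy together with the kube-apiserver flags that enable the log backend and point it at a file. The file paths and the retention values are assumptions, and the kube-apiserver excerpt follows the kubeadm static-pod layout (on an RKE cluster like the one from the repository, the same flags are passed through cluster.yml instead). The policy deliberately logs secrets at the Metadata level only, since a RequestResponse level would copy secret values into the audit log itself.

```yaml
# --- /etc/kubernetes/audit-policy.yaml (added example; path assumed) ---
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request is logged once, after it completes.
omitStages:
  - RequestReceived
rules:
  # Secrets and ConfigMaps: record who touched them, but never the request or
  # response bodies, or the secret values end up in the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]

  # Full request and response for changes to workloads and RBAC, which is the
  # data needed to reconstruct what a bad actor changed.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods", "serviceaccounts"]
      - group: "apps"
        resources: ["deployments", "daemonsets"]
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]

  # Drop the noisy, low-value watch traffic from kube-proxy.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]

  # Catch-all: at least record metadata for everything else.
  - level: Metadata

# --- /etc/kubernetes/manifests/kube-apiserver.yaml (excerpt; kubeadm layout assumed) ---
# The hostPath mounts matter: the API server runs as a static pod and cannot
# read the policy or write the log on the node without them.
spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
        - --audit-log-path=/var/log/kubernetes/audit/audit.log
        - --audit-log-maxage=30
        - --audit-log-maxbackup=10
        - --audit-log-maxsize=100
      volumeMounts:
        - name: audit-policy
          mountPath: /etc/kubernetes/audit-policy.yaml
          readOnly: true
        - name: audit-log
          mountPath: /var/log/kubernetes/audit
  volumes:
    - name: audit-policy
      hostPath:
        path: /etc/kubernetes/audit-policy.yaml
        type: File
    - name: audit-log
      hostPath:
        path: /var/log/kubernetes/audit
        type: DirectoryOrCreate
```

Rules are evaluated in order and the first match wins, so put the specific exclusions and the secrets rule before the catch-all. After the API server restarts, confirm that `kubectl get secrets` produces a line in the log whose `level` is `Metadata` and that contains no secret data; that one check catches the most common audit-policy mistake.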

Learn More

The StackRox CKS study guide contains a list of additional resources and the ability to create a Kubernetes 1.19 cluster. In the GitHub repository, six folders contain mock exam questions and answers. Make sure to star and watch the repository for new updates as you begin your quest to become a Certified Kubernetes Security Specialist.