[Latest CKS Mock Questions] Runtime Security with Falco
Series index
[Latest CKS Mock Questions] Get the context names of multiple clusters and save them to a specified file
Reference
Falco documentation page that may be opened during the CKS exam:
https://falco.org/docs/reference/rules/supported-fields/
I. TASK
Question (English original)
Solve this question on: ssh cks7262
Falco is installed on worker node cks7262-node1. Connect using ssh cks7262-node1 from cks7262. There is file /etc/falco/rules.d/falco_custom.yaml with rules that help you to:
Find a Pod running image httpd which modifies /etc/passwd.
Scale the Deployment that controls that Pod down to 0.
Find a Pod running image nginx which triggers rule Package management process launched.
Change the rule log text after Package management process launched to only include:
time-with-nanoseconds,container-id,container-name,user-name
Collect the logs for at least 20 seconds and save them under /opt/course/2/falco.log on cks7262.
Scale the Deployment that controls that Pod down to 0.
Translated task summary
Solve this question on: ssh cks7262
Falco is installed on worker node cks7262-node1. Connect to it with ssh cks7262-node1 from cks7262. The file /etc/falco/rules.d/falco_custom.yaml contains rules that help you to:
1. Find a Pod running image httpd that modifies /etc/passwd.
Scale the Deployment that controls that Pod down to 0.
2. Find a Pod running image nginx that triggers the rule Package management process launched.
Change the rule's log text after Package management process launched to include only:
time-with-nanoseconds,container-id,container-name,user-name
Collect the logs for at least 20 seconds and save them to /opt/course/2/falco.log on cks7262.
Scale the Deployment that controls that Pod down to 0.
II. Solution
1. Problem one
Steps (example):
# Connect to the cluster named in the question
candidate@terminal:~$ ssh cks7262
# Switch to root so that later file writes are not blocked by permissions
candidate@cks7262:~$ sudo -i
# Connect to the worker node node1
root@cks7262:~# ssh cks7262-node1
# Check the falco_custom.yaml file mentioned in the question
root@cks7262-node1:~# ll /etc/falco/rules.d/
# Return to cks7262 to run kubectl
root@cks7262-node1:~# exit
# Find the Pod running image httpd on cks7262-node1 (pods carry the node name and image; deployments do not), then scale its Deployment to 0
root@cks7262:~# kubectl get pods -A -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,NODE:.spec.nodeName,IMAGES:.spec.containers[*].image' | grep cks7262-node1 | grep httpd
root@cks7262:~# kubectl scale deployment -n team-purple --replicas=0 rating-service
2. Problem two
Steps (example):
# Connect to the cluster named in the question
candidate@terminal:~$ ssh cks7262
# Switch to root so that later file writes are not blocked by permissions
candidate@cks7262:~$ sudo -i
# Connect to the worker node node1
root@cks7262:~# ssh cks7262-node1
# Go to the directory holding the falco_custom.yaml file mentioned in the question
root@cks7262-node1:~# cd /etc/falco/rules.d/
# Back up, then edit, the falco_custom.yaml file
root@cks7262-node1:rules.d# cp -p falco_custom.yaml falco_custom.yaml_bak
root@cks7262-node1:rules.d# vim falco_custom.yaml
- rule: Launch Package Management Process in Container
  desc: Package management process ran inside container
  condition: >
    spawned_process
    and container
    and user.name != "_apt"
    and package_mgmt_procs
    and not package_mgmt_ancestor_procs
  # changed: only the output line is edited; %evt.time is the event time with nanoseconds
  output: >
    Package management process launched %evt.time,%container.id,%container.name,%user.name
  priority: ERROR
  tags: [process, mitre_persistence]
# Collect 20 seconds of logs, then copy them into /opt/course/2/falco.log on cks7262
root@cks7262-node1:rules.d# falco -M 20
root@cks7262-node1:rules.d# exit
root@cks7262:~# vim /opt/course/2/falco.log   # paste the collected log lines
# Use the container id from the log to find the corresponding Pod and its namespace
root@cks7262:~# crictl ps -id 819f9   # if it is not found here, look on node1
root@cks7262-node1:rules.d# crictl ps -id 819f9
root@cks7262-node1:rules.d# crictl pods -id 23e88   # get the Pod name and namespace for the container id in the log
# Remove the Pod found by scaling its Deployment down to 0
root@cks7262:~# kubectl scale deployment --replicas=0 -n team-blue webapi
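Added example, not part of the original post: a small Python parser for the log collected above, which keeps only lines produced by the customised rule output and counts hits per container id, so you know which id to pass to crictl ps. The log lines, container ids and names are constructed for this example and do not come from the exam environment.

```python
import re
from collections import Counter

# Constructed sample of Falco stdout after the rule's output line was changed to
# "%evt.time,%container.id,%container.name,%user.name". Falco prints each event
# as "<evt.time>: <Priority> <output>". All ids and names below are made up.
SAMPLE_LOG = """\
10:15:02.112345678: Error Package management process launched 10:15:02.112345678,819f9a2b3c4d,webapi,root
10:15:03.500000000: Notice Some other rule fired (constructed, unrelated line)
10:15:05.000000001: Error Package management process launched 10:15:05.000000001,819f9a2b3c4d,webapi,root
10:15:06.123000000: Error Package management process launched 10:15:06.123000000,1a2b3c4d5e6f,sidecar,nobody
"""

# One line of the customised rule: four comma-separated fields after the fixed text.
PKG_MGMT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{9}): (?P<priority>\w+) "
    r"Package management process launched "
    r"(?P<evt_time>[^,]+),(?P<container_id>[^,]+),(?P<container_name>[^,]+),(?P<user>\S+)$"
)


def package_mgmt_events(log_text):
    """Return one dict per line matching the customised rule output;
    lines from other rules or with a different field layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PKG_MGMT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def containers_to_check(events):
    """Count hits per container id, so the noisiest container is looked up
    first with crictl ps -id <container_id>, then crictl pods -id <pod_id>."""
    return Counter(e["container_id"] for e in events)


if __name__ == "__main__":
    evs = package_mgmt_events(SAMPLE_LOG)
    for cid, hits in containers_to_check(evs).most_common():
        print(f"{cid}: {hits} hit(s) -> crictl ps -id {cid}")
```

Run it against the real /opt/course/2/falco.log by reading the file into package_mgmt_events instead of SAMPLE_LOG.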
Original article: https://blog.csdn.net/weixin_50902636/article/details/144315537