Merged
9 changes: 9 additions & 0 deletions README.md
@@ -108,6 +108,11 @@ The goal is to help candidates:
* [Describe and demonstrate how to configure RBAC with UCP.](data/5_Security/ucp_rbac_config.yaml)
* [Describe and demonstrate how to integrate UCP with LDAP/AD.](data/5_Security/ucp_ldap_ad_integration.yaml)
* [Describe and demonstrate how to create UCP client bundles.](data/5_Security/ucp_client_bundle.yaml)
* [Describe Docker Bench for Security.](data/5_Security/docker_bench_security.yaml)
* [Describe seccomp profiles.](data/5_Security/seccomp_profiles.yaml)
* [Describe AppArmor and SELinux with Docker.](data/5_Security/apparmor_selinux.yaml)
* [Describe Docker secrets management.](data/5_Security/docker_secrets.yaml)
* [Describe read-only containers.](data/5_Security/readonly_containers.yaml)

### Domain 6: Storage and Volumes (10% of exam)

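Review bot: the five new Domain 5 entries are worded as topics ("Describe seccomp profiles.", "Describe read-only containers.") while the surrounding entries follow the exam-objective phrasing ("Describe and demonstrate how to configure RBAC with UCP."); if these are study aids rather than published objectives, either match the objective phrasing or mark them as supplementary so candidates do not mistake them for exam items. The linked files (`apparmor_selinux.yaml`, `docker_bench_security.yaml`, `docker_secrets.yaml`, `readonly_containers.yaml`, `seccomp_profiles.yaml`) are all added in this change set, so the links resolve.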
@@ -120,6 +125,10 @@ The goal is to help candidates:
* [Describe and demonstrate how storage can be used across cluster nodes.](data/6_storage_and_volumes/volume_cluster.yaml)
* [Describe how to provision persistent storage to a Kubernetes pod using persistentVolumes.](data/6_storage_and_volumes/peristent_volumes.yaml)
* [Describe the relationship between container storage interface drivers, storageClass, persistentVolumeClaim and volume objects in Kubernetes.](data/6_storage_and_volumes/relationship_storage_volume.yaml)
* [Describe tmpfs mounts.](data/6_storage_and_volumes/tmpfs_mounts.yaml)
* [Compare storage drivers.](data/6_storage_and_volumes/storage_driver_comparison.yaml)
* [Describe docker system df and prune commands.](data/6_storage_and_volumes/system_cleanup.yaml)
* [Describe volume plugins and NFS.](data/6_storage_and_volumes/volume_plugins_nfs.yaml)

## Contributions

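Review bot: the four new Domain 6 links (`tmpfs_mounts.yaml`, `storage_driver_comparison.yaml`, `system_cleanup.yaml`, `volume_plugins_nfs.yaml`) point at files that do not appear anywhere in this change set, unlike the Domain 5 links; confirm they are added in a commit not shown here, otherwise the README will link to missing files. While touching this block, the pre-existing context line `peristent_volumes.yaml` reads like a typo for `persistent_volumes.yaml`; correct it only together with the file itself, since the link must match the on-disk name.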
54 changes: 54 additions & 0 deletions data/5_Security/apparmor_selinux.yaml
@@ -0,0 +1,54 @@
questions:
- uuid: b4d2e8a1-c5f3-4976-9d07-6b1a3e7f2c89
question: What type of access control do AppArmor and SELinux provide for Docker containers?
answers:
- { value: 'Discretionary Access Control (DAC)', correct: false }
- { value: 'Role-Based Access Control (RBAC)', correct: false }
- { value: 'Mandatory Access Control (MAC)', correct: true }
- { value: 'Attribute-Based Access Control (ABAC)', correct: false }
help: https://docs.docker.com/engine/security/apparmor/

- uuid: e7f1c3b5-a2d4-4868-b9e0-8d6a1f5c4b27
question: What is the name of the default AppArmor profile that Docker applies to containers?
answers:
- { value: 'docker-apparmor', correct: false }
- { value: 'container-default', correct: false }
- { value: 'docker-default', correct: true }
- { value: 'apparmor-docker-profile', correct: false }
help: https://docs.docker.com/engine/security/apparmor/

- uuid: 9a5b1d8e-f4c2-4637-a0b3-7e6d3c1f9a45
question: Which flag is used to specify a custom AppArmor profile when running a Docker container?
answers:
- { value: '--apparmor-profile=<profile>', correct: false }
- { value: '--security-opt apparmor=<profile>', correct: true }
- { value: '--cap-add apparmor=<profile>', correct: false }
- { value: '--mac-profile=<profile>', correct: false }
help: https://docs.docker.com/engine/security/apparmor/

- uuid: 2c8f4a6d-b1e3-4d59-87b0-5e9a3d7c1f62
question: How do you apply SELinux label options to a Docker container at runtime?
answers:
- { value: '--selinux=<label>', correct: false }
- { value: '--security-opt label=<option>', correct: true }
- { value: '--mac-opt selinux=<label>', correct: false }
- { value: '--label-security=<option>', correct: false }
help: https://docs.docker.com/engine/security/

- uuid: 6e3d1b7a-c8f2-4a15-9d04-0b5f8e2c4a93
question: What is the key difference between Mandatory Access Control (MAC) and Discretionary Access Control (DAC)?
answers:
- { value: 'DAC policies are enforced by the kernel and cannot be overridden by users', correct: false }
- { value: 'MAC policies are enforced by the system regardless of user permissions, while DAC allows resource owners to set permissions', correct: true }
- { value: 'MAC is only available on Windows systems, while DAC is Linux-specific', correct: false }
- { value: 'There is no difference; they are interchangeable terms', correct: false }
help: https://docs.docker.com/engine/security/apparmor/

- uuid: f1a9c5d3-e2b4-4786-b0e8-4d7a6f3c8b12
question: What happens when you run a Docker container with --security-opt apparmor=unconfined?
answers:
- { value: 'The container uses the docker-default AppArmor profile', correct: false }
- { value: 'The container runs without any AppArmor profile applied', correct: true }
- { value: 'The container is blocked from starting', correct: false }
- { value: 'AppArmor applies the most restrictive profile available', correct: false }
help: https://docs.docker.com/engine/security/apparmor/
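Review bot: the SELinux question (`--security-opt label=<option>`) and the MAC-vs-DAC question use the generic engine security page and the AppArmor page as `help`, so a candidate who misses either is sent to a page that does not cover SELinux labels; point those two `help` values at the `docker run` reference (the `https://docs.docker.com/engine/reference/run/` page is already used as `help` elsewhere in this PR), where `--security-opt` and its `label=` options are documented. The correct answers themselves (`docker-default`, `--security-opt apparmor=<profile>`, and `apparmor=unconfined` meaning no profile is applied) are consistent with the linked AppArmor doc.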
72 changes: 72 additions & 0 deletions data/5_Security/docker_bench_security.yaml
@@ -0,0 +1,72 @@
questions:
- uuid: 7a3e1f4b-92d8-4c6a-b5e7-1d8f3a2c9b04
question: What is Docker Bench for Security?
answers:
- { value: 'A Docker image scanning tool for CVEs', correct: false }
- { value: 'A script that checks for best practices around deploying Docker containers in production based on the CIS Docker Benchmark', correct: true }
- { value: 'A firewall configuration utility for Docker networks', correct: false }
- { value: 'A performance benchmarking tool for Docker containers', correct: false }
help: https://docs.docker.com/engine/security/

- uuid: 3b2d8e6f-a1c4-4f9b-87e5-6c0d4a3f1e28
question: How is the docker-bench-security tool typically executed?
answers:
- { value: 'By installing it as a Docker plugin', correct: false }
- { value: 'By running it as a Docker container with access to the Docker socket and system directories', correct: true }
- { value: 'By compiling it from source on the host', correct: false }
- { value: 'By enabling it in the Docker daemon configuration file', correct: false }
help: https://docs.docker.com/engine/security/

- uuid: d4f6a8c2-5b1e-4d93-a0f7-9e3c2b8d1a56
question: Which of the following is NOT one of the audit categories checked by Docker Bench for Security?
answers:
- { value: 'Host Configuration', correct: false }
- { value: 'Docker Daemon Configuration', correct: false }
- { value: 'Container Runtime', correct: false }
- { value: 'Application Source Code Quality', correct: true }
help: https://docs.docker.com/engine/security/

- uuid: 1e9b7c3a-8d4f-42a6-b5c1-0f6e2d8a4b79
question: What standard does Docker Bench for Security use as its baseline for security checks?
answers:
- { value: 'NIST SP 800-53', correct: false }
- { value: 'CIS Docker Benchmark', correct: true }
- { value: 'OWASP Top 10', correct: false }
- { value: 'PCI DSS v3.2', correct: false }
help: https://docs.docker.com/engine/security/

- uuid: 8c5f2d1a-b3e7-4a69-9d06-7f4e1c8b3a25
question: What does a WARN result in Docker Bench for Security output indicate?
answers:
- { value: 'The check was skipped because it does not apply', correct: false }
- { value: 'The check passed with minor observations', correct: false }
- { value: 'The configuration does not meet the CIS benchmark recommendation and should be remediated', correct: true }
- { value: 'The Docker daemon needs to be restarted', correct: false }
help: https://docs.docker.com/engine/security/

- uuid: 5a4e9b7d-c2f1-4683-b8d0-3e6f1a8c2d47
question: Which Docker Bench for Security section audits settings such as restricting network traffic between containers and configuring TLS authentication?
answers:
- { value: 'Container Images and Build File', correct: false }
- { value: 'Host Configuration', correct: false }
- { value: 'Docker Daemon Configuration', correct: true }
- { value: 'Docker Swarm Configuration', correct: false }
help: https://docs.docker.com/engine/security/

- uuid: f2c8b1d6-4a3e-4975-8e09-5d7a6c1f0b93
question: What type of checks does Docker Bench for Security classify as "manual" rather than "automated"?
answers:
- { value: 'Checks that require human judgment or organizational policy review', correct: true }
- { value: 'Checks that must be run on Windows hosts only', correct: false }
- { value: 'Checks that require the Docker daemon to be stopped', correct: false }
- { value: 'Checks that are only available in Docker Enterprise', correct: false }
help: https://docs.docker.com/engine/security/

- uuid: 6d1a3f8e-b5c2-4d07-9a4b-2e7c0f9d5b16
question: Which of the following is a host configuration recommendation checked by Docker Bench for Security?
answers:
- { value: 'Ensure that the Docker socket is exposed on TCP port 2375', correct: false }
- { value: 'Ensure containers run with the --privileged flag', correct: false }
- { value: 'Ensure auditing is configured for Docker files and directories', correct: true }
- { value: 'Ensure all containers use the host network mode', correct: false }
help: https://docs.docker.com/engine/security/
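Review bot: all eight `help` values are the generic `https://docs.docker.com/engine/security/` overview, which does not describe Docker Bench for Security, its WARN/PASS output or its manual-versus-automated checks; since the questions name the tool (`docker-bench-security`) and the CIS Docker Benchmark, link `help` to the tool's own README or to the benchmark so the section, WARN and "manual" questions can be verified. The Q2 answer (run as a container with the Docker socket and host directories mounted) would benefit from a short clause noting that this gives the audit container host-level read access, which is the reason it is only run on hosts you administer.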
72 changes: 72 additions & 0 deletions data/5_Security/docker_secrets.yaml
@@ -0,0 +1,72 @@
questions:
- uuid: 4b7e2d1a-c8f3-4a56-9e0b-5d6a1f3c8e27
question: In which Docker mode are Docker secrets available?
answers:
- { value: 'Standalone mode only', correct: false }
- { value: 'Docker Compose standalone only', correct: false }
- { value: 'Docker Swarm mode', correct: true }
- { value: 'Any Docker mode without restrictions', correct: false }
help: https://docs.docker.com/engine/swarm/secrets/

- uuid: 8d3a6f1e-b5c2-4e79-a4d0-2c9b7e5f1a38
question: Where are Docker secrets mounted inside a container by default?
answers:
- { value: '/etc/secrets/', correct: false }
- { value: '/var/lib/docker/secrets/', correct: false }
- { value: '/run/secrets/', correct: true }
- { value: '/opt/docker/secrets/', correct: false }
help: https://docs.docker.com/engine/swarm/secrets/

- uuid: e1c5b9a3-d4f2-4867-80b1-6e3a7d2f5c94
question: What is the maximum size of a Docker secret?
answers:
- { value: '256 KB', correct: false }
- { value: '500 KB', correct: true }
- { value: '1 MB', correct: false }
- { value: '5 MB', correct: false }
help: https://docs.docker.com/engine/swarm/secrets/

- uuid: 3f9d7b2e-a1c4-4538-b6e0-8d5a2c7f1e43
question: Which command is used to create a Docker secret from a file?
answers:
- { value: 'docker secret add my_secret ./secret.txt', correct: false }
- { value: 'docker secret create my_secret ./secret.txt', correct: true }
- { value: 'docker secret new my_secret --file ./secret.txt', correct: false }
- { value: 'docker swarm secret create my_secret ./secret.txt', correct: false }
help: https://docs.docker.com/engine/swarm/secrets/

- uuid: 7a2e4c8b-d6f1-4359-b0a7-1e5d3f9c2b76
question: Why are Docker secrets considered more secure than environment variables for sensitive data?
answers:
- { value: 'Environment variables are encrypted while secrets are not', correct: false }
- { value: 'Secrets are stored encrypted in the Raft log and only mounted in-memory to authorized services, while environment variables can be exposed via inspect commands and logs', correct: true }
- { value: 'Secrets can only be accessed by manager nodes', correct: false }
- { value: 'There is no security difference between them', correct: false }
help: https://docs.docker.com/engine/swarm/secrets/

- uuid: c5b1d8f3-e2a4-4796-9d07-4a6e3b7c1f58
question: How do you grant a running Swarm service access to a new secret?
answers:
- { value: 'docker secret attach <secret> <service>', correct: false }
- { value: 'docker service update --secret-add <secret> <service>', correct: true }
- { value: 'docker service secret add <secret> <service>', correct: false }
- { value: 'docker secret grant <secret> --service <service>', correct: false }
help: https://docs.docker.com/engine/swarm/secrets/

- uuid: 9e4a2f6d-b3c1-4857-a0e8-7d5b1c8f3a29
question: What happens to a Docker secret when you run docker secret inspect on it?
answers:
- { value: 'It displays the full secret value in plaintext', correct: false }
- { value: 'It shows metadata about the secret such as ID, name, and creation date, but not the secret data itself', correct: true }
- { value: 'It decrypts and prints the secret in base64', correct: false }
- { value: 'It removes the secret from the Swarm cluster', correct: false }
help: https://docs.docker.com/engine/swarm/secrets/

- uuid: 2d8f5b1c-a3e7-4694-b0d2-6e9a4c7f3b15
question: How is secret rotation typically handled in Docker Swarm?
answers:
- { value: 'Secrets are automatically rotated every 24 hours', correct: false }
- { value: 'You create a new version of the secret, update the service to remove the old secret and add the new one', correct: true }
- { value: 'You edit the secret in-place using docker secret update', correct: false }
- { value: 'Secrets cannot be rotated once created', correct: false }
help: https://docs.docker.com/engine/swarm/secrets/#example-rotate-a-secret
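Review bot: Q2's correct answer `/run/secrets/` is the Linux mount point; add "on Linux" to the question stem so the answer is unambiguous for Windows containers, which use a different path. Q8's correct answer describes rotation in prose only; naming the flags it relies on (`docker service update --secret-rm <old> --secret-add <new>`) would tie it to Q6, which already introduces `--secret-add`, and to the linked rotation example. The 500 KB limit in Q3 and the metadata-only `docker secret inspect` behaviour in Q7 match the linked swarm secrets documentation.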
54 changes: 54 additions & 0 deletions data/5_Security/readonly_containers.yaml
@@ -0,0 +1,54 @@
questions:
- uuid: d6b3e1f8-c4a2-4957-8d0b-7e5a3c9f1b24
question: What does the --read-only flag do when used with docker run?
answers:
- { value: 'Prevents the container from reading environment variables', correct: false }
- { value: 'Blocks all network read operations', correct: false }
- { value: "Mounts the container's root filesystem as read-only", correct: true }
- { value: 'Makes all mounted volumes read-only', correct: false }
help: https://docs.docker.com/engine/reference/run/#read-only

- uuid: a2f8d4b1-e6c3-4a75-9b07-1d5e8c3f7a92
question: How can you allow a read-only container to write to a specific directory?
answers:
- { value: 'Use --writable-dir to specify the directory', correct: false }
- { value: 'Use --tmpfs to mount a writable tmpfs filesystem at that path', correct: true }
- { value: 'Read-only containers cannot write to any directory', correct: false }
- { value: 'Use --read-only=partial to allow selective writes', correct: false }
help: https://docs.docker.com/engine/reference/run/#read-only

- uuid: 5c9e1a7d-b2f4-4386-80d3-6a8b3e1f5c47
question: Which command runs a container with a read-only root filesystem and a writable /tmp directory?
answers:
- { value: 'docker run --read-only --writable /tmp myimage', correct: false }
- { value: 'docker run --read-only --tmpfs /tmp myimage', correct: true }
- { value: 'docker run --immutable --allow-write /tmp myimage', correct: false }
- { value: 'docker run --filesystem ro --exception /tmp myimage', correct: false }
help: https://docs.docker.com/engine/reference/run/#read-only

- uuid: 8b4f2d6a-c1e3-4a58-97b0-3e7d5a9c1f82
question: What is a key security benefit of running containers with a read-only root filesystem?
answers:
- { value: 'It encrypts the container filesystem', correct: false }
- { value: 'It prevents attackers from modifying the container filesystem, such as installing malware or altering binaries', correct: true }
- { value: 'It automatically enables AppArmor for the container', correct: false }
- { value: 'It disables all Linux capabilities inside the container', correct: false }
help: https://docs.docker.com/engine/reference/run/#read-only

- uuid: 1e7c3a5d-f8b2-4d96-a0b4-9d6e2f4c8b31
question: What happens when a process inside a read-only container attempts to write to the root filesystem?
answers:
- { value: 'The write is silently discarded', correct: false }
- { value: 'The container is automatically stopped', correct: false }
- { value: 'The process receives a read-only filesystem error', correct: true }
- { value: 'The write is redirected to a temporary overlay', correct: false }
help: https://docs.docker.com/engine/reference/run/#read-only

- uuid: 4a9d6f2b-e3c1-4875-b8d0-5c7e1a3f9b64
question: Which combination of flags provides a read-only container with writable directories for /tmp and /var/run?
answers:
- { value: 'docker run --read-only --tmpfs /tmp --tmpfs /var/run myimage', correct: true }
- { value: 'docker run --read-only --volume /tmp --volume /var/run myimage', correct: false }
- { value: 'docker run --read-only --writable /tmp,/var/run myimage', correct: false }
- { value: 'docker run --immutable --except /tmp,/var/run myimage', correct: false }
help: https://docs.docker.com/engine/reference/run/#read-only
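Review bot: Q6's distractor `docker run --read-only --volume /tmp --volume /var/run myimage` is a working command: `--volume` with only a container path creates an anonymous volume, and volumes stay writable under `--read-only`, so the option marked `correct: false` also yields writable /tmp and /var/run. Either rephrase the question to ask specifically for in-memory (tmpfs) writable paths, or replace that distractor with an option that genuinely fails. Q2 has the same ambiguity in milder form: `--tmpfs` is the intended answer, but bind mounts and volumes also remain writable, as Q1's own wrong option "Makes all mounted volumes read-only" acknowledges; "Which flag provides an in-memory writable path" would remove the overlap.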
54 changes: 54 additions & 0 deletions data/5_Security/seccomp_profiles.yaml
@@ -0,0 +1,54 @@
questions:
- uuid: a9d3e7b1-4c6f-4285-b0e8-2f5a1d8c3e97
question: What does seccomp stand for in the context of Docker security?
answers:
- { value: 'Secure Composition', correct: false }
- { value: 'Security Compliance', correct: false }
- { value: 'Secure Computing Mode', correct: true }
- { value: 'Secure Container Management Protocol', correct: false }
help: https://docs.docker.com/engine/security/seccomp/

- uuid: 2f8c4b6e-d1a3-4e57-9b0d-7a5e3c1f8d29
question: What does Docker's default seccomp profile do to containers?
answers:
- { value: 'It blocks all network access by default', correct: false }
- { value: 'It restricts the set of system calls available to the container process', correct: true }
- { value: 'It encrypts all filesystem operations', correct: false }
- { value: 'It prevents containers from using environment variables', correct: false }
help: https://docs.docker.com/engine/security/seccomp/

- uuid: 74e1a5c8-b3d2-4f96-80a7-9d6f2e4b1c53
question: Which flag is used to apply a custom seccomp profile when running a Docker container?
answers:
- { value: '--cap-add seccomp', correct: false }
- { value: '--seccomp-profile', correct: false }
- { value: '--security-opt seccomp=<profile.json>', correct: true }
- { value: '--profile seccomp=<profile.json>', correct: false }
help: https://docs.docker.com/engine/security/seccomp/

- uuid: c3b7d9e2-1f5a-4c68-b4d0-8e6a2f3c7b15
question: How do you disable the default seccomp profile for a Docker container?
answers:
- { value: '--security-opt seccomp=disabled', correct: false }
- { value: '--security-opt seccomp=unconfined', correct: true }
- { value: '--security-opt no-seccomp', correct: false }
- { value: '--disable-seccomp', correct: false }
help: https://docs.docker.com/engine/security/seccomp/

- uuid: 5e2a8d4f-c6b1-4397-a0e3-1b9f7d5c3a68
question: Which of the following system calls is blocked by Docker's default seccomp profile?
answers:
- { value: 'read', correct: false }
- { value: 'write', correct: false }
- { value: 'clone (with CLONE_NEWUSER flag)', correct: true }
- { value: 'open', correct: false }
help: https://docs.docker.com/engine/security/seccomp/

- uuid: 18f6c4a9-d2e3-4b75-8c1a-0d7b5e9f2a46
question: What format is used to define a custom seccomp profile for Docker?
answers:
- { value: 'YAML', correct: false }
- { value: 'XML', correct: false }
- { value: 'JSON', correct: true }
- { value: 'TOML', correct: false }
help: https://docs.docker.com/engine/security/seccomp/
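Review bot: Q5's correct answer `clone (with CLONE_NEWUSER flag)` depends on the default profile filtering on the syscall's arguments rather than denying `clone` outright, since `clone` without namespace flags is exactly what every forked process in the container uses; keep the parenthetical in the answer and reflect it in the question stem ("blocked when called with which flags") so candidates are not led to believe `clone` itself is blocked. The remaining answers (`--security-opt seccomp=<profile.json>`, `seccomp=unconfined` to disable the default profile, JSON profile format) match the linked seccomp documentation.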