Agent Configuration for Monitor

The Sysdig configuration library lists all the major configurations required to enable Sysdig Secure features.

Configure Malware Control (Controlled Availability)

To enable this feature, reach out to Sysdig Support. Once enabled, no further configuration is required. To optionally extend malware control to host detections as well, use the configuration given below:

Sysdig Agent v12.17.0+

Requires Linux kernel v5.0+

malware_control

Disable or enable the malware feature.

Configuration
malware_control:
  enabled: true
Helm Command
--set sysdig.settings.malware_control.enabled=true
enable_for_host

Disable or enable malware control for host detection.

Configuration
protections:
  malware_control:
    enabled_for_host: true
Helm Command
--set agent.sysdig.settings.protections.malware_control.enable_for_host=true

Configure Drift Control

Sysdig Agent v12.15.0+

Drift is enabled by default on agent versions v12.15.0 and later.

Optional Values

Enable detections from mounted/persistent volumes

Configuration
drift_deny_execution_from_volumes: true
Helm Command
--set agent.sysdig.settings.drift_deny_execution_from_volumes=true

Sysdig Agent v12.14.0

Deprecated configuration for newer agent versions.

Configuration
drift_killer:
  enabled: true
Helm Command
--set agent.sysdig.settings.drift_killer.enabled=true
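Each option above is given twice, once as a dragent.yaml fragment and once as the equivalent Helm `--set` flag. The mapping is mechanical: every leaf key of the nested settings becomes one dotted path under the chart's settings prefix. The following script is an added example, not Sysdig's own code; it generalises that mapping in both directions for the malware control and drift control options on this page. It assumes the `agent.sysdig.settings` Helm prefix (the page shows `sysdig.settings` in one place and `agent.sysdig.settings` elsewhere; use whichever your chart expects), and the settings dict is constructed from the fragments above with the key spellings copied as they appear.

```python
"""Render the agent's dragent.yaml settings as Helm --set flags and back.

Added example, not Sysdig's own code. Generalises the Configuration / Helm
Command pairs shown on the page: every leaf key in the nested settings becomes
one dotted --set path under a chart prefix, and vice versa.
"""
from typing import Any, Dict, Iterator, List, Tuple

# Assumed Helm values prefix; the page shows both "sysdig.settings" and
# "agent.sysdig.settings". It must match the chart you deploy with.
HELM_SETTINGS_PREFIX = "agent.sysdig.settings"

# Constructed settings mirroring the malware control and drift control
# fragments on this page (key spellings copied as they appear there).
AGENT_SETTINGS: Dict[str, Any] = {
    "malware_control": {"enabled": True},
    "protections": {"malware_control": {"enabled_for_host": True}},
    "drift_deny_execution_from_volumes": True,
}


def flatten(settings: Dict[str, Any], prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.path, value) for every leaf of a nested settings dict."""
    for key, value in settings.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def scalar(value: Any) -> str:
    """Format a leaf value in the form both Helm --set and YAML accept."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def helm_set_flags(settings: Dict[str, Any], prefix: str = HELM_SETTINGS_PREFIX) -> List[str]:
    """One '--set <prefix>.<path>=<value>' argument per leaf setting."""
    return [f"--set {prefix}.{path}={scalar(value)}" for path, value in flatten(settings)]


def dragent_yaml(settings: Dict[str, Any], indent: int = 0) -> List[str]:
    """Render the nested dict as the two-space-indented YAML dragent.yaml uses."""
    lines: List[str] = []
    pad = "  " * indent
    for key, value in settings.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(dragent_yaml(value, indent + 1))
        else:
            lines.append(f"{pad}{key}: {scalar(value)}")
    return lines


def settings_from_flags(flags: List[str], prefix: str = HELM_SETTINGS_PREFIX) -> Dict[str, Any]:
    """Inverse mapping: rebuild the nested dict from --set flags.

    Only true/false are converted to booleans; other values stay strings.
    """
    settings: Dict[str, Any] = {}
    for flag in flags:
        if not flag.startswith("--set "):
            raise ValueError(f"not a --set flag: {flag}")
        path, _, raw = flag[len("--set "):].partition("=")
        if not path.startswith(prefix + "."):
            raise ValueError(f"flag outside {prefix}: {flag}")
        keys = path[len(prefix) + 1:].split(".")
        node = settings
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = {"true": True, "false": False}.get(raw, raw)
    return settings


if __name__ == "__main__":
    # dragent.yaml form, then the flags to append to your helm install/upgrade command.
    print("\n".join(dragent_yaml(AGENT_SETTINGS)))
    print(" \\\n  ".join(helm_set_flags(AGENT_SETTINGS)))
```

Note that the page spells the host option `enabled_for_host` in the YAML fragment but `enable_for_host` in the Helm command and heading; the script reproduces whatever key it is given, so check the spelling against the schema of the agent version you run before relying on either form.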

Configure Falco Rule Matching Strategy

Prerequisites: Sysdig agent v12.18+

From Sysdig agent v12.18.0, the agent evaluates each event against all rules, so a single event can trigger multiple alerts. In earlier versions, the agent stopped evaluating rules after the first match.

To control this behavior, a new option has been added to dragent.yaml: security.falco_match_strategy

security:
  falco_match_strategy: all

To evaluate all rules for every event, set it to all. This is the default.

To stop evaluating after the first match, set it to first.
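The practical difference between the two strategies is easiest to see with a narrow rule that is loaded after a broad one: under first, the narrow rule can never fire for an event the broad rule already matched. The simulation below is an added example, not Sysdig or Falco code; its rules are constructed Python predicates standing in for Falco condition strings, and its events are constructed dicts with a few syscall-event fields.

```python
"""Simulate the agent's two Falco rule-matching strategies.

Added example, not Sysdig or Falco code. Rules are constructed Python
predicates standing in for Falco condition strings; events are constructed
dicts carrying a few syscall-event fields.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Event], bool]


# Constructed rules, in load order. The third is a narrower case of the second.
RULES: List[Rule] = [
    Rule("Shell spawned in container",
         lambda e: e["evt_type"] == "execve" and e["proc_name"] in ("sh", "bash")),
    Rule("Write below etc",
         lambda e: e["evt_type"] == "open_write" and e["fd_name"].startswith("/etc/")),
    Rule("Modify shadow file",
         lambda e: e["evt_type"] == "open_write" and e["fd_name"] == "/etc/shadow"),
]


def evaluate(event: Event, strategy: str = "all", rules: List[Rule] = RULES) -> List[str]:
    """Return the names of the rules that fire for one event under the given strategy.

    'all'   evaluates every rule (default from v12.18.0): one event may raise several alerts.
    'first' stops at the first matching rule (behaviour of earlier agent versions).
    """
    if strategy not in ("all", "first"):
        raise ValueError(f"unknown falco_match_strategy: {strategy!r}")
    fired: List[str] = []
    for rule in rules:
        if rule.condition(event):
            fired.append(rule.name)
            if strategy == "first":
                break
    return fired


def suppressed_by_first(event: Event, rules: List[Rule] = RULES) -> List[str]:
    """Rules that fire under 'all' but would be silent under 'first' for this event."""
    everything = evaluate(event, "all", rules)
    first_only = evaluate(event, "first", rules)
    return everything[len(first_only):]


# Constructed sample events.
SHADOW_WRITE: Event = {"evt_type": "open_write", "fd_name": "/etc/shadow", "proc_name": "vi"}
SHELL_EXEC: Event = {"evt_type": "execve", "fd_name": "", "proc_name": "bash"}
BENIGN_READ: Event = {"evt_type": "open_read", "fd_name": "/etc/hosts", "proc_name": "cat"}

if __name__ == "__main__":
    for name, event in [("shadow write", SHADOW_WRITE), ("shell exec", SHELL_EXEC), ("benign read", BENIGN_READ)]:
        print(f"{name:12} all={evaluate(event, 'all')} first={evaluate(event, 'first')}"
              f" lost_under_first={suppressed_by_first(event)}")
```

When tuning a ruleset for first, rule order therefore decides which alert you see; under all, the order no longer matters but you should expect, and deduplicate downstream, several alerts for one event.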

Report Actions in Kubernetes Events

For a full description of the feature, see Threat Detection Policies.

Prerequisites

Sysdig agent v12.18+

Permissions

  • Helm: If you deploy the agent using Helm, the permissions to create and patch events are granted automatically.

  • Manual: If you deploy manually, you must create a Kubernetes cluster role that grants those permissions and bind it to the agent's service account. Example without a cluster role binding:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: sysdig-agent
    rules:
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - create
      - patch
    

    Example with cluster role binding:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: sysdig-agent
    rules:
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - create
      - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: sysdig-agent
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: sysdig-agent
    subjects:
    - kind: ServiceAccount
      name: sysdig-agent
      namespace: sysdig-agent
    ---
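Before deploying a manual setup it is worth verifying that the role really reaches the agent's service account and grants exactly create and patch on events, nothing broader. The checker below is an added example, not Sysdig code: its manifests are Python dicts constructed to mirror the ClusterRole and ClusterRoleBinding above, and its RBAC matching is a simplified model of the API server's (apiGroups, resources and verbs with `*` wildcards, ClusterRole bindings only, no resourceNames or role aggregation). On a live cluster the equivalent check is `kubectl auth can-i create events --as=system:serviceaccount:sysdig-agent:sysdig-agent`, repeated for patch.

```python
"""Check that a ClusterRole/ClusterRoleBinding pair grants the agent's ServiceAccount
the event permissions it needs, and flag over-broad rules.

Added example, not Sysdig code. Manifests are dicts constructed to mirror the
page's example; RBAC evaluation is a simplified model of the API server's.
"""
from typing import Any, Dict, Iterable, List, Set, Tuple

Permission = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core group

# What reporting actions as Kubernetes events requires.
REQUIRED: Set[Permission] = {("", "events", "create"), ("", "events", "patch")}

CLUSTER_ROLE: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "sysdig-agent"},
    "rules": [{"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]}],
}

CLUSTER_ROLE_BINDING: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "sysdig-agent"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "sysdig-agent"},
    "subjects": [{"kind": "ServiceAccount", "name": "sysdig-agent", "namespace": "sysdig-agent"}],
}


def _matches(allowed: Iterable[str], wanted: str) -> bool:
    """RBAC list semantics: an exact entry or the '*' wildcard grants the value."""
    allowed = list(allowed)
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Dict[str, Any], perm: Permission) -> bool:
    group, resource, verb = perm
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def bound_cluster_roles(sa_name: str, sa_namespace: str, bindings: List[Dict[str, Any]]) -> Set[str]:
    """Names of ClusterRoles bound to the given ServiceAccount (namespace must match)."""
    names: Set[str] = set()
    for binding in bindings:
        if binding["roleRef"]["kind"] != "ClusterRole":
            continue
        for subject in binding.get("subjects", []):
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == sa_name
                    and subject.get("namespace") == sa_namespace):
                names.add(binding["roleRef"]["name"])
    return names


def missing_permissions(sa_name: str, sa_namespace: str, roles: List[Dict[str, Any]],
                        bindings: List[Dict[str, Any]], required: Set[Permission] = REQUIRED) -> Set[Permission]:
    """Required permissions the ServiceAccount does not get through any bound ClusterRole."""
    bound = bound_cluster_roles(sa_name, sa_namespace, bindings)
    rules = [rule for role in roles if role["metadata"]["name"] in bound
             for rule in role.get("rules", [])]
    return {perm for perm in required if not any(rule_allows(rule, perm) for rule in rules)}


def overbroad_rules(roles: List[Dict[str, Any]]) -> List[str]:
    """Least-privilege check: roles containing a wildcard verb or resource."""
    flagged: List[str] = []
    for role in roles:
        for rule in role.get("rules", []):
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                flagged.append(role["metadata"]["name"])
                break
    return flagged


if __name__ == "__main__":
    print("missing with binding:   ", missing_permissions("sysdig-agent", "sysdig-agent", [CLUSTER_ROLE], [CLUSTER_ROLE_BINDING]))
    print("missing without binding:", missing_permissions("sysdig-agent", "sysdig-agent", [CLUSTER_ROLE], []))
    print("over-broad roles:       ", overbroad_rules([CLUSTER_ROLE]))
```

The second call reproduces the "without cluster role binding" manifest from the page: the ClusterRole on its own grants nothing until a binding names the service account, and a binding for a service account in a different namespace also leaves both permissions missing.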
    

Learn More