Image profiling consists of two main parts:
- Fingerprint Collection (General availability)
- Profile visualization and policy creation (Controlled availability)
Fingerprint collection and aggregation starts at the agent, which observes the behavior of your workloads and periodically sends fingerprints of that behavior to Sysdig Secure, where they are aggregated into per-image profiles. Profiles also feed Sysdig’s Machine Learning detection capabilities and show which vulnerabilities are actually exercised by your running workloads.
Then, using the web interface, you are able to look at the content of those profiles and create policies that trigger whenever the container shows a behavior that was not present in the profile.
Availability and Enablement
- To enable fingerprint collection and aggregation, turn on the ‘Profiling’ switch in the Sysdig Labs section yourself; no support request is needed.
- To use the Profile visualization and policy creation section please contact Sysdig Support (for SaaS) or ask your administrator (for Sysdig On-Prem).
How Image Profiles Work
Once the feature is enabled, the agents start sending “fingerprints” of what happened on the containers – network activity, files and directories accessed, processes run, and system calls used – and Sysdig Secure aggregates this information per image. Thus, for multiple containers based off of the same image, running on different nodes, the image profiler will collect and combine system activity into an image profile.
Internal algorithms determine two aspects of behavior:
- Length of time observed: related to whether the image is in a learning or done-learning state
- Consistency of behavior: related to the confidence level of the observed behavior and the related policy rule suggestions
A container image profile is a collection of data points related to:
- TCP ports (in/out)
- UDP ports (in/out)
- File system (informational only)
- System calls detected
If the containers run consistently, the learning phase lasts about 24 hours.
(Note that containers, for example, that are triggered for a job that lasts an hour and then are re-triggered a week later, would have a much longer learning phase.)
When enough samples are collected for observation, the image status is designated as Done learning. At this point, you can create a policy based on the profile.
The confidence level is a smart statistical indicator calculated based on behavioral consistency, both temporal and across different containers, for a given image. Low, Medium, and High confidence levels are displayed in the UI with 1, 2, or 3 squares.
Policies should only be created from profiles with a HIGH confidence level. In that case the container behaves very predictably across the cluster, so a policy that whitelists the observed behavior will trigger notifications on genuinely anomalous activity rather than on normal variation.
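Sysdig does not publish the internal algorithm, so the following is an added illustration rather than Sysdig’s code: a small Python model of the workflow described above. It aggregates per-container fingerprints into a per-image profile, accrues observed time in wall-clock windows (so the hourly job from the note above accrues one hour, not one week), scores consistency both across containers and across time, gates policy creation on Done learning plus High confidence, and evaluates a new fingerprint against the resulting whitelist. The 3600-second reporting window, the consistency formula, the 0.9/0.6 confidence cut-offs, the image names and all fingerprint data are constructed assumptions; only the data-point categories, the informational status of file-system data and the 24-hour figure come from the page.

```python
"""Toy image-profile aggregator modelled on the behaviour described on this page.
Not Sysdig's code: window size, consistency formula, confidence cut-offs and all
sample data are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

WINDOW = 3600                  # assumed agent reporting window, in seconds
LEARNING_SECONDS = 24 * 3600   # page: ~24h of consistent running -> Done learning
ENFORCED = ("tcp_in", "tcp_out", "udp_in", "udp_out", "syscalls")  # "files" is informational only


@dataclass(frozen=True)
class Fingerprint:
    """One agent report for one container over one aligned window (constructed data)."""
    image: str
    container: str
    window_start: int                       # epoch seconds, aligned to WINDOW
    tcp_in: FrozenSet[int] = frozenset()
    tcp_out: FrozenSet[int] = frozenset()
    udp_in: FrozenSet[int] = frozenset()
    udp_out: FrozenSet[int] = frozenset()
    syscalls: FrozenSet[str] = frozenset()
    files: FrozenSet[str] = frozenset()


class ImageProfile:
    def __init__(self, image: str) -> None:
        self.image = image
        self.containers: set = set()
        self.windows: set = set()
        # category -> item -> set of (container, window_start) that reported it
        self.seen: Dict[str, Dict] = {c: defaultdict(set) for c in ENFORCED + ("files",)}

    def add(self, fp: Fingerprint) -> None:
        self.containers.add(fp.container)
        self.windows.add(fp.window_start)
        for cat in self.seen:
            for item in getattr(fp, cat):
                self.seen[cat][item].add((fp.container, fp.window_start))

    def observed_seconds(self) -> int:
        # Wall-clock time during which at least one container reported: a one-hour
        # job re-run a week later has accrued two hours, not a week.
        return len(self.windows) * WINDOW

    def done_learning(self) -> bool:
        return self.observed_seconds() >= LEARNING_SECONDS

    def consistency(self) -> float:
        """Assumed definition: for every enforced item, the smaller of its container
        coverage and its time-window coverage, averaged over all items."""
        scores: List[float] = []
        for cat in ENFORCED:
            for reports in self.seen[cat].values():
                across_containers = len({c for c, _ in reports}) / len(self.containers)
                across_time = len({w for _, w in reports}) / len(self.windows)
                scores.append(min(across_containers, across_time))
        return sum(scores) / len(scores) if scores else 0.0

    def confidence(self) -> str:
        s = self.consistency()              # assumed cut-offs for the 1/2/3-square display
        return "High" if s >= 0.9 else "Medium" if s >= 0.6 else "Low"


def build_profiles(fps: Iterable[Fingerprint]) -> Dict[str, ImageProfile]:
    profiles: Dict[str, ImageProfile] = {}
    for fp in fps:
        profiles.setdefault(fp.image, ImageProfile(fp.image)).add(fp)
    return profiles


def policy_from_profile(p: ImageProfile) -> Optional[dict]:
    """Whitelist policy scoped to one image; refused unless Done learning and High."""
    if not (p.done_learning() and p.confidence() == "High"):
        return None
    return {"title": f"Image Policy - {p.image}", "scope": p.image, "action": "notify",
            "allow": {cat: frozenset(p.seen[cat]) for cat in ENFORCED}}


def evaluate(policy: dict, fp: Fingerprint) -> List[Tuple[str, object]]:
    """Return (category, item) pairs in fp that the policy's whitelist does not cover."""
    if fp.image != policy["scope"]:
        return []
    return [(cat, item) for cat in ENFORCED
            for item in sorted(getattr(fp, cat)) if item not in policy["allow"][cat]]


BASE_SYSCALLS = frozenset({"read", "write", "epoll_wait", "accept4", "sendto"})


def sample_fingerprints() -> List[Fingerprint]:
    """Constructed data: three replicas of a web image over 24 hourly windows, plus a
    short-lived job image that ran once and again a week later."""
    fps = []
    for c in ("web-a", "web-b", "web-c"):
        for h in range(24):
            fps.append(Fingerprint("registry.example/web:1.0", c, h * WINDOW,
                                   tcp_in=frozenset({8080}), tcp_out=frozenset({5432}),
                                   udp_out=frozenset({53}), syscalls=BASE_SYSCALLS,
                                   files=frozenset({"/etc/app/config.yaml"})))
    for c, w in (("job-1", 0), ("job-2", 7 * 24 * WINDOW)):
        fps.append(Fingerprint("registry.example/job:2.0", c, w,
                               tcp_out=frozenset({443}), syscalls=BASE_SYSCALLS))
    return fps
```

Running `build_profiles(sample_fingerprints())` yields a web profile that is Done learning with High confidence, so `policy_from_profile` returns a notify-only policy scoped to that image; a later fingerprint that opens an outbound connection on a new port or calls a syscall the profile never saw is reported by `evaluate`, while a different file path is not, because file-system data is informational. The job image has accrued only two hours of observation and stays in the learning state, matching the note about intermittent workloads.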
Using Image Profiles UI (Controlled Availability)
To use the Image Profile tool, follow these basic steps:
- Contact Sysdig (SaaS) or the Sysdig administrator (On-Prem) to enable the feature.
- Allow the agents to collect information for at least 24 hours.
- Review the collected profiles details, selecting those that are Done Learning and have High Confidence.
- Use the checkboxes to include details and create per-image policies.
Review Profiles and Create Policies
Log in to Sysdig Secure and select Policies > Image Profiles.
Filter the list by Done Learning to see the actionable profiles. Focus on those with High Confidence levels (three squares).
Select an image title to review and expand the elements in the Details panel. Select an individual element to see the specific data collected.
Check the boxes for the items you want to include and click Create Policy from Profiles.
The Create a Scanning Policy page is displayed.
By default, the:
- Title is “Image Policy - <image name>”
- Description is “Policy automatically generated by Sysdig Profiler”
- Scope is limited to that image
- Action is Notify only
Edit any defaults as desired and click
The new policy appears in the Runtime list.
Additional Profile Options
From the Image Profiles page, there are two additional actions you can take: Restart Profile and Delete Profile. Restart purges the profile for the image and resets it to the initial learning state. Delete completely removes the profile from the database.
Click Restart Profile to begin the learning process again. Restart is useful when the previously created policy generates false positives due to changed behavior of the containers.
If you click Delete Profile, then:
The profile is deleted from the list. If the agent continues to detect activity on this image, the profile will be created again.
If you have already created a policy based on this profile, remove it as well, since it is no longer useful.
This option is useful for removing profiles of images that are no longer in use.