Image Profiles

Overview

Image profiling consists of two main parts:

  • Fingerprint Collection (General availability)
  • Profile visualization and policy creation (Controlled availability)

Fingerprint collection and aggregation start at the agent, which observes the behavior of your workloads and periodically sends fingerprints to Sysdig Secure, which aggregates them into profiles. Profiles also feed Sysdig’s Machine Learning detection capabilities and show which vulnerabilities are in use in your workloads.

Then, using the web interface, you are able to look at the content of those profiles and create policies that trigger whenever the container shows a behavior that was not present in the profile.

Availability and Enablement

  • To enable fingerprint collection and aggregation, turn on the ‘Profiling’ switch in the Sysdig Labs section yourself.

    This enables a feature on the agent that increases its resource demand, both in memory and CPU. If the agent starts using too many resources, it automatically disables this feature temporarily to avoid impacting its basic functionality.
  • To use the Profile visualization and policy creation section, please contact Sysdig Support (for SaaS) or ask your administrator (for Sysdig On-Prem).

How Image Profiles Work

Once the feature is enabled, the agents start sending “fingerprints” of what happened on the containers – network activity, files and directories accessed, processes run, and system calls used – and Sysdig Secure aggregates this information per image. Thus, for multiple containers based on the same image, running on different nodes, the image profiler collects and combines system activity into a single image profile.

Internal algorithms determine two aspects of behavior:

  • Length of time observed: Related to the image being in a learning/done learning state

  • Consistency of behavior: Related to the confidence level of the observed behavior and related policy rule suggestions

Profile Contents

A container image profile is a collection of data points related to:

  • Network activity

    • TCP ports (in/out)

    • UDP ports (in/out)

  • Processes detected

  • File system (informational only)

    • Files (read/write)

    • Directories (read/write)

  • System calls detected

Learning/Done Learning

If the containers run consistently, the learning phase lasts about 24 hours.

(Note that containers, for example, that are triggered for a job that lasts an hour and then are re-triggered a week later, would have a much longer learning phase.)

When enough samples are collected for observation, the image status is designated as Done learning. At this point, you can create a policy based on the profile.

Confidence Levels

The confidence level is a smart statistical indicator calculated based on behavioral consistency, both temporal and across different containers, for a given image. Low, Medium, and High confidence levels are displayed in the UI with 1, 2, or 3 squares.

Policies should only be created from profiles with HIGH confidence levels. In this case, the container behaves very predictably across the cluster and you can create a policy to whitelist the observed behavior and trigger notifications on any anomalous activity.
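The following is an added example (not Sysdig’s code or data format) that models the flow described in “How Image Profiles Work”, “Learning/Done Learning” and “Confidence Levels”: per-container fingerprints are unioned into one image profile, the learning state is derived from accumulated observation time, confidence is scored from consistency across containers (the scoring thresholds are assumptions), and a live fingerprint is diffed against the profile to find the behavior a profile-based policy would notify on.

```python
from dataclasses import dataclass

# Constructed per-container fingerprint carrying the behavior categories the
# page lists (ports, processes, syscalls; files omitted). Not Sysdig's format.
@dataclass
class Fingerprint:
    container_id: str
    hours_observed: float
    tcp_ports: frozenset
    processes: frozenset
    syscalls: frozenset

CATEGORIES = ("tcp_ports", "processes", "syscalls")
LEARNING_HOURS = 24.0  # the page: about 24 hours of consistent running

def aggregate(fingerprints):
    """Union the fingerprints of every container of one image into a profile."""
    profile = {c: set() for c in CATEGORIES}
    for fp in fingerprints:
        for c in CATEGORIES:
            profile[c] |= getattr(fp, c)
    return profile

def learning_state(fingerprints):
    """Observed time accumulates across runs, so a job that runs one hour a
    week reaches Done learning much later than an always-on service."""
    total = sum(fp.hours_observed for fp in fingerprints)
    return "Done learning" if total >= LEARNING_HOURS else "Learning"

def confidence(fingerprints):
    """Assumed scoring (not Sysdig's algorithm): share of containers showing
    each profile item; the least consistent item sets the level."""
    profile, n, worst = aggregate(fingerprints), len(fingerprints), 1.0
    for c in CATEGORIES:
        for item in profile[c]:
            seen = sum(1 for fp in fingerprints if item in getattr(fp, c))
            worst = min(worst, seen / n)
    return "High" if worst >= 0.9 else "Medium" if worst >= 0.5 else "Low"

def anomalies(profile, live):
    """Behavior in a live fingerprint the profile never saw: exactly what a
    policy created from the profile would notify on."""
    return {c: set(getattr(live, c)) - profile[c] for c in CATEGORIES
            if not getattr(live, c) <= profile[c]}

# Constructed sample: three replicas of one image on different nodes, plus a
# later container of the same image that spawned a shell.
BASE = (frozenset({8080}), frozenset({"nginx"}), frozenset({"accept", "read"}))
REPLICAS = [Fingerprint(f"web-{i}", h, *BASE) for i, h in ((1, 10), (2, 9), (3, 6))]
LIVE = Fingerprint("web-4", 0.1, frozenset({8080}), frozenset({"nginx", "sh"}),
                   frozenset({"accept", "read", "execve"}))
```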

Using Image Profiles UI (Controlled Availability)

To use the Image Profile tool, follow these basic steps:

  1. Contact Sysdig (SaaS) or the Sysdig administrator (On-Prem) to enable the feature.
  2. Allow the agents to collect information for at least 24 hours.
  3. Review the details of the collected profiles, selecting those that are Done Learning and have High Confidence.
  4. Use the checkboxes to include details and create per-image policies.

Review Profiles and Create Policies

  1. Log in to Sysdig Secure and select Policies > Image Profiles.

  2. Filter the list by Done Learning to see the actionable profiles. Focus on those with High Confidence levels (three squares).

  3. Select an image title to review and expand the elements in the Details panel. Select an individual element to see the specific data collected.

  4. Check the boxes for the items you want to include and click Create Policy from Profiles.

    The Create a Scanning Policy page is displayed.

    By default, the:

    • Title is “Image Policy - <image name>”

    • Description is “Policy automatically generated by Sysdig Profiler”

    • Severity is Medium

    • Scope is limited to that image

    • Action is Notify only

  5. Edit any defaults as desired and click Save.

    The new policy appears in the Runtime list.

Additional Profile Options

From the Image Profiles page, there are two additional actions you can take: Restart or Delete Profile. Restart purges the profile for the image and resets it to the initial learning state. Delete completely removes the profile from the database.

Restart Profile

Click Restart Profile to begin the learning process again. Restart is useful when the previously created policy generates false positives due to changed behavior of the containers.

Delete Profile

If you click Delete Profile, then:

  • The profile is deleted from the list. If the agent continues to detect activity on this image, the profile will be created again.

  • If you have already created a policy based on this profile, you should remove it, as it is no longer useful.

  • This option is useful for deleting profiling for images that are no longer used.

Last modified September 23, 2022