The image profiling tool in Sysdig Secure takes advantage of the agent’s ability to observe the behavior of an image during runtime. It learns what is common behavior for the container and then suggests a customized policy of Falco rules to match the observed behaviors.
This feature enhances and automates Sysdig Secure’s ability to detect anomalies at enterprise scale.
Compared with manual creation of rules and policies, image profiles have the following advantages:
Actionable accuracy: Profiling provides deep visibility into the application behavior
Automation: Profiling uses machine learning and automated rule creation, allowing busy administrators to secure images quickly and easily
Security enhancement: Explicitly stating what is allowed provides better security than stating what is forbidden
How Image Profiles Work
Once the feature is enabled, the agents start sending “fingerprints” of what happened on the containers – network activity, files and directories accessed, processes run, and system calls used – and Sysdig Secure aggregates this information per image. Thus, for multiple containers based on the same image, running on different nodes, the image profiler collects and combines system activity into a single image profile.
Internal algorithms determine two aspects of behavior:
Length of time observed: Related to the image being in a learning/done learning state
Consistency of behavior: Related to the confidence level of the observed behavior and related policy rule suggestions
A container image profile is a collection of data points related to:
TCP ports (in/out)
UDP ports (in/out)
File system (informational only)
System calls detected
If the containers run consistently, the learning phase lasts about 24 hours.
(Note that containers, for example, that are triggered for a job that lasts an hour and then are re-triggered a week later, would have a much longer learning phase.)
When enough samples are collected for observation, the image status is designated as Done learning. At this point, you can create a policy based on the profile.
The confidence level is a smart statistical indicator calculated based on behavioral consistency, both temporal and across different containers, for a given image. Low, Medium, and High confidence levels are displayed in the UI with 1, 2, or 3 squares.
Policies should only be created from profiles with HIGH confidence levels. In this case, the container behaves very predictably across the cluster and you can create a policy to whitelist the observed behavior and trigger notifications on any anomalous activity.
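As an added example (not Sysdig's code and not its internal algorithm), the following Python models the pipeline described above: per-container fingerprints are merged into an image profile, a learning state is derived from the observation time, a confidence level is derived from consistency across containers, and a High-confidence, Done-learning profile is turned into an allow-list Falco rule. The fingerprint data, the confidence thresholds and the set of profiled items are constructed assumptions.

```python
from collections import Counter

LEARNING_HOURS = 24  # typical learning window for steadily running containers (from the page)
CONSISTENCY_HIGH, CONSISTENCY_MEDIUM = 0.9, 0.6  # assumed thresholds for the confidence level

# Constructed fingerprints for image "web:1.0": one dict per container, from three nodes.
BASE_SYSCALLS = {"accept4", "read", "write", "epoll_wait", "sendto", "recvfrom", "close", "openat"}
FINGERPRINTS = [
    {"tcp_in": {8080}, "procs": {"nginx"}, "syscalls": set(BASE_SYSCALLS)},
    {"tcp_in": {8080}, "procs": {"nginx"}, "syscalls": set(BASE_SYSCALLS)},
    {"tcp_in": {8080}, "procs": {"nginx", "sh"}, "syscalls": set(BASE_SYSCALLS)},  # one also spawned a shell
]

def build_profile(fingerprints):
    """Merge per-container fingerprints: for each item, the fraction of containers that showed it."""
    n = len(fingerprints)
    counts = {key: Counter() for key in ("tcp_in", "procs", "syscalls")}
    for fp in fingerprints:
        for key, ctr in counts.items():
            ctr.update(fp[key])
    return {key: {item: c / n for item, c in ctr.items()} for key, ctr in counts.items()}

def learning_state(observed_hours):
    """Length of time observed decides Learning vs. Done learning."""
    return "Done learning" if observed_hours >= LEARNING_HOURS else "Learning"

def confidence(profile):
    """Consistency across containers: share of observed items seen in every container."""
    fracs = [f for items in profile.values() for f in items.values()]
    consistent = sum(f == 1.0 for f in fracs) / len(fracs)
    return "High" if consistent >= CONSISTENCY_HIGH else "Medium" if consistent >= CONSISTENCY_MEDIUM else "Low"

def falco_rule(image, profile):
    """Allow-list rule (Falco YAML): alert on listen ports or processes not seen in every container."""
    ports = ", ".join(str(p) for p in sorted(profile["tcp_in"]) if profile["tcp_in"][p] == 1.0)
    procs = ", ".join(p for p in sorted(profile["procs"]) if profile["procs"][p] == 1.0)
    return (f'- rule: Image Policy - {image}\n'
            f'  desc: Policy automatically generated from the profile of {image}\n'
            f'  condition: container.image = "{image}" and '
            f'((evt.type = listen and not fd.sport in ({ports})) or '
            f'(evt.type = execve and not proc.name in ({procs})))\n'
            f'  output: Unprofiled activity in {image} (proc=%proc.name port=%fd.sport)\n'
            f'  priority: NOTICE\n')

def suggest_policy(image, fingerprints, observed_hours):
    """Only Done-learning, High-confidence profiles become policies, as the page advises."""
    profile = build_profile(fingerprints)
    if learning_state(observed_hours) != "Done learning" or confidence(profile) != "High":
        return None
    return falco_rule(image, profile)
```

The shell seen in only one of three containers stays out of the generated allow-list, so an `execve` of `sh` in that image would trigger the rule rather than be whitelisted.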
Using Image Profiles
To use the Image Profile tool, follow these basic steps:
Contact Sysdig (SaaS) or the Sysdig administrator (On-Prem) to enable the feature.
Allow the agents to collect information for at least 24 hours.
Review the collected profiles' details, selecting those that are Done Learning and have High Confidence.
Use the checkboxes to include details and create per-image policies.
Review Profiles and Create Policies
Log in to Sysdig Secure and select Policies > Image Profiles.
Filter the list by Done Learning to see the actionable profiles. Focus on those with High Confidence levels (three squares).
Select an image title to review and expand the elements in the Details panel. Select an individual element to see the specific data collected.
Check the boxes for the items you want to include and click Create Policy from Profiles.
The Create a Scanning Policy page is displayed.
By default, the:
Title is “Image Policy - <image name>”
Description is “Policy automatically generated by Sysdig Profiler”
Scope is limited to that image
Action is Notify only
Edit any defaults as desired and click
The new policy appears in the Runtime list.
Additional Profile Options
From the Image Profiles page, there are two additional actions you can take: Restart Profile and Delete Profile. Restart purges the profile for the image and resets it to the initial learning state. Delete completely removes the profile from the database.
Click Restart Profile to begin the learning process again. Restart is useful when the previously created policy generates false positives due to changed behavior of the containers.
If you click Delete Profile, then:
The profile is deleted from the list. If the agent continues to detect activity on this image, the profile will be created again.
If you have already created a policy based on this profile, you should remove it, as it is no longer useful.
This option is useful for deleting profiles for images that are no longer used.