Review Understanding Sysdig Secure Policies, if needed. Remember that rules are not actionable until they are added to a runtime policy. At minimum, this means:
- Using a default policy or creating one, either manually or with one of the optional tools that help automate policy creation
- Defining the basic parameters, such as scope and severity level
- Defining the policy actions to be taken when rules are breached, such as sending an event to a notification channel (PagerDuty, Slack, email, etc.), triggering a capture file, and/or taking action on the container
Understanding How Policy Actions Are Triggered
Policy actions occur asynchronously. If a policy has a container action and matched activity, the agent asks the Docker/CRI-O daemon to perform the stop/kill/pause action. This process takes a few minutes, during which the container still runs and the connect/accept etc. still
Deploy a Default Policy
The first time you access the Policies tab, you will be prompted to load the Sysdig default policies. The policies are loaded with a pre-defined enabled/disabled status, based on the most common usage, but you can disable, copy, edit, or delete each one as needed.
Create a Policy
There are a variety of optional tools to help automate the creation of policies. See also:
To create a policy manually:
1. Log in to Sysdig Secure and select Policies > Runtime Policies.
2. On the Runtime Policies list page, select +Add Policy.
3. Select the policy type and define the policy parameters. Note: The Scope available will differ by policy type.
4. Add the rules and the actions to be taken if the policy rules are breached.
Select the Policy Type
When you click +Add Policy, you are prompted to choose the Policy Type:
- List-Matching Policies: Policies using simple matching or not-matching for containers, syscalls, processes, etc. See Understanding List Matching Rules for more context.
- AWS CloudTrail Policies: Provide a way to filter AWS CloudTrail events using Falco-compatible condition expressions. You need to have Sysdig Secure for cloud installed to transmit your AWS CloudTrail events. See: Threat Detection with AWS CloudTrail.
Scopes and Actions for Policy Types
The scopes and actions available differ by type:
Define the Basic Parameters
The Policy parameters differ mainly by the Scope and Actions available on the type selected.
- Name and Description: Provide meaningful, searchable descriptors.
- Enabled/Disabled: Once enabled, the policy will begin to generate events.
- Severity: Choose the appropriate severity level as you would like to see it in the
Policy severity is subjective and is used to group policies within a Sysdig Secure instance. NOTE: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
- Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
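To make the relationship between a policy's parameters (scope, severity, action) and the list-matching rules it wraps concrete, here is a small added model in Python. It is an illustration written for this page, not Sysdig Secure's agent code or API; the field names (`proc.name`, `container.image`, `kubernetes.namespace.name`), the sample runtime events and the two policies are all constructed for the demonstration. It shows the two points the text makes: a rule only produces an event once it sits in an enabled policy whose scope matches, and the event carries the policy's severity, not the rule's own priority.

```python
"""Toy model of a runtime policy wrapping list-matching rules.

Added illustration only (not Sysdig Secure's code): field names, events
and policies below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class ListMatchingRule:
    name: str
    field_name: str        # assumed event field, e.g. "proc.name"
    items: frozenset       # the list the field value is compared against
    match: bool = True     # True: fire when value IS in the list; False: fire when it is NOT
    priority: str = "WARNING"  # the rule's own priority; deliberately not used for policy severity

    def matches(self, event: dict) -> bool:
        value = event.get(self.field_name)
        if value is None:          # field absent: a list rule cannot match
            return False
        return (value in self.items) == self.match


@dataclass
class Policy:
    name: str
    severity: str          # assigned on the policy, independent of rule priorities
    scope: dict            # all key/value pairs must match the event; {} means everything
    rules: list
    action: str = "nothing"    # nothing | kill | stop | pause
    enabled: bool = True
    capture: bool = False

    def in_scope(self, event: dict) -> bool:
        return all(event.get(k) == v for k, v in self.scope.items())

    def evaluate(self, event: dict):
        """Return a policy event if the policy fires on this runtime event, else None."""
        if not self.enabled or not self.in_scope(event):
            return None
        fired = [r.name for r in self.rules if r.matches(event)]
        if not fired:
            return None
        return {
            "policy": self.name,
            "severity": self.severity,   # policy severity, not the rule priority
            "rules": fired,
            "action": self.action,
            "capture": self.capture,
            "container": event.get("container.id"),
        }


def evaluate_all(policies, events):
    """Run every policy over every event; keep only the events that fired."""
    return [ev for p in policies for e in events if (ev := p.evaluate(e))]


# Constructed sample runtime events (not real captured data).
SAMPLE_EVENTS = [
    {"proc.name": "bash", "container.image": "nginx:1.25", "container.id": "c1",
     "kubernetes.namespace.name": "prod"},
    {"proc.name": "nginx", "container.image": "nginx:1.25", "container.id": "c2",
     "kubernetes.namespace.name": "prod"},
    {"proc.name": "bash", "container.image": "busybox:latest", "container.id": "c3",
     "kubernetes.namespace.name": "dev"},
]

# Constructed policies: one scoped to the prod namespace with a container action,
# one unscoped with alert-only plus a capture.
POLICIES = [
    Policy(
        name="Shell spawned in prod",
        severity="High",
        scope={"kubernetes.namespace.name": "prod"},
        rules=[ListMatchingRule("Shell spawned", "proc.name",
                                frozenset({"bash", "sh"}), match=True, priority="NOTICE")],
        action="kill",
    ),
    Policy(
        name="Unapproved image",
        severity="Medium",
        scope={},
        rules=[ListMatchingRule("Image not on allow list", "container.image",
                                frozenset({"nginx:1.25"}), match=False)],
        action="nothing",
        capture=True,
    ),
]

if __name__ == "__main__":
    for policy_event in evaluate_all(POLICIES, SAMPLE_EVENTS):
        print(policy_event)
```

Running it yields two policy events: the shell in container `c1` (severity High, action kill, even though the rule's own priority is NOTICE) and the unapproved image in `c3`. The shell in `c3` produces nothing because that event is in the `dev` namespace, outside the first policy's scope.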
You can select existing rules from the Library or create new rules on the fly and add them to a policy.
The Policy Editor interface provides many flexible ways to add rules to or remove rules from a Policy; the instructions below demonstrate one way.
See also: Manage Rules
Import from Library
1. From the New Policy (or Edit Policy) page, click Import from Library. The Import from Rules Library page is displayed.
2. Select the checkboxes by the rules to import. You can pre-sort a collection of rules by searching for particular keywords or tags, or by clicking a colored Tag icon.
3. Click Mark for Import. The selected rules are marked to the right and the Import Rules button is activated.
4. Click Import Rules. The Policy page is displayed with the selected rules listed.
You can remove a rule from a Policy by clicking the X next to the rule in the list.
Create a Rule from the Policy Editor
If you click New Rule instead of Import from Library, you will be linked to the procedure described in Create a Rule.
Determine what should be done if a Policy is violated. See also: Understanding How Policy Actions Are Triggered.
Select what should happen to affected containers if the policy rules are breached:
- Nothing (alert only): Do not change the container behavior; send a notification according to the Notification Channel settings.
- Kill: Kills one or more running containers immediately.
- Stop: Allows a graceful shutdown (10 seconds) before killing the container.
- Pause: Suspends all processes in the specified containers.
For more information about the stop vs. kill commands, see Docker's documentation.
Toggle Capture ON to create a capture when an event occurs, and define the number of seconds before and after the event that should be included in the snapshot. See also: Captures.
Select a notification channel from the drop-down list, for sending notification of events to appropriate personnel.
See also: Set Up Notification Channels.
Copy, Edit or Delete a Policy
Select a row in the Runtime Policies list to expand the policy details and access the icons to Copy, Edit, or Delete the policy.
Note that policies are only auto-installed when the default policies are loaded the first time. If you delete a default policy and subsequently upgrade, that policy will not be recreated.