Manage TD Policies

Overview

Review Understanding Sysdig Secure Policies, if needed. Remember that rules are not actionable until they are added to a runtime policy. At minimum, this means:

  • Using a default policy or creating one, either manually or with one of the optional tools that help automate policy creation

  • Defining the basic parameters, such as scope and severity levels

  • Adding rules

  • Defining the policy actions to be taken when rules are breached, such as sending an event to a notification channel (PagerDuty, Slack, email, etc.), triggering a capture file, and/or taking action on the container (stop/kill/pause).

Understanding How Policy Actions Are Triggered

Policy actions occur asynchronously. If a policy has a container action and matching activity is detected, the agent asks the Docker or CRI-O daemon to perform the stop/kill/pause action. This process takes a few minutes, during which the container is still running and the activity that matched (the connect, accept and similar system calls) still completes. Container actions therefore contain an incident after the fact; they do not prevent the triggering activity itself.

Deploy a Default Policy

The first time you access the Policies tab, you will be prompted to load the Sysdig default policies.

The policies are loaded with pre-defined enabled/disabled status, based on most common usage, but you can enable, disable, copy, edit, or delete each one as needed.

Reload Default Policies

You can use the sdc-cli to fetch any new runtime policies that Sysdig has released since you installed, or to overwrite any of your existing runtime policies with the current Sysdig defaults.

  • To fetch new policies, run:

    sdc-cli policy update-default

    This will not overwrite any of your existing runtime policies.

  • To revert selected existing policies to the Sysdig default:

    1. Delete the policy.

    2. Run sdc-cli policy update-default

  • To revert all existing policies to the Sysdig defaults (this also deletes any custom policies, which update-default will not recreate):

    1. Delete all policies with

      sdc-cli policy del `sdc-cli policy list | awk 'NR>1 {print $1}'`

    2. Run sdc-cli policy update-default
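The full-reset procedure above is destructive and the one-liner gives no chance to review what it is about to delete. The following is an added example (not part of the Sysdig documentation or the sdc-cli project) that wraps the same two steps with a dry run and a hard stop on the first failed delete, so you are never left with a half-reset policy set. It assumes that `sdc-cli policy list` prints a header line followed by one policy per line with the ID in the first whitespace-separated column, which is the format the page's awk one-liner relies on; the sample output below is constructed on that assumption.

```python
"""Reset Sysdig Secure runtime policies to the shipped defaults via sdc-cli.

Added example, not Sysdig's or sdc-cli's own code. ASSUMPTION: `sdc-cli policy
list` prints a header line, then one policy per line with the ID in the first
whitespace-separated column (what the page's `awk 'NR>1 {print $1}'` assumes).
"""
import subprocess
import sys

# Constructed sample of `sdc-cli policy list` output (assumed format).
SAMPLE_LIST_OUTPUT = """\
id      name                              enabled
1001    Sysdig Runtime Threat Detection   True
1002    Suspicious Container Activity     False
2317    my-custom-policy                  True
"""


def parse_policy_ids(list_output):
    """Return the IDs from list output: first column of every non-empty line
    after the header, mirroring the awk one-liner but tolerating blank lines."""
    ids = []
    for line in list_output.splitlines()[1:]:
        fields = line.split()
        if fields:
            ids.append(fields[0])
    return ids


def run(cmd):
    # check=True raises CalledProcessError on a non-zero exit.
    return subprocess.run(cmd, check=True, capture_output=True, text=True)


def reset_policies(dry_run=True):
    """Delete every runtime policy, then reload the Sysdig defaults.

    Returns the IDs that were (or, in dry-run mode, would be) deleted.
    Custom policies are deleted as well and update-default will NOT bring
    them back, so run with dry_run=True first and read the list.
    """
    ids = parse_policy_ids(run(["sdc-cli", "policy", "list"]).stdout)
    if dry_run:
        print("would delete:", " ".join(ids))
        return ids
    for policy_id in ids:
        # A failed delete aborts here, before update-default runs, so we do
        # not end up with an unknown mix of old and freshly loaded policies.
        run(["sdc-cli", "policy", "del", policy_id])
    run(["sdc-cli", "policy", "update-default"])
    return ids


if __name__ == "__main__":
    reset_policies(dry_run="--apply" not in sys.argv)
```

Run it once without arguments to see the list, then with `--apply` to perform the reset.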

Create a Policy

There are a variety of optional tools to help automate the creation of policies. See also:

To create a policy manually:

  1. Log in to Sysdig Secure and select Policies > Runtime Policies.

  2. On the Runtime Policies list page, select +Add Policy.

    Select the policy type and define the policy parameters. Note: The Scope available will differ by policy type.

  3. Add the rules and the actions to be taken if the policy rules are breached.

  4. Enable and Save the policy.

Select the Policy Type

When you click +Add Policy, you are prompted to choose the Policy Type desired. See also: Review Policy Types

Define the Basic Parameters

The Policy parameters differ mainly by the Scope and Actions available on the type selected.

  • Name and Description: Provide meaningful, searchable descriptors

  • Enabled/Disabled: Once enabled, the policy will begin to generate events.

  • Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI.

    Policy severity is subjective and is used to group policies within a Sysdig Secure instance.

    NOTE: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.

  • Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.

Additional Parameters for Drift Policy Type

The Drift policy differs from the other policy types in a few ways:

  • 1:1 Policy:Rule: A Drift policy includes only one rule.
  • Prevent: Toggle the Prevent action to block the flagged binary from ever starting.
  • Dynamic Deny List: When enabled, the policy evaluates and tracks any executable downloaded into the container. If that executable attempts to run, Sysdig creates an alert, or denies the execution if Prevent is enabled.
  • Exceptions: A user-defined list of downloaded executables that are allowed to run without triggering an alert.
  • Always Deny: A user-defined list of executables that are always blocked from running, even if they were built into the image.
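To make the interplay of these parameters concrete, here is an added replay model (not Sysdig agent code) that evaluates a constructed stream of container events against a Drift policy. Events are `("write", path)` for an executable that appears in the container after it started and `("exec", path)` for an attempt to run a path; the image contents, paths and event stream are made up for the demo. One assumption is called out in the code: Always Deny is read as blocking regardless of the Prevent toggle, since the text says it "will always block".

```python
"""Replay model of the Drift policy parameters (added example, not Sysdig code).

Constructed events: ("write", path) = executable dropped into the running
container; ("exec", path) = attempt to run it. Verdicts are 'allow', 'alert'
or 'deny'.
"""
from dataclasses import dataclass, field


@dataclass
class DriftPolicy:
    image_binaries: set                            # executables shipped in the image
    prevent: bool = False                          # deny instead of only alerting
    dynamic_deny_list: bool = True                 # track executables dropped at runtime
    exceptions: set = field(default_factory=set)   # downloaded but still allowed
    always_deny: set = field(default_factory=set)  # blocked even if from the image
    downloaded: set = field(default_factory=set)   # state built from write events

    def evaluate(self, event):
        """Return 'allow', 'alert' or 'deny' for one event."""
        kind, path = event
        if kind == "write":
            # The Dynamic Deny List is built from executables written after
            # start; with it off, a dropped binary is never tracked.
            if self.dynamic_deny_list and path not in self.image_binaries:
                self.downloaded.add(path)
            return "allow"                         # the write itself is not blocked
        if kind != "exec":
            raise ValueError(f"unknown event kind {kind!r}")
        # ASSUMPTION: Always Deny blocks regardless of the Prevent toggle.
        if path in self.always_deny:
            return "deny"
        if path in self.exceptions:
            return "allow"
        if path in self.downloaded:
            return "deny" if self.prevent else "alert"
        # Not tracked as drift (shipped in the image, or its write was never
        # observed). Untracked means undetected, so tracking must be on.
        return "allow"


def replay(policy, events):
    """Evaluate events in order, returning (event, verdict) pairs."""
    return [(ev, policy.evaluate(ev)) for ev in events]


# Constructed scenario: a miner is dropped into /tmp, a hot-fix script is on
# the Exceptions list, and nc is on Always Deny although it ships in the image.
IMAGE = {"/bin/sh", "/usr/bin/curl", "/usr/bin/nc"}
EVENTS = [
    ("exec", "/bin/sh"),
    ("write", "/tmp/xmrig"),
    ("exec", "/tmp/xmrig"),
    ("write", "/tmp/hotfix.sh"),
    ("exec", "/tmp/hotfix.sh"),
    ("exec", "/usr/bin/nc"),
]


def verdicts(prevent):
    policy = DriftPolicy(image_binaries=set(IMAGE), prevent=prevent,
                         exceptions={"/tmp/hotfix.sh"},
                         always_deny={"/usr/bin/nc"})
    return [verdict for _, verdict in replay(policy, EVENTS)]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"prevent={mode}:", verdicts(mode))
```

With Prevent off the dropped miner only raises an alert; with Prevent on it is denied. The hot-fix script runs silently because of the exception, and nc is denied in both modes. Switching the Dynamic Deny List off means the miner is never tracked and runs unnoticed, which is the failure mode to watch for when tuning a Drift policy.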

Additional Parameters for Machine Learning Policy Type

The Machine Learning policy differs from the other policy types in a few ways:

  • Detection types: Choose which types of Machine Learning based detection to enable in the policy. Only Crypto Mining Detection is supported at this time.
  • Confidence level: Fine-tune the policy by choosing the certainty level at which a detection should trigger an event.
  • Severity: Defined at the detection level, so that each detection type can have a different severity.

Add Rules

You can select existing rules from the Library or create new rules on the fly and add them to a policy.

The Policy Editor interface provides many flexible ways to add rules to or remove rules from a Policy; the instructions below demonstrate one way.

See also: Manage Rules

Import from Library

  1. From the New Policy (or Edit Policy) page, click Import from Library.

    The Import from Rules Library page is displayed.

  2. Select the checkboxes by the rules to import.

    You can pre-sort a collection of rules by searching for particular keywords or tags, or by clicking a colored Tag icon.

  3. Click Mark for Import.

    A blue Import icon appears to the right of the selected rules and the Import Rules button is activated.

  4. Click Import Rules.

    The Policy page is displayed with the selected rules listed.

    You can remove a rule from a Policy by clicking the X next to the rule in the list.

Create a Rule from the Policy Editor

If you click New Rule instead of Import from Library, you will be linked to the procedure described in Create a Rule.

Define Actions

Determine what should be done if a Policy is violated. See also: Understanding How Policy Actions Are Triggered.

Containers

Select what should happen to affected containers if the policy rules are breached:

  • Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.

  • Kill: Kills one or more running containers immediately (SIGKILL, with no chance for the processes to clean up).

  • Stop: Allows a graceful shutdown (SIGTERM, then SIGKILL after the 10-second default grace period) before killing the container.

  • Pause: Suspends all processes in the specified containers.

For more information about the stop and kill commands, see Docker's documentation.
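The difference between Stop and Kill matters for response: a process that ignores SIGTERM, as malware can, survives until the grace period expires, and that time is on top of the asynchronous dispatch described in Understanding How Policy Actions Are Triggered. The following added example (not Docker's or Sysdig's code) models the two semantics with plain signals. It spawns two constructed child processes using the current Python interpreter, one that exits cleanly on SIGTERM and one that ignores it, and reports how and after how long each one ended.

```python
"""Stop-vs-kill signal model (added example, not Docker or Sysdig code).

docker stop: SIGTERM, then SIGKILL after the grace period (10 s by default).
docker kill: SIGKILL straight away.
"""
import signal
import subprocess
import sys
import time

# Constructed child bodies. Each prints 'ready' once its SIGTERM disposition
# is installed so the parent never signals before the handler is in place.
COOPERATIVE = (
    "import signal, sys, time\n"
    "signal.signal(signal.SIGTERM, lambda *a: sys.exit(0))\n"
    "print('ready', flush=True)\n"
    "time.sleep(60)\n"
)
STUBBORN = (
    "import signal, time\n"
    "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"   # ignores SIGTERM
    "print('ready', flush=True)\n"
    "time.sleep(60)\n"
)


def spawn(body):
    proc = subprocess.Popen([sys.executable, "-c", body],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()          # block until the child says 'ready'
    return proc


def stop(proc, grace=10.0):
    """docker stop semantics: SIGTERM, wait up to `grace` seconds, then SIGKILL.

    Returns (how the process ended, seconds elapsed)."""
    t0 = time.monotonic()
    proc.send_signal(signal.SIGTERM)
    try:
        proc.wait(timeout=grace)
        outcome = "exited on SIGTERM"
    except subprocess.TimeoutExpired:
        proc.kill()                 # SIGKILL: cannot be caught or ignored
        proc.wait()
        outcome = "SIGKILL after grace"
    proc.stdout.close()
    return outcome, time.monotonic() - t0


def kill(proc):
    """docker kill semantics: SIGKILL immediately."""
    t0 = time.monotonic()
    proc.kill()
    proc.wait()
    proc.stdout.close()
    return "SIGKILL immediately", time.monotonic() - t0


def demo(grace=1.0):
    """Run all three cases; a short grace keeps the demo quick."""
    return {
        "stop cooperative": stop(spawn(COOPERATIVE), grace),
        "stop stubborn": stop(spawn(STUBBORN), grace),
        "kill stubborn": kill(spawn(STUBBORN)),
    }


if __name__ == "__main__":
    for name, (outcome, secs) in demo().items():
        print(f"{name:17s} {outcome:20s} {secs:5.2f}s")
```

The stubborn child lives for the whole grace period under Stop and dies instantly under Kill. When the goal is to cut off an attacker rather than let a service flush its state, Kill is the action to choose, accepting that the agent's own reaction time still precedes it.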

Capture

Toggle Capture ON if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.

As of June 2021, you can add the Capture option to policies affecting events from both the Sysdig agent and Fargate serverless agents. Note that for serverless agents, manual captures are not supported; you must toggle on the Capture option in the policy definition.

See also: Captures.

Notification Channels

Select a notification channel from the drop-down list, for sending notification of events to appropriate personnel.

See also: Set Up Notification Channels.

Copy, Edit or Delete a Policy

Select a row in the Runtime Policies list to expand the policy details and access the icons to Edit, Copy, or Delete the policy.

Note that policies are only auto-installed when the default policies are loaded first time. If you delete a default policy and subsequently upgrade, that policy will not be recreated.



Last modified June 23, 2022