Posture Controls

With the Posture Controls library, you can see the logic behind the compliance results by drilling into the control details:

  • To ensure that this compliance product is fit for your organization’s needs
  • To know precisely what has been or will be evaluated
  • To review a specific control to see its logic and remediation
  • To edit control parameters to tune your compliance results and personalize evaluation parameters

The features are under development.

Prerequisites

This feature requires the new Compliance component.

If necessary, review:

How Controls are Structured

Sysdig controls are built on the Open Policy Agent (OPA) engine, using OPA’s policy language, Rego. The Posture Controls library exposes the code used to create the controls and the inputs they evaluate, providing full visibility into their logic. You can download the code as a JSON file.

  1. Select Policies > Posture|Controls.

  2. Select a specific control to open it in the right panel and work with it.

Filter the List

Use the filters on the left side to limit the control list by:

  • Free text search: Enter any word, or part of a word, from the control name
  • Severity: Choose the severity level(s) assigned to the control(s): H, M, L
  • Type: Choose an infrastructure type from the drop-down list (Cluster, Host, Identity, Resource)
  • Target: The platform, distribution and supported version(s) (where relevant) against which a control evaluates resources. Online cloud platforms such as AKS/AWS/GCP/Azure are not versioned; their controls always apply to the latest version

Add multiple parameters to create more specific filter expressions.

Review Control Logic and Remediation

  1. Select a specific control.

  2. Review basic attributes. At the top of the right panel you can see:

    • Control title

    • Severity H, M, L

    • Type Cluster, Host, Identity, Resource

    • Author (e.g. Sysdig for out-of-the-box controls)

    • Description

    • Policies to which the control is linked.

      Hover over the policy names to get full details, such as the exact requirement number for the particular compliance standard.

  3. Code: Use the provided code snippets.

    At this time, the code provides visibility into the precise objects that are evaluated and how the evaluation rules are structured. The display includes Inputs (where applicable) and the evaluation code written in Rego.

    You can copy and/or download the code as a .json file.

  4. Remediation Playbook: Follow the recommended steps in the Remediation Playbook to resolve failing controls.

    In some cases, you will need to provide the applicable input in the provided remediation code.

  5. Configure Parameters: Edit the assigned Severity of a control and, for some controls, edit the evaluation parameter values.

Configure Parameters

Sysdig is incrementally adding the ability to configure parameters defined within posture controls.

Configure Severity

By default, Sysdig assigns an opinionated severity level to the posture controls it delivers.

To edit the Severity assignment:

  1. Select a specific control and select the Parameters tab.

  2. Select Customize.

  3. Choose the Severity level, and click Save.

    A success message is displayed and the Compliance results will be updated on the next evaluation.

Configure Evaluation Parameters

  1. Select a specific control and select the Parameters tab.

  2. Select Customize.

  3. Customize an evaluation parameter and click Save.

The following controls are customizable (the list is updated incrementally). Each has evaluation parameters that can be configured to tailor the posture control to a specific use case:

AWS

  • API Gateway - Gateway with VPC_LINK connection type
  • API Gateway - REST API Gateway Stage with unencrypted cache
  • API Gateway - Rest API Gateway Stage without required tag
  • API Gateway - Rest API Gateway without required tag
  • API Gateway - Stage without required ACL
  • AutoScaling - App-Tier Auto Scaling Group with associated Elastic Load Balancer
  • AutoScaling - Auto Scaling Group Cooldown Period
  • CloudFront - Use CloudFront Content Distribution Network
  • ECR - Restricted User Access
  • ElastiCache - Valid Node Type
  • ElastiCache - Latest MemCached Engine Version
  • ElastiCache - Latest Redis Engine Version
  • ElastiCache - Latest Instance Generation
  • ElastiCache - Appropriate Cluster Cache Nodes Count
  • ElastiCache - Expiration of Lease for Reserved Cache Node
  • ElastiCache - Recent Acquisitions of Reserved Cache Nodes
  • IAM - Appropriate Access Key Rotation
  • IAM - Appropriate Password Minimum Length
  • IAM - Appropriate Password Reuse
  • IAM - No Unused Passwords
  • IAM - No Unused Access Keys
  • IAM - Unused Root Account
  • Lambda - Function Uses Supported Runtime
  • Lambda - Lambda Cross Account Access
  • Networking - Defined Compliant destination-cidr-block in Routing Tables
  • Resource Contains Required Labels
  • SNS - Appropriate Subscribers
  • SNS - Cross Account Access
  • S3 - Enabled Encryption At Rest

GCP

  • GCR - Restricted User Access
  • Project - Corporate Credentials

Azure

  • ACR - Restricted User Access
  • AppService - Enabled Java Autoupdate
  • AppService - Required Latest PHP Version
  • AppService - Required Latest Python Version
  • AppService - Required Latest TLS Version
  • Compute - Installed Endpoint Protection
  • Logging - Appropriate Diagnostic Setting
  • Networking - Appropriate Flow Retention Setting
  • PostgreSQL - Appropriate Log Retention Setting
  • SQL Server - Appropriate Auditing Retention

Kubernetes

  • ACR - Approved Registries
  • API Server - Access to Pod Spec (OCP4)
  • API Server - Defined audit-log-maxage
  • API Server - Defined audit-log-maxbackup
  • API Server - Defined audit-log-maxsize
  • API Server - Owner of Pod Spec (OCP4)
  • Approved Registries
  • Container Contains Required Labels (new control)
  • Container with Forbidden Capabilities (new control)
  • GCR - Approved Registries
  • Kubelet - Appropriate event-qps Level
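The example below is added here and is not Sysdig's control code. It sketches, in Rego, how a control such as "Container with Forbidden Capabilities" could be structured in the shape the library exposes: the Inputs it evaluates (a Pod spec), the evaluation rule, and an evaluation parameter of the kind the Parameters tab lets you customize. The package name, the parameter name forbidden_capabilities, the input.parameters override convention, and the sample Pod spec are all assumptions; the two test_ rules exercise the control with the default parameter and with a tuned one.

```rego
# Added example (not Sysdig's control code): a Rego control in the structure the
# page describes. Package name, parameter name and input layout are assumptions.
package posture.container_forbidden_capabilities

# Evaluation parameter with an opinionated default. A tuned value supplied under
# input.parameters (assumed convention) replaces the default.
default forbidden_capabilities = ["SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"]

forbidden_capabilities = input.parameters.forbidden_capabilities {
    input.parameters.forbidden_capabilities
}

# Inputs: the Pod spec under evaluation. Init containers are evaluated too, and a
# spec that lacks either list is treated as empty rather than failing the rule.
containers = array.concat(
    object.get(input.spec, "containers", []),
    object.get(input.spec, "initContainers", [])
)

# Evaluation rule: one violation per (container, capability) pair. A container
# with no securityContext.capabilities.add never matches and so never fails.
violation[msg] {
    container := containers[_]
    cap := container.securityContext.capabilities.add[_]
    cap == forbidden_capabilities[_]
    msg := sprintf("container %v adds forbidden capability %v", [container.name, cap])
}

# The control passes when no container produces a violation.
default pass = false

pass {
    count(violation) == 0
}

# Constructed sample input (not from the page), used by the tests below.
sample_pod = {
    "spec": {
        "containers": [
            {"name": "web", "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
            {"name": "debug", "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}},
            {"name": "plain"}
        ],
        "initContainers": [
            {"name": "setup", "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}
        ]
    }
}

# Run with: opa test <this file>
test_default_parameter_flags_two_containers {
    count(violation) == 2 with input as sample_pod
    not pass with input as sample_pod
}

test_tuned_parameter_narrows_the_result {
    tuned := object.union(sample_pod, {"parameters": {"forbidden_capabilities": ["SYS_ADMIN"]}})
    count(violation) == 1 with input as tuned
    violation["container setup adds forbidden capability SYS_ADMIN"] with input as tuned
}
```

Save the block as a .rego file and run opa test on it; to evaluate a real Pod manifest converted to JSON, use opa eval -d <file>.rego -i pod.json 'data.posture.container_forbidden_capabilities.violation'. The design point is that the tunable value lives in one named rule with a default, so tightening or relaxing the control changes the parameter rather than the evaluation logic, which is what keeps customized results comparable to the out-of-the-box ones.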