Profiling

Image profiling in Sysdig enhances the data collection capabilities of the Sysdig agent and is a building block for Machine Learning policies and Risk Spotlight.

Profiling enables you to:

How Image Profiles Work

With image profiling enabled, the agents start sending “fingerprints” of what happened on the containers – network activity, files and directories accessed, processes run, and system calls used – and Sysdig Secure aggregates this information per image. Thus, for multiple containers based off the same image, running on different nodes, the profiler will collect and combine system activity into an image profile.

Internal algorithms determine these aspects of behavior:

  • Length of time observed: Related to the image being in a learning/done learning state
  • Consistency of behavior: Related to the confidence level of the observed behavior

Profile Contents

A container image profile is a collection of data points related to:

  • Network activity
    • TCP ports (in/out)
    • UDP ports (in/out)
  • Processes detected
  • File system (informational only)
    • Files (read/write)
    • Directories (read/write)
  • System calls detected
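The per-image aggregation described under How Image Profiles Work can be illustrated with the following added Python example, which is not Sysdig code and does not reproduce Sysdig's internal algorithms. The field names, the sample fingerprints and the consistency measure (the share of an image's containers in which an item was observed) are assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical field names for data points listed under "Profile Contents".
CATEGORIES = ("tcp_in", "tcp_out", "udp_in", "udp_out", "processes", "syscalls")

# Constructed sample: fingerprints from three containers of one image on two nodes.
FINGERPRINTS = [
    {"image": "nginx:1.25", "container": "c1", "node": "node-a",
     "tcp_in": [80, 443], "processes": ["nginx"], "syscalls": ["accept4", "read"]},
    {"image": "nginx:1.25", "container": "c2", "node": "node-b",
     "tcp_in": [80, 443], "processes": ["nginx"], "syscalls": ["accept4", "read"]},
    {"image": "nginx:1.25", "container": "c3", "node": "node-b",
     "tcp_in": [80], "processes": ["nginx", "sh"], "syscalls": ["accept4", "execve"]},
]

def build_profiles(fingerprints):
    """Merge per-container fingerprints into one profile per image.

    Each profile maps (category, item) to the fraction of that image's
    containers in which the item was observed (assumed consistency measure).
    """
    containers = defaultdict(set)                 # image -> container ids
    seen = defaultdict(lambda: defaultdict(set))  # image -> item -> container ids
    for fp in fingerprints:
        # Count the container even if it reported no items in any category.
        containers[fp["image"]].add(fp["container"])
        for category in CATEGORIES:
            for item in fp.get(category, ()):
                seen[fp["image"]][(category, item)].add(fp["container"])
    return {
        image: {key: len(ids) / len(containers[image])
                for key, ids in seen[image].items()}
        for image in containers
    }

def split_by_consistency(profile, threshold=1.0):
    """Separate items seen in at least `threshold` of containers from the rest."""
    stable = sorted(k for k, v in profile.items() if v >= threshold)
    rare = sorted(k for k, v in profile.items() if v < threshold)
    return stable, rare

if __name__ == "__main__":
    profile = build_profiles(FINGERPRINTS)["nginx:1.25"]
    stable, rare = split_by_consistency(profile)
    print("stable:", stable)
    print("rare:", rare)
```
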

Disable or Enable Profiling

From Sysdig agent v.12.15+, the Profiling feature and the Helm chart parameters for the In Use and Risk Spotlight Integration features are all enabled automatically.

You can disable or enable each of these manually, as described below.

When Profiling is enabled, the agent consumes more resources, both in memory and CPU. When the agent starts to use too many resources, it automatically and temporarily disables this feature, to avoid impacting its basic functionality.

  1. Log in to Sysdig Secure as Admin and navigate to Settings > User Profile.

  2. Toggle the Profiling switch in the Sysdig Labs section.

Disable or Enable Helm Chart Parameters

If you disable Profiling, the best practice is to update your Helm charts to disable the In Use and Risk Spotlight Integration parameters.

Disable the In Use Parameter

The In Use column is displayed in the Vulnerabilities Runtime results in Sysdig Secure and requires an additional parameter for the Sysdig Agent.

See Risk Spotlight (In Use) for details.

To disable the In Use parameter, set the following in your sysdig-deploy Helm chart:

nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=false

Disable the Risk Spotlight Parameters

Risk Spotlight integrations are used to enrich the vulnerability findings of external platforms with Sysdig’s runtime “in-use” insights. There are two integration models:

  • In-cluster: For Snyk

  • API-based: All others

See Risk Spotlight Integrations for details.

Disable Risk Spotlight for Snyk

To disable Risk Spotlight for Snyk, set the following in your sysdig-deploy Helm chart:

--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=false
--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=false

Disable Risk Spotlight for Other Integrations

To disable Risk Spotlight for all other integrations, set the following in your sysdig-deploy Helm chart:

--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=false