Profiling
Profiling enables you to:
- Create Machine Learning policies, such as the Workload ML policy.
- View prioritized vulnerabilities in an “In Use” column in Vulnerability Runtime results, as described in Understanding the In Use Column.
- Allow third-party vulnerability management software to consume and display the prioritized runtime vulnerabilities from Sysdig, as described in Risk Spotlight Integrations.
How Image Profiles Work
With image profiling enabled, the agents start sending “fingerprints” of what happened on the containers – network activity, files and directories accessed, processes run, and system calls used – and Sysdig Secure aggregates this information per image. Thus, for multiple containers based off the same image, running on different nodes, the profiler will collect and combine system activity into an image profile.
Internal algorithms determine these aspects of behavior:
- Length of time observed: Related to the image being in a learning/done learning state
- Consistency of behavior: Related to the confidence level of the observed behavior
Profile Contents
A container image profile is a collection of data points related to:
- Network activity
  - TCP ports (in/out)
  - UDP ports (in/out)
- Processes detected
- File system (informational only)
  - Files (read/write)
  - Directories (read/write)
- System calls detected
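The per-image aggregation described above, as an added illustration (not Sysdig's code or its internal algorithms): constructed fingerprints from containers on different nodes are merged into one profile per image, and a new container's activity is compared against it. The one-hour learning threshold and the consistency measure (the share of an image's containers that showed a data point) are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample fingerprints: (image, container, node, unix_ts, category, value).
# Categories follow the profile contents listed above.
FINGERPRINTS = [
    ("nginx:1.25", "c1", "node-a", 1000, "tcp_in", 80),
    ("nginx:1.25", "c1", "node-a", 1010, "process", "nginx"),
    ("nginx:1.25", "c1", "node-a", 1020, "syscall", "accept4"),
    ("nginx:1.25", "c2", "node-b", 1500, "tcp_in", 80),
    ("nginx:1.25", "c2", "node-b", 1510, "process", "nginx"),
    ("nginx:1.25", "c2", "node-b", 4700, "process", "sh"),
    ("redis:7", "c3", "node-a", 2000, "tcp_in", 6379),
]

MIN_OBSERVED_SECONDS = 3600  # hypothetical learning threshold, not a Sysdig value


def build_profiles(fingerprints):
    """Combine per-container fingerprints into one profile per image."""
    seen = defaultdict(lambda: defaultdict(set))  # image -> data point -> containers
    containers = defaultdict(set)
    first, last = {}, {}
    for image, container, _node, ts, category, value in fingerprints:
        seen[image][(category, value)].add(container)
        containers[image].add(container)
        first[image] = min(first.get(image, ts), ts)
        last[image] = max(last.get(image, ts), ts)
    profiles = {}
    for image, points in seen.items():
        total = len(containers[image])
        observed = last[image] - first[image]
        profiles[image] = {
            "observed_seconds": observed,
            "state": "done learning" if observed >= MIN_OBSERVED_SECONDS else "learning",
            # Assumed consistency measure: share of containers showing the data point.
            "consistency": {p: len(c) / total for p, c in points.items()},
        }
    return profiles


def deviations(profile, container_points, min_consistency=1.0):
    """Data points of one container that the profile does not consistently contain."""
    known = {p for p, c in profile["consistency"].items() if c >= min_consistency}
    return sorted(set(container_points) - known, key=str)
```

In this sample, the `sh` process seen in only one of the two nginx containers gets a consistency of 0.5, so it does not become part of the consistently observed behavior for the image.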
Enablement
From Sysdig agent v.12.15+, the Profiling feature is automatically enabled, and the Helm chart parameters for the In Use and Risk Spotlight Integration features are automatically enabled.
You can disable/enable each of these manually, as described below.
Enabling Profiling triggers a feature on the agent that will increase its resource demand, both in memory and CPU. If the agent starts using too many resources, it will automatically and temporarily disable this feature, to avoid impacting its basic functionality.
Disable/Enable Profiling
Log in to Sysdig Secure as Admin and navigate to Settings > User Profile.
Toggle the Profiling switch in the Sysdig Labs section.
NOTE: If you disable Profiling, the best practice is to update your Helm charts to disable the In Use and Risk Spotlight Integration parameters.
Disable/Enable Helm Chart Parameters
In Use
The In Use column is displayed in the Vulnerabilities Runtime results in Sysdig Secure and requires an additional parameter for the Sysdig Agent.
See Risk Spotlight (In Use) for details.
To disable the In Use Parameter
Set the following in your sysdig-deploy Helm chart:
nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=false
Risk Spotlight Integrations
Risk Spotlight integrations are used to enrich the vulnerability findings of external platforms with Sysdig’s runtime “in-use” insights. There are two integration models: in-cluster (for Snyk) and API-based (all others).
See Risk Spotlight Integrations for details.
To Disable the Risk Spotlight Parameters
For Snyk:
Set the following in your sysdig-deploy Helm chart:
--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=false
--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=false
For all other integrations:
Set the following in your sysdig-deploy Helm chart:
--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=false