Drift Control
Key Features
Drift Control helps you:
- Prevent attacks by blocking container drift in production: Drift Control automatically flags and denies deviations from the original container, blocking malicious executables before damage is done.
- Enforce immutability best practice: Drift Control ensures that container software is not modified during its lifetime, driving good practices, consistency from source to run, and preventing actions that could be part of an attack.
- Enable easy and effective security: Teams are often overwhelmed by cloud-native complexity and blind to container drift, especially at scale. With Drift Control, security teams and IT can just enable it on the entire container environment and immediately start protecting runtime.
Use Drift Control
The Drift Control policy has the following unique attributes:
- It includes only one pre-configured rule, which cannot be edited, and no other rules can be added to Drift Control policies.
- It is a custom policy, not a managed policy.
Configure Sysdig Agent Setting (Optional)
No special setting is required for agent version 12.15 and above; the backend applies the required settings. You can skip to the next section.
For the agent 12.14.x release, the drift_killer flag must be set for drift detection to send events at all. Upgrading to agent 12.15+ is recommended.
For agent versions below 12.14, with the default agent configuration a Drift Control policy/rule stops a detected executable after it has already begun running. If a particular task must be blocked from ever starting, enable the following configuration in the agent config file:
drift_killer:
  enabled: true
Or, if using Helm, add the --set agent.sysdig.settings.drift_killer.enabled=true flag.
Configure Drift Control Custom Policy
In the Sysdig Secure UI:
Select Policies > Threat Detection|Runtime Policies to display the Runtime Policies page.
Click + Add Policy (at the top right of the page).
Select Container Drift policy type.
Configure the policy:
Basic Parameters
Name: Enter a policy name
Description: Provide a meaningful and searchable description
Enabled/Disabled: Toggle to enable the policy so that it generates events.
Severity: Choose the severity level you want to see in the Runtime Policies UI: High, Medium, Low, or Info.
Policy severity is subjective and is used to group policies within a Sysdig Secure instance.
Note: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.
If you enter a value here, a View Runbook option will be displayed in any corresponding Event.
Detect Parameters
Drifted Binaries: A drifted binary is any binary that was not part of the original image of the container. It is typically downloaded or compiled into a running container.
Click the toggle to dynamically detect execution of drifted binaries. If a detected binary attempts to run, Sysdig creates an alert, or denies the binary from running if Prevent is enabled.
Note: The Drifted Binaries option was formerly called dynamic deny list.
Exception: A user-defined list of binaries for which detection is skipped even if they have drifted. Provide the full paths of the binaries, separated by commas.
Prohibited Binaries: A user-defined list of binaries whose execution is blocked even if they were built into the image. Provide the full paths of the binaries, separated by commas.
Note: The Prohibited Binaries option was formerly called always deny.
Actions
Prevent: Toggle the Prevent action to stop the detected new executables from running.
Notify: Select a notification channel from the drop-down list for sending notification of events to appropriate personnel.
See also: Set Up Notification Channels.
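To make the interplay of the Detect Parameters and Actions above concrete, here is an added illustrative model of the policy decision. It is example code written for this page, not Sysdig's agent or backend code, and it makes one labelled assumption: that the Prevent toggle decides between alerting and denying for both drifted and prohibited matches. The image manifest and the exec events are constructed sample values.

```python
"""Illustrative model of a Drift Control policy decision (added example, not Sysdig code).

Models the Detect Parameters and Actions described on this page:
  - Drifted Binaries: an executable that is not part of the original image
  - Exception: drifted paths for which detection is skipped
  - Prohibited Binaries: denied even if they shipped with the image
  - Prevent: when on, a match is denied instead of only raising an alert
Assumption (not stated on the page): Prevent governs the action for prohibited
binaries the same way it does for drifted ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DriftPolicy:
    detect_drifted: bool = True         # "Drifted Binaries" toggle
    prevent: bool = False               # "Prevent" action toggle
    exceptions: frozenset = frozenset() # "Exception" list (full paths)
    prohibited: frozenset = frozenset() # "Prohibited Binaries" list (full paths)


def parse_path_list(text):
    """Parse the comma-separated 'full path' fields of the policy form.

    Whitespace around entries and empty entries are ignored; relative paths
    are rejected because the form asks for full paths.
    """
    paths = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.startswith("/"):
            raise ValueError(f"not a full path: {item!r}")
        paths.add(item)
    return frozenset(paths)


def evaluate_exec(policy, image_manifest, exec_path):
    """Return (verdict, reason) for one exec event.

    verdict is 'allow', 'alert' (event only) or 'deny' (Prevent is on).
    Prohibited binaries are checked first: they match even when they are in
    the image, and the exception list does not override them.
    """
    action = "deny" if policy.prevent else "alert"
    if exec_path in policy.prohibited:
        return action, "prohibited binary"
    if not policy.detect_drifted:
        return "allow", "drifted-binary detection is off"
    if exec_path in image_manifest:
        return "allow", "binary shipped with the image"
    if exec_path in policy.exceptions:
        return "allow", "drifted, but on the exception list"
    return action, "drifted binary"


# Constructed sample: executables recorded for the original container image
IMAGE_MANIFEST = frozenset({"/bin/sh", "/usr/bin/python3", "/usr/bin/curl", "/app/server"})

# Constructed sample exec events observed at runtime (path only)
SAMPLE_EXECS = [
    "/app/server",          # part of the image: allowed
    "/usr/bin/curl",        # in the image, but listed as prohibited
    "/tmp/debug-helper",    # drifted, but on the exception list
    "/tmp/downloaded-bin",  # drifted: alert, or deny when Prevent is on
]


def run_sample(prevent):
    """Evaluate the sample exec events under a policy with Prevent on or off."""
    policy = DriftPolicy(
        detect_drifted=True,
        prevent=prevent,
        exceptions=parse_path_list("/tmp/debug-helper"),
        prohibited=parse_path_list("/usr/bin/curl"),
    )
    return {path: evaluate_exec(policy, IMAGE_MANIFEST, path)[0] for path in SAMPLE_EXECS}


if __name__ == "__main__":
    for prevent in (False, True):
        print(f"Prevent={'on' if prevent else 'off'}")
        for path, verdict in run_sample(prevent).items():
            print(f"  {verdict:5s} {path}")
```

Running the block with Prevent off yields alerts for /usr/bin/curl and /tmp/downloaded-bin and allows the other two; with Prevent on those two alerts become denials. The exception list only rescues drifted binaries, which is why putting a path on both lists still results in a block.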
Check Events
When the policy is enabled, you can check for any detected events:
Log in to Sysdig Secure and select Events.
Type Drift in the filter bar to find where the Drift policy was triggered and drill down to examine the event details.