Workload

Sysdig Secure delivers a variety of workload policies out of the box. You can edit them, duplicate to create a custom version, or create a new workload policy from scratch.

Search for Existing Policies

To review the existing Workload policies:

  1. Log in to Sysdig Secure and select Policies > Threat Detection Policies.

  2. Filter for Managed Policy and Workload.

  3. You can edit a managed policy, duplicate it to create a custom policy, or click + Add Policy, choose the Workload Policy Type, and configure it from scratch.

Configure a Workload Policy

Basic Parameters

Name: Enter a policy name

Description: Provide a meaningful and searchable description

Enabled/Disabled: Toggle to enable the policy so that it generates events.

Severity: Choose the severity level as you want it displayed in the Runtime Policies UI: High, Medium, Low, or Info.

Policy severity is subjective and is used to group policies within a Sysdig Secure instance.

Note: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.

Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.

Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.

If you enter a value here, a View Runbook option is displayed in any corresponding event.

Policy Rules

Add or edit policy rules as needed.

Define Actions

Determine what should be done if a Policy is violated.

Containers

Select what should happen to affected containers if the policy rules are breached:

Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.

Kill: Kills one or more running containers immediately.

Stop: Allows a graceful shutdown (10 seconds) before killing the container.

Pause: Suspends all processes in the specified containers.

For more information about the stop and kill commands, see Docker’s documentation.

If you are running agent version 12.10.0 or later, the agent can be configured to prevent kill/pause/stop actions, regardless of the policy.

To enable this, set the following parameter in dragent.yaml (the default is false):

security:
  ignore_container_action: true

See also: Understanding Agent Configuration.

Capture

Toggle Capture ON to create a capture when an event occurs, and define the number of seconds before and after the event that the snapshot should include.

As of June 2021, you can add the Capture option to policies covering events from both the Sysdig agent and Fargate serverless agents. Note that serverless agents do not support manual captures; you must toggle on the Capture option in the policy definition.

See also: Captures.

Notify

Select a notification channel from the drop-down list to send event notifications to the appropriate personnel.

See also: Set Up Notification Channels.