Manage Policies

Rules are not actionable until they are added to a runtime policy.

Create a Policy

  1. Select Policies and click +Add Policy.

  2. Fill out the form as described below, and click Save.

    The instructions below are divided into Basic Parameters, Rules, and Actions.


Define Basic Parameters

  • Name and Description: Provide meaningful, searchable descriptors

  • Policy Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI.

    Policy severity is subjective and is used to group policies within a Sysdig Secure instance.

    NOTE: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.

  • Policy Scope: Define the scope to which the policy will apply. Examples:


It may be useful to duplicate a policy and assign a different scope, to simplify policy handling.

Note that Kubernetes audit rules are processed as a separate data source, and policy scope does not apply to rules from that source. To limit where these rules fire, update the rule condition itself so that it references the Kubernetes resources you care about.
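As an added illustration (not part of the Sysdig documentation or its shipped rule set), the following Falco-style rule shows what "scoping through the condition" looks like for a Kubernetes audit rule: instead of relying on policy scope, the condition itself restricts the rule to one namespace. The rule name, the `production` namespace and the output text are constructed assumptions; the `kevt`, `pod`, `kcreate` and `privileged_containers` macros and the `ka.*` fields come from Falco's Kubernetes audit rule set.

```yaml
# Added example: a Kubernetes audit rule whose scope is set in the condition,
# because policy scope does not apply to the k8s audit data source.
# Assumption: the namespace "production" and the rule name are constructed
# for illustration; adjust them to your own environment.
- rule: Privileged Pod Created in Production Namespace
  desc: >
    Detect creation of a pod with a privileged container, limited to the
    production namespace by the condition rather than by policy scope.
  condition: >
    kevt and pod and kcreate
    and privileged_containers
    and ka.target.namespace = "production"
  output: >
    Privileged pod created in production namespace
    (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace
    images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, added_example]
```

Removing the `ka.target.namespace` clause makes the rule fire cluster-wide again, which is the behaviour you get by default when you attach an unscoped Kubernetes audit rule to a policy.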

Add Rules

You can select existing rules from the Library or create new rules on the fly and add them to a policy.

The Policy Editor interface provides many flexible ways to add rules to or remove rules from a Policy; the instructions below demonstrate one way.

See also: Manage Rules

Import from Library

  1. From the New Policy (or Edit Policy) page, click Import from Library.

    The Import from Rules Library page is displayed.

  2. Select the checkboxes by the rules to import.


    You can pre-sort a collection of rules by searching for particular keywords or tags, or by clicking a colored Tag icon.

  3. Click Mark for Import.


    A blue Import icon appears to the right of the selected rules and the Import Rules button is activated.

  4. Click Import Rules.

    The Policy page is displayed with the selected rules listed.



    You can remove a rule from a Policy by clicking the X next to the rule in the list.

Create a Rule from the Policy Editor

If you click New Rule instead of Import from Library, you will be linked to the procedure described in Create a Rule.

Define Actions

Determine what should be done if a Policy is violated.

  • Containers: Select what should happen to affected containers if the policy rules are breached:

    - Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.

    - Kill: Kills one or more running containers immediately.

    - Stop: Allows a graceful shutdown (10 seconds) before killing the container.

    - Pause: Suspends all processes in the specified containers.

    For more information about the stop and kill commands, see Docker's documentation.

  • Capture: Toggle Capture ON if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.

    See also: Captures.

  • Notification Channels: Select a notification channel from the drop-down list, for sending notification of events to appropriate personnel.

    See also: Set Up Notification Channels.

Edit a Policy

Both default and user-defined policies can be edited freely. Select a policy to view its details, as described above.

Delete a Policy

Default policies are only auto-installed when Sysdig Secure is installed for the first time. If you delete a default policy and subsequently upgrade, that policy will not be recreated.