Sysdig Documentation

Policies

This page introduces Sysdig policies and the rules that comprise them, providing the conceptual background needed to create, edit, and apply security policies in your own environment.

Understanding Sysdig Secure Policies

A Sysdig Secure policy combines the rules describing activities an enterprise wants to detect in an environment, the actions to take when a rule in the policy is triggered, and, optionally, the notifications to send. A number of policies are delivered out of the box and can be used as-is, duplicated, or edited as needed. You can also create policies from scratch, using predefined rules or custom rules you write yourself.

Reviewing the Runtime Policies UI

Select Policies > Runtime Policies to see the default Policies included with Sysdig Secure.

From this overview, you can:

See at a Glance

  • Severity Level: Default policies are assigned High, Medium, Low, or Info severity, which can be edited.

  • Enabled/Not Enabled: shown by the toggle position.

  • Policy Summary

    Includes update status, the number of rules, the actions to take on affected containers (Stop | Pause | Notify), and capture details, if any.

Take Action

From this panel you can also:

  • Drill down to policy details (and potentially edit them)

  • Search and filter policies by name or severity level

  • Enable/Disable a policy using the toggle

  • Create a new policy using the +Add Policy button

Understanding Sysdig Secure Rules

Rules are the fundamental building blocks you will use to compose your security policies. A rule is any type of activity that an enterprise would want to detect in its environment.

Rules can be expressed in two formats:

  • Falco rules syntax

  • Fast rules syntax, which is simply a whitelist/blacklist of items.

    Fast rules are grouped into five types: Container Image, File System, Network, Process, and Syscall.

The Sysdig Secure UI groups rules into the different types and provides appropriate rule-creation entry screens for each type. (See also: Create a Rule.)

Note

Default rules show Sysdig in the Published By column; rules you create yourself show Secure UI.

Default rules cannot be deleted and have limitations on what can be edited. See Edit a Rule for details.

Falco Rules

See Using Falco within Sysdig Secure for a Falco overview.

Note that Falco rules can be more complex and nuanced than the Fast rule types.

Fast Rules

Fast rules provide simple detections of processes, network connections, and other operations. For example:

  • If this process is detected, alert me.

    Or

  • If a network connection on x port is detected, alert me.

Unlike Falco rules, the Fast rule types do not permit complex rule combinations, such as "If a connection on x port from y IP address is detected..."

The five Fast Rule Types are described below.

Container Rules

These rules are used to notify if a specific image name is running in an environment.

File System Rules

These rules are used to notify if there is write activity to a specific directory/file.

Network Rules

These rules are used to:

  • Detect activity on ports in a specified list, or on any port outside a trusted list

  • Notify in case of unexpected inbound/outbound connections

Process Rules

These rules are used to detect if a specific process, such as SSH, is running in a particular area of the environment.

Syscall Rules

Note

The syscall rule type is almost never deployed in user-created policies; the definitions below are for information only.

These rules are used (internally) to:

  • Notify if a syscall on a specified list occurs

  • Notify if a syscall outside a trusted list occurs in the environment

Understanding the Rules Library

The Rules Library includes all rules that can be referenced in policies. Out of the box, it provides a comprehensive runtime security library with container-specific rules (and predefined policies) developed by Sysdig's threat-research teams, Falco's open-source community rules, and rules mapped to frameworks and benchmarks such as MITRE ATT&CK and CIS.

Audit-Friendly Features

In the Rules Library interface, you can see at a glance:

  • Published By

  • Last Updated

for enhanced traceability and audit.

Tags

Rules are categorized by tags, so you can group them by functionality, security standard, target, or whatever schema makes sense for your organization.

Various tags are predefined and can help you organize rules into logical groups when creating or editing policies.

Search

Use the search boxes at the top to search by rule name or by tag.

Using Falco within Sysdig Secure

What is Falco

Falco is an open-source intrusion detection and activity monitoring project. Designed by Sysdig, the project has been donated to the Cloud Native Computing Foundation, where it continues to be developed and enhanced by the community. Sysdig Secure incorporates the Falco Rules Engine as part of its Policy and Compliance modules.

Within the context of Sysdig Secure, most users will interact with Falco primarily through writing or customizing the rules deployed in the policies for their environment.

Falco rules consist of a condition under which an alert should be generated and an output string to send with the alert.

Conditions

  • Falco rules use the Sysdig filtering syntax.

    (Note that much of the rest of the Falco documentation describes installing and using it as a free-standing tool, which is not applicable to most Sysdig Secure users.)

  • Rule conditions are typically made up of macros and lists.

    • Macros are simply rule condition snippets that can be re-used inside rules and other macros, providing a way to factor out and name common patterns.

    • Lists are, as the name suggests, named lists of items that can be included in rules, macros, or other lists. Unlike rules and macros, they cannot be parsed as Sysdig filtering expressions; their items are substituted into the condition that references them.

Behind the scenes, the falco_rules.yaml file contains the raw code for all the Falco rules in the environment, including Falco macros and lists.

Anatomy of a Falco Rule

All Falco rules include the following base parameters:

  • rule name: default or user-assigned; it identifies the rule and appears in the resulting policy events

  • condition: the filtering expression (fields, operators, macros, and lists) that an event must match for the rule to fire

  • output: the message template sent with the alert; %field tokens such as %proc.cmdline are expanded from the matching event

  • source: the event stream the rule applies to (syscall for kernel events, k8s_audit for Kubernetes audit events)

  • description: a plain-language statement of what the rule detects (the desc key in Falco YAML)

  • tags: for searching and sorting

  • priority: the severity assigned to the event, from EMERGENCY down to DEBUG

Select a rule from the Rules Library to see or edit its underlying structure. The same structure applies when creating a new Falco rule and adding it to the library.
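The following is an added example, not a rule from the Sysdig or Falco default rule set, showing every base parameter above in Falco YAML. It also expresses the compound network condition that the Fast rule types cannot (a connection on a given port from a client outside a trusted set) by combining a list, a macro, and a rule. The list, macro, and rule names, the ports, and the client addresses are hypothetical; container is the default Falco macro (container.id != host), and the evt.*, fd.*, proc.*, and container.* fields are standard Sysdig filter fields.

```yaml
# Added example: not from the Sysdig documentation or the default rule set.
# List, macro and rule names, ports and client addresses are hypothetical.

# Lists are plain item collections; they are substituted into conditions,
# not parsed as filter expressions themselves.
- list: db_listen_ports
  items: [5432, 3306]

- list: trusted_db_clients
  items: ['"10.20.0.5"', '"10.20.0.6"']

# A macro is a reusable condition fragment: inbound TCP accepts on a DB port.
- macro: inbound_db_connection
  condition: >
    (evt.type = accept and evt.dir = < and fd.l4proto = tcp
     and fd.sport in (db_listen_ports))

# The rule combines the macro with a second, independent test on the client
# address. `container` is the default Falco macro (container.id != host).
- rule: DB Port Accessed From Untrusted Client
  desc: Inbound connection to a database listen port from a client not in the trusted list
  condition: >
    inbound_db_connection and container
    and not fd.cip in (trusted_db_clients)
  output: >
    Inbound DB connection from untrusted client
    (client=%fd.cip:%fd.cport server_port=%fd.sport proc=%proc.name
     command=%proc.cmdline container=%container.name
     image=%container.image.repository)
  priority: WARNING
  source: syscall
  tags: [network, database, example]
```

The rule fires only when both parts of the condition hold, which is exactly the "port x from address y" combination the Fast rule types cannot express. Keep the port and client lists separate from the rule so that an operations team can update the trusted set without touching the detection logic.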

(Screenshots: the structure of an existing rule, and the Create a Rule screen.)

About Falco Macros

Many of the Falco rules in the Rules Library contain Falco macros in their condition code.

You can browse the Falco Macros list, examine a macro's underlying code, or create your own macro. The default Falco rule set defines a number of macros that make it easier to start writing rules. These macros provide shortcuts for common scenarios and can be used in any user-defined rule set.

To override the behavior of the default macros included in Sysdig Secure policies and rules, use the Rules Editor.

About Falco Lists

Default Falco lists are provided to make writing custom rules for your environment easier.

For example, the list allow.inbound.source.domains can be customized and easily referenced within any rule.
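An added example (not from the Sysdig documentation) of the two ways a custom rules file changes default definitions: extending a default list with append: true, and replacing a default macro by redefining it under the same name. allow.inbound.source.domains is the default list named above. user_known_write_below_etc_activities and the rule Write below etc come from the Falco default rule set, where the macro is defined as (never_true) specifically so that it can be overridden; the process name and path are hypothetical, and you should confirm both names exist in your Rules Library before relying on them.

```yaml
# Added example: not from the Sysdig documentation or the default rule set.
# Process name and path are hypothetical.

# 1. Extend a default list. With append: true the items are added to the
#    existing list; without it, this definition would replace the default
#    list entirely, silently discarding Sysdig's entries.
- list: allow.inbound.source.domains
  items: ['"partner.example.net"']
  append: true

# 2. Replace a default macro. No append, so the new condition replaces the
#    default (never_true): rules that use this macro as an exception now
#    ignore writes by the (hypothetical) agent under /etc/myagent.
- macro: user_known_write_below_etc_activities
  condition: (proc.name = myagent and fd.directory startswith /etc/myagent)

# 3. Narrow a default rule instead of disabling it. With append: true the
#    text is appended to the rule's existing condition, so it must start
#    with a boolean operator.
- rule: Write below etc
  condition: and not (proc.name = myagent and fd.directory startswith /etc/myagent)
  append: true
```

Falco applies definitions in load order and a later definition of the same name wins, so overrides belong in the custom rules file, which is loaded after the default rule set. Prefer appending to a rule or overriding a user_known_* macro over disabling the rule outright: the detection stays active for every process except the one you have explicitly excepted.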

(On-Prem Only) Upgrading Falco Rules with the Rules Installer

Sysdig Secure SaaS always uses the most up-to-date Falco rules set.

Sysdig Secure On-Prem accounts should upgrade their Falco rules set regularly.

Rules Installer

See the Rules Installer page for the Docker pull command and instructions.