Runtime Policy Tuning [Beta]

The Runtime Policy Tuning feature helps reduce noisy false positives in the Sysdig Secure Events feed. Built on top of the Falco Rules Tuner, it automatically adds Exceptions to rules, suppressing particularly noisy sets of policy events and leaving the lower-volume events for later analysis.

The tuner may be especially helpful when deploying Sysdig Secure runtime policies in a new environment. Your environment may include applications that legitimately perform actions such as running Docker clients in containers, changing namespaces, or writing below binary directories, but which trigger unwanted floods of related policy events in the default policies and rules provided by Sysdig.

tuner_basic.png

Note

Earlier versions of Sysdig used the Falco Rules Tuner (Legacy).

Using Runtime Policy Tuner

Prerequisites

  • Sysdig agent 11.0.0+

  • Sysdig SaaS

Please contact Sysdig Support to make this feature available in your environment.

Enable, View, Edit Exceptions, Disable

The tuner is enabled and disabled as needed to tame false positives and optimize the use of the Events feed. By default, it is disabled.

  1. Log in to Sysdig Secure as Admin and choose Policies > Runtime Policy Tuning.

    tuner_menu.png
  2. Enable the feature with the Tuning Engine toggle.

    It may take up to 24 hours to see the initial Applied Tuning Exceptions listed in the left panel.

    tuner_basic.png

    In the background, the tuner evaluates policy events as they are received by the Sysdig backend, finds applicable exception values, and adds them. The Applied Tuning Exceptions file is passed along to all Sysdig agents, along with the rules and policies.

  3. If needed, you can edit the Exceptions created directly in the left-hand panel.

    Any changes will be retained as the tuner evaluates additional events. Review each exception before leaving it in place: the tuner selects on event volume alone, so it will also except a high-volume stream that you would rather keep seeing.

  4. Toggle the Tuning Engine off once the feature has addressed the most commonly occurring (unwanted) policy events.

    NOTE: Any exceptions in the Applied Tuning Exceptions panel will still be passed along to agents.

    To start over from scratch, clear the Applied Tuning Exceptions text and re-enable with the Tuning Engine toggle.

Understanding How the Tuning Engine Works

When Does the Tuner Add Exceptions?

The Policy Tuning feature is conservative, only adding exceptions for commonly occurring events for a single rule with similar attributes.

All three of the following conditions must be met:

  • The rule has generated at least 100 policy events

  • The average rate of events over the measurement period is greater than 1 event per second

  • A candidate set of exception values is applicable to at least 50% of the events in that period

This ensures the tuning feature only adds exceptions for high-volume sets of events that can be easily addressed with a single set of exception values.

Exceptions Behind the Scenes

If you want to understand the process of exception insertion by the tuner, consider a sample rule:

- rule: Write below root
  desc: an attempt to write to any file directly below / or /root
  condition: root_dir and evt.dir = < and open_write
  exceptions:
    - name: proc_writer
      fields: [proc.name, fd.filename]

And a stream of policy events with outputs such as:

File below / or /root opened for writing (user=root user_loginuid=-1 command=/usr/local/bin/my-app-server parent=java file=/state.txt program=my-app-server container_id=a97d44bbe437 image=my-registry/app-server:latest)
File below / or /root opened for writing (user=root user_loginuid=-1 command=/usr/local/bin/my-app-server parent=java file=/state.txt program=my-app-server container_id=a97d44bbe437 image=my-registry/app-server:latest)
File below / or /root opened for writing (user=root user_loginuid=-1 command=/usr/local/bin/my-app-server parent=java file=/state.txt program=my-app-server container_id=a97d44bbe437 image=my-registry/app-server:latest)
File below / or /root opened for writing (user=root user_loginuid=-1 command=/usr/local/bin/my-app-server parent=java file=/state.txt program=my-app-server container_id=a97d44bbe437 image=my-registry/app-server:latest)

Then the tuner would add the following exception values to address the false positives:

- rule: Write below root
  exceptions:
    - name: proc_writer
      values:
        - [my-app-server, /state.txt]
  append: true

See the Falco proposal for more background information on using exceptions.
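To make the three thresholds from "When Does the Tuner Add Exceptions?" and the "Write below root" walk-through concrete, the following is an added toy model written for this page; it is not Sysdig's tuner and is not code from the Sysdig or Falco projects. It applies the volume, rate and coverage conditions quoted above to a constructed event stream and prints the append-style rule fragment. Assumptions: the measurement period is the time span of the rule's events, floored at one second; when several exception slots qualify, the one covering the most events wins; the "Change thread namespace" and "Launch Privileged Container" exception slots, and all event data, are made up for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds as stated on this page; all three must hold before a rule is tuned.
MIN_EVENTS = 100     # rule must have produced at least this many policy events
MIN_RATE = 1.0       # average events per second over the measurement period
MIN_COVERAGE = 0.5   # one set of exception values must match >= 50% of the events


@dataclass
class Event:
    rule: str       # name of the rule that fired
    ts: float       # epoch seconds
    fields: dict    # Falco field name -> value, e.g. {"proc.name": "my-app-server"}


# Exception slots each rule declares (name -> ordered field list), mirroring the
# `exceptions:` block of the rule definition. Slots other than
# "Write below root"/"proc_writer" are assumptions made for this example.
RULE_EXCEPTIONS = {
    "Write below root": {"proc_writer": ["proc.name", "fd.filename"]},
    "Change thread namespace": {"proc_name": ["proc.name"]},
    "Launch Privileged Container": {"image": ["container.image.repository"]},
}


def measurement_period(events):
    """Seconds spanned by the events, floored at 1 s so a burst still has a rate."""
    stamps = [e.ts for e in events]
    return max(1.0, max(stamps) - min(stamps))


def best_candidate(rule, events):
    """Pick the exception slot whose most common value set covers the most events.

    Returns (slot_name, values, coverage) or None if no slot reaches MIN_COVERAGE.
    """
    best = None
    for slot, fields in RULE_EXCEPTIONS.get(rule, {}).items():
        counts = Counter(tuple(e.fields.get(f) for f in fields) for e in events)
        values, n = counts.most_common(1)[0]
        if None in values:          # an event lacked one of the fields: not a usable set
            continue
        coverage = n / len(events)
        if coverage >= MIN_COVERAGE and (best is None or coverage > best[2]):
            best = (slot, list(values), coverage)
    return best


def tune(events):
    """Apply the three thresholds per rule; return {rule: (slot_name, values)}."""
    by_rule = defaultdict(list)
    for e in events:
        by_rule[e.rule].append(e)
    applied = {}
    for rule, evs in by_rule.items():
        if len(evs) < MIN_EVENTS:
            continue                                # condition 1: volume
        if len(evs) / measurement_period(evs) <= MIN_RATE:
            continue                                # condition 2: rate
        cand = best_candidate(rule, evs)
        if cand is None:
            continue                                # condition 3: coverage
        applied[rule] = (cand[0], cand[1])
    return applied


def render_applied_exceptions(applied):
    """Render the result in the `append: true` rule-fragment form shown above."""
    lines = []
    for rule, (slot, values) in sorted(applied.items()):
        lines += [f"- rule: {rule}", "  exceptions:", f"    - name: {slot}",
                  "      values:", f"        - [{', '.join(values)}]", "  append: true"]
    return "\n".join(lines) + "\n"


def sample_events():
    """Constructed event stream (not real telemetry) exercising each threshold."""
    t0 = 1_700_000_000.0
    evs = []
    # 120 writes of /state.txt by my-app-server, two per second: the false positive
    for i in range(120):
        evs.append(Event("Write below root", t0 + i * 0.5,
                         {"proc.name": "my-app-server", "fd.filename": "/state.txt"}))
    # 30 writes by assorted other programs in the same minute; these stay visible
    for i in range(30):
        evs.append(Event("Write below root", t0 + i * 2,
                         {"proc.name": f"tool{i}", "fd.filename": f"/scratch{i}"}))
    # 150 identical namespace changes spread over ~10 minutes: volume and coverage
    # pass but the rate (0.25/s) does not, so no exception is added
    for i in range(150):
        evs.append(Event("Change thread namespace", t0 + i * 4, {"proc.name": "runc"}))
    # Only 20 events for this rule: below MIN_EVENTS, never tuned
    for i in range(20):
        evs.append(Event("Launch Privileged Container", t0 + i,
                         {"container.image.repository": "my-registry/debug"}))
    return evs


if __name__ == "__main__":
    print(render_applied_exceptions(tune(sample_events())), end="")
```

Running the block prints only the "Write below root" fragment with `[my-app-server, /state.txt]`: the 30 scattered writes are outvoted by the 120 identical ones, the namespace rule fails the rate check despite having 150 identical events, and the privileged-container rule never reaches 100 events. Because the coverage check keys on the exception's declared fields, a rule whose events lack one of those fields gets no exception at all rather than a partial one.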