Rapid Response
Rapid Response team members get a full interactive shell on the host from the Sysdig Secure UI. Responsibility for securing this powerful feature, including who is granted it, rests with you, your enterprise, and your designated employees.
See also: Rapid Response.
Note: You can also install Rapid Response on Kubernetes.
Prerequisites
Retrieve your Sysdig access key and export it as SYSDIG_ACCESS_KEY=<your-access-key> for the installation command.
Look up the Sysdig Secure endpoint for your region (SaaS) and export it as SYSDIG_API_URL=https://<sysdig-url>. For on-prem installations this value is the URL of your own Sysdig deployment.
Choose the password that will encrypt all traffic between the user and the host, and store it securely; you pass it to the host component at installation time.
Sysdig cannot recover this password. If it is lost, you will not be able to start a session, and no existing session logs will be recoverable.
Installation
Run the following Docker command to start the Rapid Response host component on the host you want to reach:

```sh
docker run --hostname "$HOST_NAME" -d quay.io/sysdig/rapid-response-host-component:latest \
  --endpoint "$SYSDIG_API_URL" --access-key "$SYSDIG_ACCESS_KEY" --password "$PASSWORD"
```

This starts the Rapid Response Host Component container. Docker's --hostname flag sets the container's hostname, and the Sysdig API endpoint, access key, and session password are passed to the host component as command-line arguments rather than environment variables. Arguments passed this way are visible to anyone who can run docker inspect on the host or read the container's process list, so restrict access to the Docker daemon to the operators who are allowed to start sessions.
To customize the container, create a Dockerfile that installs additional scripts or command-line utilities, for example kubectl or gcloud. The Alpine Linux base image used by the Sysdig container does not include bash by default, so install it with the apk package manager. Any custom scripts or other directives go in the same Dockerfile:

```dockerfile
# Take the Rapid Response host component binary from the official image ...
FROM quay.io/sysdig/rapid-response-host-component:latest AS base-image

# ... and place it on a fresh Alpine base where extra tooling can be installed
FROM alpine:3.13
COPY --from=base-image /usr/bin/host /usr/bin/host
RUN apk update && \
    apk add bash && \
    rm -rf /var/cache/apk/*
# add custom scripts and other directives
ENTRYPOINT ["host"]
```

Once you have built the custom image, use it in place of quay.io/sysdig/rapid-response-host-component:latest in the docker run command above. Make sure the ENTRYPOINT directive still runs the host binary, as in the example, so that the container starts the host component when it starts up.
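As an added example (not Sysdig's own tooling and not part of the original page), the following POSIX shell wrapper puts the prerequisites and the docker run command above into a checkable form: it rejects a non-TLS endpoint, an empty access key and a short session password before anything is started, optionally pins the image by sha256 digest instead of the mutable :latest tag, and prints a redacted copy of the command for review. The rr_* function names, the RR_IMAGE, RR_IMAGE_DIGEST, RR_DRY_RUN and RR_AUTORUN variables and the 16-character password minimum are this script's own assumptions; SYSDIG_API_URL, SYSDIG_ACCESS_KEY, PASSWORD and HOST_NAME are the variable names already used on this page.

```shell
#!/bin/sh
# Added example (not Sysdig's own tooling): a wrapper around the docker run
# command from this page. It validates the prerequisites before anything is
# sent to Sysdig, lets the operator pin the image to a digest instead of :latest,
# and can print a review copy of the command with the credentials masked.
# Assumptions: the rr_* functions and the RR_IMAGE, RR_IMAGE_DIGEST, RR_DRY_RUN
# and RR_AUTORUN variables are this script's own; SYSDIG_API_URL,
# SYSDIG_ACCESS_KEY, PASSWORD and HOST_NAME are the names used on the page.

RR_IMAGE="${RR_IMAGE:-quay.io/sysdig/rapid-response-host-component}"

# rr_image_ref [DIGEST]
# Prints the image reference to run. Without a digest this is the :latest tag
# used on the page; with one (sha256:<64 hex>) the pull is content-addressed,
# so a retagged :latest cannot silently change the binary that gets a shell
# on this host. Returns 1 and prints a reason for a malformed digest.
rr_image_ref() {
    rr_d="$1"
    if [ -z "$rr_d" ]; then
        printf '%s:latest\n' "$RR_IMAGE"
        return 0
    fi
    rr_hex="${rr_d#sha256:}"
    if [ "$rr_hex" = "$rr_d" ] || [ "${#rr_hex}" -ne 64 ]; then
        echo "digest must be sha256:<64 hex characters>" >&2
        return 1
    fi
    case "$rr_hex" in
        *[!0-9a-f]*) echo "digest contains non-hex characters" >&2; return 1 ;;
    esac
    printf '%s@%s\n' "$RR_IMAGE" "$rr_d"
}

# rr_check_prereqs ENDPOINT ACCESS_KEY PASSWORD
# Returns 0 when the three prerequisite values look usable, 1 otherwise.
rr_check_prereqs() {
    rr_url="$1"; rr_key="$2"; rr_pw="$3"
    # The host component talks to Sysdig over TLS; refuse a plaintext endpoint.
    case "$rr_url" in
        https://*) ;;
        *) echo "endpoint must start with https:// (got '$rr_url')" >&2; return 1 ;;
    esac
    [ -n "$rr_key" ] || { echo "access key is empty" >&2; return 1; }
    # The password encrypts every session and Sysdig cannot recover it, so a
    # weak or empty value is a permanent problem; 16 characters is this
    # script's minimum, not a Sysdig requirement.
    if [ "${#rr_pw}" -lt 16 ]; then
        echo "password must be at least 16 characters" >&2
        return 1
    fi
    return 0
}

# rr_review_cmd HOSTNAME ENDPOINT [DIGEST]
# Prints the docker run command one token per line for review, with the access
# key and password masked: the real command carries both in argv, where anyone
# who can run docker inspect or read the container's process list can see them.
rr_review_cmd() {
    rr_ref=$(rr_image_ref "$3") || return 1
    printf '%s\n' docker run --hostname "$1" -d "$rr_ref" \
        --endpoint "$2" --access-key '<redacted>' --password '<redacted>'
}

rr_main() {
    rr_check_prereqs "$SYSDIG_API_URL" "$SYSDIG_ACCESS_KEY" "$PASSWORD" || return 1
    rr_host="${HOST_NAME:-$(hostname)}"
    if [ "${RR_DRY_RUN:-0}" = 1 ]; then
        rr_review_cmd "$rr_host" "$SYSDIG_API_URL" "$RR_IMAGE_DIGEST"
        return $?
    fi
    rr_ref=$(rr_image_ref "$RR_IMAGE_DIGEST") || return 1
    docker run --hostname "$rr_host" -d "$rr_ref" \
        --endpoint "$SYSDIG_API_URL" --access-key "$SYSDIG_ACCESS_KEY" --password "$PASSWORD"
}

# Only start the container when explicitly asked, so the file can also be
# sourced to reuse the checks without touching docker.
if [ "${RR_AUTORUN:-0}" = 1 ]; then
    rr_main "$@"
fi
```

Run it as RR_DRY_RUN=1 RR_AUTORUN=1 sh start-rapid-response.sh to see the redacted command it would execute, then without RR_DRY_RUN to start the container. To obtain a digest to pin, pull the image once and run docker inspect --format '{{index .RepoDigests 0}}' quay.io/sysdig/rapid-response-host-component:latest, which prints repository@sha256:…; pass the sha256:… part as RR_IMAGE_DIGEST. If you build the custom image from the Dockerfile above, set RR_IMAGE to your own repository name instead.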
After you install Rapid Response, configure team(s) to use it.
Configure Log Storage
To save session logs, you must configure custom storage for Rapid Response.
If you are using the default storage for capture files, configure an AWS S3 bucket or a custom S3-compatible bucket to store Rapid Response log files after each session. If you have already configured an S3 bucket for Captures, Rapid Response logs are routed there automatically, into their own folder.
For SaaS Users with Sysdig Secure Only: Contact Sysdig Support for help to create a custom S3 bucket for rapid response logs.
Next Steps
Install the Agent as a container
Install the Host Scanner as a container