Among many other features Sysdig Secure version 2.4 introduces a new and improved runtime policy editor, along with a comprehensive library combining out-of-the-box run-time policies from our threat research teams, container-specific compliance standards, Kubernetes security and Falco opensource community rules. This UX overhaul brings three major improvements for every Sysdig Secure user:
- Runtime policies can import any number of security rules and auto-generated image profiles. You can scope the security policy using container, cloud and Kubernetes metadata.
- Tighter Falco integration, directly from the web UI. You will be able to define a new trigger condition or append to the list of forbidden external IPs just clicking on the rule.
- A more structured way to group, classify and lookup rules, following the standard Cloud native procedure: tags and labels.
- **Where this rule comes from **(Published By). The security team can instantly recognize whether a rule came from a specific Sysdig update, from a custom rules file created within the organization or from an external rules source (like the Falco community rules).
- When was the last time it was updated (Last Updated). You can use this information to audit your rules or if you schedule periodic updates, to confirm when last happened.
- Rule tags: An effective method for organizing your rules. You can use these tags to describe the targeted entity (host, k8s, process), the compliance standard it belongs to (MITRE, PCI, CIS Kubernetes) or any other criteria you want to use to annotate your rules.
- Falco macro conditions
- List elements
- Click on the rule once to display a side panel containing the Falco rule syntax. This rule uses macros and lists to define desired trigger conditions and exceptions.
- These macros and lists are highlighted, signaling that you can click on them to pop-up an inline editing dialog. Through this form, you can add your container image name to the
Creating a new runtime security ruleIn addition to visualizing and editing existing rules, you can, of course, create new runtime security rules. If your rule needs to whitelist or blacklist a set of:
- Container images
- File system operations (read/write directories, read directories)
- TCP/UDP ports, or inbound / outbound network connections
- Spawned processes
- System calls
kevt, namespace, kcreate) and a list of
allowed_namespaces. Updating the list of allowed / forbidden elements related with a security rule is an extremely common task (i.e. adding a new valid namespace). This new version of the interface also allows you to create and edit Falco Lists and Falco Macros, making these kind of iterative updates a breeze:
The new Sysdig Secure policy editorRules need to be included as part of a policy to become an actionable item. These policies can be listed, created or edited from the new Sysdig Secure policy interface: Using the new Secure policy editor interface you can:
- Import one or several rules that will trigger this policy, directly from the Rules Library or creating new rules from this interface.
- **Scope the policy **using labels and tags. Enforcing this rule over a Kubernetes namespace or the hosts in a specific availability zone, to give you an example.
- Configure automated remediation actions: stop the container, create a capture to enable advanced container forensics or forward the event to a SIEM platform.
Wrapping upThe policy editor overhaul released in Sysdig Secure 2.4 goes beyond the productivity and usability improvements, enabling a new set of features for you:
- Falco rules, macros and lists, tightly integrated with the interface.
- Out of the box runtime compliance standards, tagged using the different sections of the standard.
- Multiple runtime rules and image profiles per runtime policy.