Sysdig Platform CLI - Runtime Policies
This section describes the Sysdig Secure runtime policy commands provided by sdc-cli and the notation used in their output.
Usage
The Policies section contains the following subcommands:
$ sdc-cli policy --help
Usage: sdc-cli policy [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
add Add a policy
add-json Add a policy from a json file
del Delete policies
events Get policy events
events_old Get policy events (Use only on old onprem installations)
falco-list Sysdig Secure policy falco list operations
falco-macro Sysdig Secure policy falco macro operations
get Get policy
get-falco Get a falco rules file
list List all policies
rule Sysdig Secure policy rule operations
set-falco Set a falco rules file
update Update a policy
update-default Create default policies using the current system falco rules
update-json Update a policy form a json file
List Runtime Policies
You can list all the existing policies in Secure with:
sdc-cli policy list
id      name                                    severity  enabled
157883  Disallowed Network Activity             4         True
157884  Suspicious Filesystem Changes           0         True
157885  Notable Filesystem Changes              0         True
157886  Suspicious Package Management Changes   0         True
157887  Suspicious Filesystem Reads             4         True
157888  Unexpected Spawned Processes            4         True
157889  Unexpected Process Activity             4         True
157890  Inadvised Container Activity            4         False
157891  Suspicious Container Activity           0         False
157909  Terminal shell in container             0         True
Display more information from a Policy
You can view the details of a policy if you execute:
$ sdc-cli policy get 157883
id: 157883
name: Disallowed Network Activity
description: Identified network activity outside of an explicitly defined set
severity: 4
enabled: False
ruleNames: ['Disallowed SSH Connection', 'Unexpected outbound connection destination', 'Unexpected inbound connection source']
actions: []
notificationChannelNames: []
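As an added example (not part of the sdc-cli project or of this page), the following POSIX shell script runs two small audits over the text that sdc-cli policy list and sdc-cli policy get print: one lists the policies whose enabled column is False, the other detects a policy whose actions and notification channel lists are both empty, so that a violation only produces an event in the feed. The sample inputs are the two outputs shown above, embedded as constructed data; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the sdc-cli project: audit the text printed by
# `sdc-cli policy list` and `sdc-cli policy get`. Function names are my own.

# Constructed input: the `policy list` table shown above.
SAMPLE_LIST='id name severity enabled
157883 Disallowed Network Activity 4 True
157884 Suspicious Filesystem Changes 0 True
157885 Notable Filesystem Changes 0 True
157886 Suspicious Package Management Changes 0 True
157887 Suspicious Filesystem Reads 4 True
157888 Unexpected Spawned Processes 4 True
157889 Unexpected Process Activity 4 True
157890 Inadvised Container Activity 4 False
157891 Suspicious Container Activity 0 False
157909 Terminal shell in container 0 True'

# Constructed input: the `policy get 157883` dump shown above.
SAMPLE_GET="id: 157883
name: Disallowed Network Activity
description: Identified network activity outside of an explicitly defined set
severity: 4
enabled: False
ruleNames: ['Disallowed SSH Connection', 'Unexpected outbound connection destination', 'Unexpected inbound connection source']
actions: []
notificationChannelNames: []"

# Read a `policy list` table on stdin and print "id<TAB>name" for each policy whose
# enabled column is False. Names contain spaces, so the id is the first field, enabled
# the last, severity the one before it, and the name is every field in between.
disabled_policies() {
  awk 'NR > 1 && $NF == "False" {
    name = $2
    for (i = 3; i <= NF - 2; i++) name = name " " $i
    print $1 "\t" name
  }'
}

# Read a `policy get` dump on stdin. Succeed (exit 0) when both the actions list and
# the notification channel list are empty: a violation of such a policy is only
# written to the event feed; nothing is stopped, captured or notified. Fail otherwise.
is_silent_policy() {
  awk '
    $1 == "actions:" && $2 == "[]" { no_actions = 1 }
    ($1 == "notificationChannelNames:" || $1 == "notificationChannelIds:") && $2 == "[]" { no_channels = 1 }
    END { exit !(no_actions && no_channels) }'
}

# Demo on the constructed samples (with a live installation, pipe the real
# `sdc-cli policy list` / `sdc-cli policy get ID` output into the functions instead).
printf '%s\n' "$SAMPLE_LIST" | disabled_policies
if printf '%s\n' "$SAMPLE_GET" | is_silent_policy; then
  echo "policy 157883 has no actions and no notification channel"
fi
```

Both functions read stdin, so they can be chained: the ids printed by disabled_policies can be fed one by one to sdc-cli policy get and each dump checked with is_silent_policy.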
Create a policy
You can create policies using the sdc-cli with the following options:
$ sdc-cli policy add --help
Usage: sdc-cli policy add [OPTIONS] NAME DESCRIPTION
NAME: the name of the new policy.
DESCRIPTION: Description of policy
Options:
--rule TEXT Rule name. It must be name instead of id, as the rules
list view is by name, to account for multiple rules
having the same name.
--action TEXT It can be a stop, pause and/or capture action
--scope TEXT Where the policy is being applied- Container, Host
etc.. (example: 'container.image.repository =
sysdig/agent')
--severity INTEGER How severe is this policy when violated. Range from 0
to 7 included.
--notenabled If the policy should not be considered
--notification TEXT Notification channel id to subscribe to the policy.
--help Show this message and exit.
You can specify multiple --rule, --action and --notification options. For example, if you want to create a copy of the policy previously shown, you could execute:
$ sdc-cli policy add \
--rule 'Disallowed SSH Connection' \
--rule 'Unexpected outbound connection destination' \
--rule 'Unexpected inbound connection source' \
--severity 4 \
'Disallowed Network Activity (copy)' \
'Identified network activity outside of an explicitly defined set'
id: 162448
name: Disallowed Network Activity (copy)
description: Identified network activity outside of an explicitly defined set
severity: 4
enabled: True
ruleNames: ['Disallowed SSH Connection', 'Unexpected outbound connection destination', 'Unexpected inbound connection source']
actions: []
notificationChannelIds: []
Update a policy
The policies can be updated with the following options:
$ sdc-cli policy update --help
Usage: sdc-cli policy update [OPTIONS] ID
ID: the id of the policy to update
Options:
--name TEXT A short name for the policy
--description TEXT Description of policy
--rule TEXT Rule name. It will replace the rules defined in the
policy
--action TEXT It can be a stop, pause and/or capture action. It will
replace the actions defined in the policy
--scope TEXT Where the policy is being applied- Container, Host
etc.. (example: 'container.image.repository =
sysdig/agent')
--severity INTEGER How severe is this policy when violated. Range from 0
to 7 included.
--notenabled If the policy should not be considered
--notification TEXT Notification channel id to subscribe to the policy.
--help Show this message and exit.
For example, to disable the policy created above (only the options you pass are changed; note that --rule and --action replace the policy's existing rules and actions rather than appending to them):
$ sdc-cli policy update 162448 --notenabled
id: 162448
name: Disallowed Network Activity (copy)
description: Identified network activity outside of an explicitly defined set
severity: 4
enabled: False
ruleNames: ['Disallowed SSH Connection', 'Unexpected outbound connection destination', 'Unexpected inbound connection source']
actions: []
notificationChannelIds: []
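The create and update sections above both take repeated --rule flags, and update replaces rather than appends. The following POSIX shell script, an added example that is not part of the sdc-cli project, builds those command lines from a newline-separated list of rule names, attaches a scope, actions and a notification channel, and shows how to change a policy's rule set without dropping the rules it already has. The SDC variable, the function names, NOTIFICATION_CHANNEL_ID and ANOTHER_RULE_NAME are my own placeholders; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the sdc-cli project: build `sdc-cli policy add` and
# `sdc-cli policy update` invocations from a newline-separated list of rule names.
# SDC is the command to run. It defaults to echo (a dry run that prints the command
# line); set SDC=sdc-cli to execute against Sysdig Secure.
SDC="${SDC:-echo}"
set -f   # rule names are split on newlines below; never glob-expand them

# Rules of the "Disallowed Network Activity" policy shown above, one per line.
NETWORK_RULES='Disallowed SSH Connection
Unexpected outbound connection destination
Unexpected inbound connection source'

# Create a policy limited to a scope, with stop and capture actions and one
# notification channel. Arguments: name, description, scope expression,
# severity (0-7), notification channel id, newline-separated rule names.
add_scoped_policy() {
  name=$1 desc=$2 scope=$3 severity=$4 channel=$5 rules=$6
  set --                     # rebuild "$@" as one --rule flag per rule
  IFS='
'
  for r in $rules; do set -- "$@" --rule "$r"; done
  unset IFS                  # back to default field splitting
  "$SDC" policy add "$@" \
    --action stop --action capture \
    --scope "$scope" \
    --severity "$severity" \
    --notification "$channel" \
    "$name" "$desc"
}

# Replace the rule set of an existing policy. `policy update --rule` replaces the
# rules already on the policy rather than appending, so pass every rule the policy
# should keep, not only the one being added.
replace_policy_rules() {
  id=$1 rules=$2
  set --
  IFS='
'
  for r in $rules; do set -- "$@" --rule "$r"; done
  unset IFS
  "$SDC" policy update "$id" "$@"
}

# Dry-run demo. NOTIFICATION_CHANNEL_ID is a placeholder for a real channel id.
add_scoped_policy 'Disallowed Network Activity (agent only)' \
  'Identified network activity outside of an explicitly defined set' \
  'container.image.repository = sysdig/agent' 4 NOTIFICATION_CHANNEL_ID \
  "$NETWORK_RULES"

# Add one more rule to the copy created above (id 162448 on this page) while keeping
# the three original rules. ANOTHER_RULE_NAME is a placeholder for a real rule name.
replace_policy_rules 162448 "$NETWORK_RULES
ANOTHER_RULE_NAME"
```

Running the script as-is prints the two command lines; running it with SDC=sdc-cli executes them. Keeping the rule list in one variable and always passing it whole is what prevents an update from silently shrinking a policy to a single rule.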
Delete policy
To remove the policy we have just created:
$ sdc-cli policy del 162448
Success
Create default policies
There’s a set of default policies available in Sysdig Secure. If you want to create them, you can execute:
$ sdc-cli policy update-default
The current default policies created are the following:
- Access Cryptomining Network
- All K8s Activity
- All K8s Object Modifications
- All K8s User Modifications
- Create Privileged Pod
- Disallowed Container Activity
- Disallowed K8s Activity
- Disallowed Network Activity
- Inadvised Container Activity
- Inadvised K8s Activity
- Inadvised K8s User Activity
- Notable Filesystem Changes
- Suspicious Container Activity
- Suspicious Filesystem Changes
- Suspicious Filesystem Reads
- Suspicious K8s Activity
- Suspicious K8s User Activity
- Suspicious Network Activity
- Suspicious Package Management Changes
- Unexpected Process Activity
- Unexpected Spawned Processes
- User Management Changes
List all events in the event feed
For more information about how to work with the runtime policy events, visit: sdc-cli policy events.
Work with Falco Lists
For more information about how to work with Falco Lists, visit: sdc-cli policy falco-list.
Work with Falco Macros
For more information about how to work with Falco Macros, visit: sdc-cli policy falco-macro.
Work with Rules
For more information about how to work with Rules, visit: sdc-cli policy rule.