zPET - IBM Z and z/OS Platform Evaluation and Test - Group home

Sysdig Secure Installation and Setup Guide


Sysdig Secure Installation and Alert Management Guide

By Zechariah Castillo

Overview:

Sysdig Secure is part of Sysdig’s container intelligence platform. Sysdig uses a unified platform to deliver security, monitoring, and forensics in a cloud, container and microservices-friendly architecture integrated with Docker and Kubernetes. Sysdig Secure takes a services-aware approach to protect workloads while bringing deep cloud and container visibility, posture management (compliance, benchmarks, CIEM), vulnerability scanning, forensics and threat detection and blocking.

To begin the installation process, you will need an OpenStack or Kubernetes cluster that you want to monitor; the Sysdig agent is installed on that cluster.

Installation:

  1. Go to the Sysdig website and sign up for your free trial ( https://sysdig.com/ ).
  2. Once you are signed in, go to the “Events” tab to find the Helm install instructions for the Sysdig agent.
  3. Based on your type of installation, use the corresponding installation commands to install the Sysdig agent onto your OpenStack or Kubernetes cluster.
  4. NOTE: if installing on the s390x architecture, include the following in the --set portion of the last command: (--set daemonset.arch=s390x \)
  5. If the installation works properly, you should be able to return to the “Events” tab and create custom policies and rules.


Custom Policies:

Sysdig provides policies that are comprised of rules under the following categories:

There is also a variety of optional tools to help automate the creation of policies, such as:

How to Create a Custom Policy:

  • Go to the “Policy” tab
  • Click on “Add Policy”
  • Select the type of policy you want to create
  • Fill in the information about the policy you are creating
  • Select the scope of your project to determine exactly what the policy will monitor
  • Add custom or existing rules to your newly created policy
  • To add existing rules, select “Import from Library”, check the rules you would like to add, and import them.
  • To create a custom rule there are a few options:
    • You can create a rule from scratch
    • Fill in the required fields; the condition, output, and exceptions are written in open-source Falco syntax
    • It is easier to edit a rule if you select “Copy Rule as Code” and go to the Rules Editor
    • Inside the Rules Editor you can paste your code
    • The easiest way to add exceptions is through the Rules Editor
  • Once your rules are created or imported, click “Save” to save your new policy, then return to the “Policy” tab and enable it

Notifications:

  • Notifications can be enabled to send Sysdig alerts to you in multiple ways. Go to your user settings and select “Notifications”
  • Select “Add Notification Channel” and choose your form of notification
  • Note that you must be an admin in your Slack workspace to allow notifications from Sysdig

Sysdig Events:

  • Once you have your policies and notifications set up, you can see the Sysdig alerts come into your notification channel

IBM CNSA Spectrum Scale Testing:

  • The goal is to “ignore” alerts from specific processes that should not trigger them. For example, when a process in the ibm-spectrum-scale namespace creates a root shell, an alert would be sent, but it is unnecessary because this is part of the product's normal operation.
  • First create a custom policy and fill in the information needed for the scope of your policy
  • Custom rules can also be created and added to your policy during this process by using the “New Rule” button or by editing a rule from the library of existing rules
  • When creating a custom rule to filter out the processes you want to ignore, you need to add exceptions that cover your process. Most rules already have exceptions built in, but you can extend them to include your own processes, files, namespaces, etc. To do this it is much easier to copy the rule as code using the option on the rule page, go to the Rules Editor, and edit it there. The example below is an edit of a previously existing rule, changed to include additional processes that are to be ignored in the ibm-spectrum-scale namespace.
  • Exceptions have a specific structure. They use the following modules, but some do not need to be included (see the Falco syntax documentation to determine which modules can be omitted):
    • Name (this is simply the name of your exception)
    • Comps (this is the comparison module; you can use things like comparison operators)
    • Fields (this determines which field you are checking. There are many different types of fields, which can be found in the Falco syntax documentation; in the example above the field being looked at is the command line of the process that is issuing commands)
    • Values (this is where you insert the names of the processes or items you wish to ignore or build your exception around)
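As an added example (constructed for this guide; it is not the author's rule edit referred to above), here is a complete Falco rule in the form the Rules Editor accepts, with an exception that suppresses root shells spawned by processes in the ibm-spectrum-scale namespace. The rule name, list and macro are constructed, and the command-line fragment in the values row is an assumed placeholder; take the real value from the cmdline shown in your own alert output.

```yaml
# Added example, not from the original page: a constructed Falco rule with an
# exception for IBM Spectrum Scale processes. Paste it into the Sysdig Rules Editor.
- list: shell_binaries
  items: [sh, bash, ksh, zsh]

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- rule: Root shell spawned in container
  desc: A shell started as root inside a container (constructed example rule)
  condition: >
    spawned_process
    and container.id != host
    and proc.name in (shell_binaries)
    and user.uid = 0
  output: >
    Root shell in container (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name
    container=%container.name cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]
  # Falco ANDs the fields of one values row together and ORs the rows; a match
  # is appended to the condition as "and not (...)", so the alert is suppressed.
  exceptions:
    - name: ibm_spectrum_scale_procs          # Name: label for this exception
      fields: [k8s.ns.name, proc.cmdline]     # Fields: what is being checked
      comps: [=, contains]                    # Comps: one comparison per field
      values:
        # Namespace must match exactly; the path is an assumed placeholder for the
        # Spectrum Scale script the shell runs. Add one row per process to ignore.
        - [ibm-spectrum-scale, "/usr/lpp/mmfs/bin/"]
```

Keep the exception as narrow as the namespace plus a process-specific field allows: an exception on the namespace alone would silence every root shell in ibm-spectrum-scale, including ones that are not part of normal operation.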

Helpful Links: