Difficulty: medium
Estimated Time: 30 minutes

Sysdig Baseline Image Profiles allows you to create strict whitelist-based runtime rules for every container in my environment.

If you run hundreds of different images, automating the process is a must. Baselining provides a level of visibility and runtime insight that is far more accurate than the average manual rule.

Conclusions and takeaways

Additional and valuable source of runtime security events Sysdig Secure has full visibility over the API activity Always lead with simple examples: Anonymous Request Allowed Attach to cluster-admin Role Extensive set of OOTB k8s audit rules covering common security use cases Ability to define any trigger condition using the power and flexibility of the Falco language Plus JSON pointers

Baseline Image Profiles

Step 1 of 3

What are Baseline Image Profiles

Considering the container density and turnover rate for any non-trivial deployment, the SecOps team cannot realistically produce runtime rules for every image. Sysdig automates away that process out of the box.

Sysdig kernel-level instrumentation generates runtime profiles that are much more detailed and accurate than the average manual rule. This translates into more strict runtime controls, where everything that is not explicitly allowed will be flagged.

Generated profiles are divided into different runtime sections (network, filesystem, etc). Sysdig allows the user to cherry-pick the sections of the profile that look more relevant and automatically generate a runtime policy that imports them.