Welcome to another iteration of What’s New in Sysdig in 2022! Before starting, once again Happy Easter, Happy Passover, Happy Rama Navami, and Ramadan Mubarak! In general, happy spring break, and we hope you recovered from the chocolate egg drop.
This month, I have the pleasure of writing the “What’s new in Sysdig” blog! Hi, I’m Balaji Thirunavukkarasu, a Sales Engineer based out of the San Francisco Bay Area and a part of the Sysdig US West Enterprise team. My journey into the software industry started as a Support Engineer, then forayed into technical account management, and recently transitioned to Sales. My areas of interest have always been around distributed systems, cloud computing, security, and OSS tools. On a personal front, I love to spend time with my kids, play professional cricket, golf with friends, and mountain bike.
Continuing with the usability improvements with new navigation from previous months, we are excited to announce a few additional features and improvements to the Sysdig Platform, which we will highlight below.
Sysdig Monitor
Metrics Explorer
Metrics Explorer has been rebuilt from the ground up to focus on advanced metric exploration and querying.
Improvements to Metrics Explorer include:
- Simple querying that builds PromQL queries under the hood. Metrics Explorer is the easiest way to build PromQL queries.
- Graph multiple metrics at once for correlation. For example, CPU usage vs. Kubernetes limits.
- Queries are ungrouped by default, showing the individual time series for a metric. This allows you to spot problems faster. For example, one of 50 Cassandra nodes with high pending compactions. Instead of segmenting, you now group by one or more labels, for example workload, pod and container.
- When selecting a scope in the tree, only those metrics that are applicable to that entity are displayed.
- Metrics are now more logically categorized by metric namespace (prefix).
- Resolution has been improved. For example, a one-hour view now shows data at 10-second granularity. Additionally, the concept of time realignment has been removed.
For more information, see Explorer.
As always, please go check out our own Release Notes for more details on product updates, and ping your local Sysdig contact if you have questions about anything covered here.
Sysdig Secure
New Image Scanning Engine
This month, we are announcing the release of our new image scanning engine! The new scanning engine is developed 100% in-house and provides super fast scanning capabilities. Complete with a new UI, the new scanning engine makes it easy to prioritize vulnerabilities and focus on what matters most.
For now, both the old scanning engine and the new one are available. To enable the new scanning engine, navigate to Settings->Sysdig Labs and enable “New Vulnerabilities engine” to start using it.
Announcing Risk Spotlight
Eliminate noise and prioritize the vulnerabilities that really matter with Risk Spotlight. Most of the vulnerabilities reported in container environments are actually noise: containers are loaded with packages that are never used. Risk Spotlight focuses on vulnerabilities in packages that are active at runtime, allowing you to focus on what matters.
Key Benefits of Risk Spotlight
- Reduce vulnerability noise by up to 95%. Risk Spotlight eliminates the noise from vulnerabilities that pose no immediate risk by identifying the packages not used at runtime.
- Manage risk with actionable insights. Risk Spotlight delivers rich vulnerability details – such as the CVSS vector from multiple sources, the fix version, and link to publicly available exploits – and a package-centric view that facilitates remediation and managing vulnerability risk at scale.
- Comprehensive vulnerability management for containers from source to run. Risk Spotlight provides a single view of vulnerability risk across the container lifecycle, from build to runtime. Developers can take immediate actions to mitigate the few vulnerabilities that pose real risks and also apply security best practices early by removing unused packages during the build process.
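The triage logic the Risk Spotlight paragraphs describe, as an added illustration that is not Sysdig's own code or data format: a constructed scan report is filtered down to packages observed in use at runtime, ordered by severity, public exploit and fixability, and the unused vulnerable packages are reported as build-time removal candidates. The package names, placeholder CVE identifiers and runtime set are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

@dataclass(frozen=True)
class Vuln:
    package: str
    cve: str                 # placeholder identifiers, not real CVEs
    severity: str
    fix_version: Optional[str]
    exploit_available: bool  # a public exploit link was reported

# Constructed scan report for a hypothetical image (six findings).
SCAN_RESULTS = [
    Vuln("libssl", "CVE-0000-0001", "Critical", "1.1.1n", True),
    Vuln("curl", "CVE-0000-0002", "High", "7.82.0", False),
    Vuln("perl", "CVE-0000-0003", "High", None, False),
    Vuln("python3", "CVE-0000-0004", "Medium", "3.9.12", True),
    Vuln("vim", "CVE-0000-0005", "Medium", "8.2.4", False),
    Vuln("git", "CVE-0000-0006", "Low", "2.35.2", False),
]

# Packages observed loaded or executed while the container ran (constructed).
RUNTIME_ACTIVE = {"libssl", "python3"}

def spotlight(vulns: Iterable[Vuln], active: Set[str]) -> List[Vuln]:
    """Findings in runtime-active packages only, most urgent first:
    severity, then public exploit available, then a fix version exists."""
    in_use = [v for v in vulns if v.package in active]
    return sorted(
        in_use,
        key=lambda v: (SEVERITY_RANK[v.severity], v.exploit_available,
                       v.fix_version is not None),
        reverse=True,
    )

def noise_reduction(vulns: List[Vuln], active: Set[str]) -> float:
    """Fraction of reported findings hidden because their package is unused."""
    if not vulns:
        return 0.0
    return 1.0 - len(spotlight(vulns, active)) / len(vulns)

def removal_candidates(vulns: Iterable[Vuln], active: Set[str]) -> Set[str]:
    """Vulnerable packages never used at runtime: drop them at build time."""
    return {v.package for v in vulns if v.package not in active}
```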
Read all about Risk Spotlight in the blog post Eliminate noise and prioritize the vulnerabilities that really matter with Risk Spotlight.
Falco Rules
v0.63.0 is the latest version. Here are some highlights of the changes since v0.50.5, which we covered in January.
Added the following rules:
- Modify ld.so.preload
- Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
- Privileged Shell Spawned Inside Container
- Debugfs Launched in Privileged Container
- Mount Launched in Privileged Container
- Unprivileged Delegation of Page Faults Handling to a Userspace Process
- Launch Ingress Remote File Copy Tools in Container
- Suspicious Cron Modification
Further details and the full changelog can be found on Sysdig documentation.
Sysdig Agents
The latest Sysdig Agent release is v12.4.0. Below is a summary of updates since v12.3.1, which we covered in our last update.
- Support for New Architectures: ARM (aarch64) and s390x (zLinux)
- Custom-Metrics-Only Mode
- Prevent Processing Policy Updates
Please refer to our v12.4.0 Release Notes for further details.
SDK, CLI, and Tools
Sysdig CLI
v0.7.14 is still the latest release (Download Link). The instructions on how to use the tool and the release notes from previous versions are available at the following link:
https://sysdiglabs.github.io/sysdig-platform-cli/
Python SDK
v0.16.3 is still the latest release, which we covered in our October update.
https://github.com/sysdiglabs/sysdig-sdk-python/releases/tag/v0.16.3
Terraform Provider
v0.5.37 is the newest release.
Documentation – https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs
Github link – https://github.com/sysdiglabs/terraform-provider-sysdig
Terraform Modules
AWS Sysdig Secure for Cloud: v0.8.2
GCP Sysdig Secure for Cloud: v0.8.5
Azure Sysdig Secure for Cloud: v0.8.0
- Note: Azure Sysdig Secure for Cloud includes a breaking change to align with the new v3.0 version of the AzureRM Provider
Falco VS Code Extension
v0.1.0 is still the latest release.
https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0
Sysdig Cloud Connector
Sysdig Cloud Connector has been updated to v0.16.7.
Features include:
- Restore segment tracking using customer ID instead of random UUID
- List last images from ECR, EKS, and Lambda
Check the full list of changes to get the full details.
Admission Controller
Sysdig Admission Controller has been updated to v3.9.1.
Documentation – https://docs.sysdig.com/en/docs/installation/admission-controller-installation/
Runtime Vulnerability Scanner
The new vuln-runtime-scanner has been released to GA state with v1.0.0.
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/runtime
Sysdig CLI Scanner
Sysdig CLI Scanner has been released to v1.0.0.
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/
Image Analyzer
Sysdig Image Analyzer is still set to v0.1.16.
Host Analyzer
Sysdig Host Analyzer is still set to v0.1.6.
Documentation – https://docs.sysdig.com/en/docs/installation/node-analyzer-multi-feature-installation/#node-analyzer-multi-feature-installation
Sysdig Secure Inline Scan for Github Actions
v3.2.0 is still the latest release, which we covered in our November edition.
https://github.com/marketplace/actions/sysdig-secure-inline-scan
Sysdig Secure Jenkins Plugin
v2.1.12 is still the latest release.
https://plugins.jenkins.io/sysdig-secure/
Prometheus Integrations
Integrations:
- feat: Updated helm charts with new exporters image tags for security updates
- fix: Optimized Portworx metrics in Prometheus job
- fix: Added label kube_namespace_name correctly to kubelet PVC metrics
- feat: Updated the exporter image tags in the helm charts
Dashboards and alerts:
- feat: Added Kubernetes scope to troubleshooting dashboard templates
- feat: Deprecated the legacy troubleshooting dashboard templates for MongoDB and SQL
- fix: Removed non-useful disks from ‘Kubernetes Node Status & Performance’ dashboard
- fix: Added filter to exclude containers FS in ‘File System Usage & Performance’ dashboard template. Also added cluster scope and changed table panel position.
Exporter images
- Security updates in UBI images of the following exporters:
- JMX:
- quay.io/sysdig/promcat-jmx-exporter:v0.16.5-ubi
- quay.io/sysdig/promcat-jmx-exporter:v0.16.5
- MySQL:
- quay.io/repository/sysdig/mysql-exporter:v0.13.4-ubi
- quay.io/repository/sysdig/mysql-exporter:v0.13.4
- Memcached:
- quay.io/repository/sysdig/memcached-exporter:v0.9.2-ubi
- quay.io/repository/sysdig/memcached-exporter:v0.9.2
- Nginx:
- quay.io/repository/sysdig/nginx-exporter:v0.9.3-ubi
- quay.io/repository/sysdig/nginx-exporter:v0.9.3
- MongoDB:
- quay.io/repository/sysdig/mongodb-exporter:v0.11.6-ubi
- quay.io/repository/sysdig/mongodb-exporter:v0.11.6
- ElasticSearch:
- quay.io/repository/sysdig/elasticsearch-exporter:v1.3.2-ubi
- quay.io/repository/sysdig/elasticsearch-exporter:v1.3.2
- PostgreSQL:
- quay.io/repository/sysdig/postgresql-exporter:v0.10.6-ubi
- quay.io/repository/sysdig/postgresql-exporter:v0.10.6
- Apache:
- quay.io/repository/sysdig/apache-exporter:v0.10.5-ubi
- quay.io/repository/sysdig/apache-exporter:v0.10.5
- Redis:
- quay.io/repository/sysdig/redis-exporter:v1.31.6-ubi
- quay.io/repository/sysdig/redis-exporter:v1.31.6
Sysdig On-Premise
The 5.1.0 On-Premise minor release is now official. Here are some highlights for this minor release:
- Added support for Kubernetes versions 1.22 and 1.23
- Added a pre-flight check to verify the kubectl and K8s versions of the cluster with the context provided by the customer
- API documentation for Sysdig Secure is now enabled by default
- Feature Enhancement: Falco Exceptions – Create Exception Objects to a Default Rule
- Various bug fixes
The full release notes can be found here: Sysdig Docs or Github
New Website Resources
Blogs
- Preventing cloud and container vulnerabilities
- Are vulnerability scores misleading you? Understanding CVSS severity and using them effectively
- Eliminate noise and prioritize the vulnerabilities that really matter with Risk Spotlight
- Sysdig achieves AWS DevSecOps specialization within AWS DevOps Competency
- Understanding Kubernetes pod pending problems
- Kubernetes 1.24 – What’s new?
- Understanding cloud security
- Adopting Docs-as-Code: From Hackathon to Production
- Critical Vulnerability in Spring Core: CVE-2022-22965 a.k.a. Spring4Shell
- Detecting and Mitigating CVE-2022-22963: Spring Cloud RCE Vulnerability
- Digital Forensics Basics: A Practical Guide for Kubernetes DFIR
- Detect malicious activity in Okta logs with Falco and Sysdig okta-analyzer
- How to be prepared for Cyber Warfare Attacks
Webinars
- Say Goodbye to PSPs?! Migrate your PSP Rules to OPA with No Hassle
- Cloud and Container Runtime Security on Azure
- How to Prepare for the Next Log4j
- Protecting Against Log4j Attacks in AWS Fargate
- Continuous Compliance on Azure
- CSPM Best Practices for Multi-Cloud: Beyond Native Tools
- Become a Certified K8s Security Specialist (CKS) in 2022! How to Pass with Saiyam Pathak, CNCF Ambassador
- Containerized AppSec from Code to Production w/ Snyk, Sysdig and AWS
- Reduce Alerts and False Positives – Monitor Golden Signals using Sysdig
Tradeshows
- MARCH 1-MAY 20, Cloud Security Demo Forum, Virtual
- APRIL-AUGUST, AWS Summit, Americas
- APRIL-MAY, AWS Summit, Europe, Middle East, Africa
- APRIL 27 – 29, On: The Beach, Malaga, Spain
- MAY 10, Dockercon, Virtual
- MAY 10-11, Red Hat Summit, Virtual
- MAY 16, Cloud Native eBPF DAY, Valencia, Spain
- MAY 16-17, Cloud Native SecurityCon, Valencia, Spain
- MAY 17, Prometheus Day Europe, Valencia, Spain
- MAY 17-20, KubeCon, Valencia Spain
Education