Published: March 2, 2015

Bug Fixes
- Many minor bugfixes
New and updated features
- Container support: sysdig now supports Docker, LXC and libvirt-lxc containers, with several sub-features described below and in the documentation
  - supports an alternate /proc file system tree (useful in containers) by setting the environment variable SYSDIG_HOST_ROOT
  - supports parsing network connections from /proc from a network namespace different than the global one
  - container information is available in the chisel API (thread table)
  - -pc and -pcontainer will use a container-friendly output format for events
- Automated Docker builds for running sysdig: https://registry.hub.docker.com/u/sysdig/sysdig/
- sysdig-probe-loader: new script included with sysdig to facilitate loading the sysdig-probe module in atypical environments such as containers
- build-sysdig-probe-binaries: new script to prebuild sysdig-probe binaries for a specific set of kernel configurations (currently CoreOS) and upload them to S3 so that they can be downloaded at runtime on environments that don't ship kernel headers
New and updated chisels
- lscontainers: List the running containers.
- topcontainers_cpu: Top containers by CPU usage.
- topcontainers_error: Top containers by number of errors.
- topcontainers_file: Top containers by R+W disk bytes.
- topcontainers_net: Top containers by network I/O.
- echo_fds: container-aware (with -pc).
- fileslower: container-aware (with -pc).
- list_login_shells: container-aware (with -pc).
- netlower: container-aware (with -pc).
- proc_exec_time: container-aware (with -pc).
- scallslower: container-aware (with -pc).
- spy_logs: container-aware (with -pc).
- spy_syslog: container-aware (with -pc).
- spy_users: container-aware (with -pc).
- stderr: container-aware (with -pc).
- topconns: container-aware (with -pc).
- topfiles_bytes: container-aware (with -pc).
- topfiles_errors: container-aware (with -pc).
- topfiles_time: container-aware (with -pc).
- topports_server: container-aware (with -pc).
- topprocs_cpu: container-aware (with -pc).
- topprocs_errors: container-aware (with -pc).
- topprocs_file: container-aware (with -pc).
- topprocs_net: container-aware (with -pc).
- topscalls: container-aware (with -pc).
- topscalls_time: container-aware (with -pc).
New and updated filter fields
- thread.cgroups: all the cgroups the thread belongs to, aggregated into a single string.
- thread.cgroup: the cgroup the thread belongs to, for a specific subsystem, e.g. thread.cgroup.cpuacct.
- thread.vtid: the id of the thread generating the event as seen from its current PID namespace.
- proc.vpid: the id of the process generating the event as seen from its current PID namespace.
- container.id: the container id.
- container.name: the container name.
- container.image: the container image.
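As an added example (not a chisel shipped with sysdig), the following Lua chisel uses the new container.* and proc.vpid fields from a chisel to log every successful execve together with the container it ran in and to tally launches per container, which is a quick way to spot unexpected processes starting inside a container. It assumes the file is saved as exec_by_container.lua in a chisel directory and that processes outside any container report "host" as their container id.

```lua
-- Chisel: process launches per container (added example, not a chisel
-- shipped with sysdig). Assumed usage: sysdig -c exec_by_container
description = "Prints every successful execve with the container it ran in, " ..
              "its PID as seen from inside its PID namespace, and a " ..
              "per-container launch count at the end of the capture.";
short_description = "Process launches per container";
category = "Security";

args = {}

-- Per-container counters, keyed by container.id
local counts = {}
local fcontid, fcontname, fcontimage, fpname, fpid, fvpid

function on_init()
    -- Request the fields introduced with container support
    fcontid    = chisel.request_field("container.id")
    fcontname  = chisel.request_field("container.name")
    fcontimage = chisel.request_field("container.image")
    fpname     = chisel.request_field("proc.name")
    fpid       = chisel.request_field("proc.pid")
    fvpid      = chisel.request_field("proc.vpid")

    -- Only the exit side of execve, when proc.name already is the new program
    chisel.set_filter("evt.type=execve and evt.dir=<")
    print(string.format("%-20s %-14s %-30s %6s %6s %s",
          "CONTAINER", "ID", "IMAGE", "PID", "VPID", "PROC"))
    return true
end

function on_event()
    -- Assumption: processes outside any container are reported as "host"
    local id    = evt.field(fcontid) or "host"
    local name  = evt.field(fcontname) or "host"
    local image = evt.field(fcontimage) or "-"
    local pid   = evt.field(fpid) or 0
    local vpid  = evt.field(fvpid) or 0
    counts[id] = (counts[id] or 0) + 1
    -- PID and VPID differ only when the process lives in its own PID namespace
    print(string.format("%-20s %-14s %-30s %6d %6d %s",
          name, id, image, pid, vpid, evt.field(fpname) or "?"))
    return true
end

function on_capture_end()
    print("\nprocess launches per container:")
    for id, n in pairs(counts) do
        print(string.format("  %-14s %d", id, n))
    end
    return true
end
```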
New and Updated events
- clone, execve, fork, vfork: add cgroups, vtid and vpid to the events to correctly report control group and PID namespace information.
A blog post with an in-depth look at this new functionality will be published very soon. Stay tuned!
Support
Community support is available on the sysdig mailing list. Bugs and issues can be submitted through GitHub.