“What’s New in Sysdig” is back with the March 2024 edition! My name is Jonathon Cerda, based in Dallas, Texas, and the Sysdig team is excited to share our latest feature releases with you.
March doesn’t just signify the arrival of spring showers and blooming flowers, but also the arrival of Women’s History Month, a time to celebrate and honor the contributions and achievements by women in the United States.
International Women’s Day is also celebrated during March, a day which celebrates the achievements of women from all across the world.
Stay tuned for more updates from Sysdig, and let’s get started!
Sysdig Secure
View Cloud Host Vulnerabilities in Inventory
Inventory now lets you search for vulnerable resources on your AWS and GCP cloud hosts (EC2 Instance, Compute Instance).
Furthermore, each cloud host’s resource-360 drawer includes vulnerability findings through a new tab.
You can also search on Package Name-Version. Note that Azure VM Hosts are out of scope at this time. See Inventory for details.
Inventory UI Updates
You can now search by Host Image ID for AWS EC2 Instance and GCP Compute Instance.
Monitor Objects in S3 Buckets
Agentless AWS Cloud Threat Detection (CDR) coverage is extended to monitor operations performed on objects stored in Simple Storage Service (S3) buckets through S3 notifications.
AWS CloudTrail integration now supports:
- ReadOnly management events (whose verb starts with Get/List/Describe).
- Coverage for S3 notifications to monitor S3 buckets and extend our AWS Agentless CDR coverage.
For details, see the AWS Agentless instructions to connect a cloud account.
Risks Module Released in Technical Preview
We are excited to release Risks in Technical Preview. The Risks feature correlates findings from CSPM, KSPM, cloud log ingestion, CIEM, Vulnerability Management, and Agent-Based Threat Detection. By combining the most critical security issues, we prioritize the biggest risks for security teams to focus on.
For details, see Risks.
Kill Process in Workload
In Threat Detection Policies, Workload and List Matching policies can now be configured to kill the event-triggering process. For details, see Workload.
Improved Azure Cloud Account onboarding
Sysdig has launched an improved onboarding experience for Azure Cloud Accounts. Users can specify their installation preferences regarding desired features. Sysdig then guides them through the installation process step-by-step, ensuring a seamless and personalized experience.
In addition, Sysdig’s Agentless CDR now supports threat detection on Azure. By leveraging Falco and its constantly updated rules managed by the Sysdig Threat Research Team, as well as custom rules tailored to specific environments and security requirements, users can connect their Azure accounts effortlessly while benefiting from robust event processing.
For details, see Connect Cloud Account | Azure.
Global Service Accounts
Sysdig has extended the functionality of team-based service accounts with global service accounts. Unlike team-based service accounts, global service accounts can perform actions that require system level permissions. Admins can create a global service account through the API. See Global Service Accounts
CISA KEV
You can now check if a vulnerability, reported by pipeline, registry, or runtime scanning, is registered in the CISA KEV catalog and filter images by CISA KEV. This allows you to view details such as the date added and due date for CISA KEV vulnerabilities. Drill down into scan results to view the CISA KEV information associated with an image. For more information, see Key Vulnerability Management Terminology.
Platform-Based Scanning
Sysdig has extended the Vulnerability Management scanning capabilities to conduct platform scanning by default. The scanning tools analyze images and host filesystems to extract the Software Bill of Materials (SBOM) and send them to the Sysdig backend for evaluation. Vulnerability matching and policy evaluation now occur within the Sysdig platform rather than on the client side.
Platform-based scanning aims to optimize computing resources, conserve data transfer, improve response time by eliminating client-side evaluation of images, and enhance the robust tracking of images across the user environment. For more information, see Platform-Based Scanning.
Improved GCP Cloud Account Onboarding
Sysdig has launched an improved onboarding experience for GCP Cloud Accounts. Users can specify their installation preferences regarding desired features. Sysdig then guides them through the installation process step-by-step, ensuring a seamless and personalized experience.
In addition, Sysdig’s Agentless CDR now supports threat detection on GCP. By leveraging Falco and its constantly updated rules managed by the Sysdig Threat Research Team, as well as custom rules tailored to specific environments and security requirements, users can connect their GCP accounts effortlessly while benefiting from robust event processing.
For details, see Connect Cloud Accounts | GCP.
Sysdig Monitor
Global Service Accounts
Sysdig has extended the functionality of team-based service accounts with global service accounts. Unlike team-based service accounts, global service accounts can perform actions that require system-level permissions. Admins can create a global service account through the API. See Global Service Accounts
Deactivate User Option
Sysdig has added the ability to configure a period of inactivity for a user, after which the user is deactivated. This helps large enterprises manage users automatically rather than manually deleting users from Sysdig.
This feature is deactivated by default. Currently, it can be enabled via API only.
For details, access the API documentation under User-Deactivation.
Sysdig Agents
13.0.2 March 20, 2024
This hotfix addresses the following:
- Vulnerability fixes:
- The issue in the legacy_ebpf driver that impacted the RHEL kernel v5.14 with the RHEL subversion 4.10 or higher has been fixed.
- Kernel module build failure on linux kernel 6.8 has been fixed.
13.0.1 March 11, 2024
This hotfix fixed an issue where the Sysdig Agent could retain allocated UDP ports until reaching port saturation, occurring under specific combinations of the driver used and enabled features.
13.0.0 March 06, 2024
We strongly recommend you to skip v13.0.0 and upgrade to Sysdig Agent v13.0.1. See Breaking Changes for more information.
Feature enhancements
Updated Docker Image to UBI9
Sysdig Agent’s Universal Base Image has been upgraded from UBI8 to UBI9.
Added Agent health metrics in secure_light Mode
Added the following health metrics when the agent is running in secure_light mode:
- sysdig_agent_analyzer_num_evts
- sysdig_agent_analyzer_dropped_evts
Support for TLS and basic authentication in Agent Prometheus Exporter
Agent Prometheus Exporter now supports TLS and basic authentications.
Ability to collect subattributes from JMX metrics
Added the ability to collect individual subattributes from CompositeData JMX metrics.
Availability of promscrape in ARM64 in FIPS Mode
Sysdig Agent now includes FIPS-mode promscrape binary previously missing for ARM platforms.
Kill process in Workload
In Threat Detection Policies, Workload and List Matching policies can now be configured to kill the event-triggering process. For details, see Workload.
Breaking changes
As part of Sysdig Agent 13.0.0 release, and as anticipated in the release notes for the 12.20.0, Sysdig dropped the support for:
- logwatcher
- RHEL6 and CentOS6
All Sysdig users affected by these changes have been notified. If you haven’t received any communication from Sysdig, it means there is no impact on your usage.
Defect fixes
Updated ssl_shim configuration
The ssl_shim configuration has been changed to fix an issue where openssl.cnf bundled with the agent expected ssl_shim to select the FIPS or non-FIPS providers at startup time. This configuration broke other programs that are dynamically linked against OpenSSL v3.
Added a openssl_conf configuration flag to allow users to specify a custom openssl.cnf file for use with the agent. To include a custom OpenSSL v3 library, you need to set the custom openssl_conf and your library path. This configuration is required when openssl_lib points the agent to a custom OpenSSL v3.x library. See openssl_lib for more information.
Support for universal eBPF on 1-vcore machines
Universal eBPF is now supported on 1-vcore machines.
Scoping events to containers on specific Kubernetes clusters
The host scope resolution now works correctly when additional scope predicates are specified along with the standard contauner_id="". For example, contauner_id="" and kubernetes.cluster.name=my_cluster.
Fixed misleading collector reconnection attempts logs
Fixed an issue where agents report a large number of logs with “No further retries left for attachment to container.
Sysdig Cluster Shield Release Notes
Here are the most recent release notes for Sysdig Cluster Shield. Review the entries to learn about the latest features, defect fixes, and known issues.
0.7.0 March 18, 2024
Enhancements
- Added new Kubernetes Metadata Collector (Technical Preview).
- Added the ability to run in single process mode.
- Updated configuration for the Container Vulnerability Management feature.
- Enabled Platform Services by default. Added the ability to disable it through an additional helm chart value containing the current on premise version.
- Removed configuration for Offline Analyzer.
- Refactored the configuration for the registry certificate verification.
Defect fixes
Fixed a memory leak issue in the supervisor process.
0.1.0 March 07, 2024
Sysdig Cluster Shield released as controlled availability
Sysdig is delighted to announce the controlled availability of Sysdig Cluster Shield. This solution consolidates multiple agent deployments into a single containerized component, marking a significant advancement in simplifying the deployment, management, and configuration of the Sysdig suite of security and compliance tools at the cluster level. By streamlining operations for Kubernetes environments, Cluster Shield makes it easier than ever to maintain your security and compliance posture.
For more information, see Sysdig Cluster Shield.
Window Agent
Container enrichment
The agent is now capable of gaining visibility into containerized processes, allowing the containerd-based containers to be secured along with the host operating system.
Availability of Docker image for Windows Server v2019 and v2022
The Windows Agent is now available as a Docker image for Windows Server 2019 and Server 2022.
Defect fixes
Vulnerability fixes
Ability to handle wide characters from AmsiScanBuffer events
AMSI events carry the buffer parameter that contains the executed payload, such as Powershell cmdlet and loaded .NET assembly. This conveys that the parameter structure is dynamic and will greatly depend on the data source emitting the AMSI telemetry. As a consequence, the event parsing mechanism has been adapted to treat the parameters as dynamic, and thus derive the content of the AMSI buffer as dictated by the application type emitting the event.
SDK, CLI, and Tools
Sysdig CLI
Sysdig CLI Scanner v1.8.6 is out!
- Fixed CVE-2024-26147.
- Now, Sysdig CLI scanner will honor proxy env vars when pulling images!
Sysdig CLI Scanner v1.9.0 is out.
IAC
- Fixed panic occurring during terraform directories scanning.
- Fixed bug on severity threshold flag.
- Exit code 1 is returned when violations exceed the threshold.
- Use v2 endpoint to get data from transforms.
VM
- Fixed a bug in maven matcher.
- Make policies succeed if, for a vulnerability, the fix version is present while the solution date is not.
Fixed Vulns
- CVE-2024-24786
https://sysdiglabs.github.io/sysdig-platform-cli
Python SDK
The latest version is v0.17.1. See the Sysdig Python SDK GitHub for details.
Terraform Provider
v1.22.0 is the latest version of the Sysdig Terraform Provider. For more information, see our Terraform Provider docs.
Terraform Modules
- AWS Sysdig Secure for Cloud remains unchanged at v0.10.9.
- Terraform Google secure v0.1.10
- feat: Add module outputs for webhook-datasource #17
- feat: agentless workload controller WIF #20
- feat: Adding support for WIF based auth to Webhook Datasource module #21
- feat(vm,cloud-scan): enables organizational use-case #23
- test: Add validation test coverage #16
- test(vm, cloud-scan): single-project use-case #18
- ci: Update CODEOWNERS #19
- ci: Update CODEOWNERS for workload scanning module#22
- Terraform Azure remains unchanged at v0.2.10.
Falco VSCode Extension
v0.1.0 is still the latest release.
Sysdig Cloud Connector
The Cloud Connector remains v0.16.61.
Admission Controller
Admission Controller remains (3.9.37) and helm chart (0.15.0).
Sysdig Secure Inline Scan Action
The latest release remains unchanged at v3.5.0.
https://github.com/marketplace/actions/sysdig-secure-inline-scan
Sysdig Secure Jenkins Plugin
The Sysdig Secure Jenkins Plugin remains at version v2.3.0.
https://plugins.jenkins.io/sysdig-secure
Prometheus Integrations
We have released v1.28.0: https://github.com/draios/prometheus-integrations/releases/tag/v1.28.0
- ADD more scope to the quotas panels
- ADD change for no data description for Keda panel
- ADD rabbitMQ rule drop also by port
- FIX typo in some dashboard descriptions
- ADD Alert for Sysdig Monitor
- Full Changelog: v1.27.0…v1.28.0
Sysdig On-premise
6.9.1 Hotfix Release, March 2024
This hotfix addresses the following:
- Update the rules validator for the policies backend service to allow users to upgrade their default rules to the latest available ruleset.
- The error during the upgrade process, caused by a missing import code for pvStorageSize.cassandra, has been fixed.
- The issue where the installer incorrectly added a \n (line feed) to the context when current-context is used but the context is not specified in the values.yaml, or on the installer command line, has been resolved.
- Cassandra failure during the Zookeeper upgrade process in the installer when override fields are used. To fix the issue, remove the customOverride field:
cassandra:
jvmOptions: -Xms6G -Xmx8G
# customOverrides: |
# compaction_throughput_mb_per_sec: 300Code language: Perl (perl)Upgrade Process
Supported upgrades from: 5.0.x, 5.1.x, 6.x
For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.
6.7.1 Hotfix Release, March 2024
This hotfix addresses an issue encountered during the zookeeper upgrade process in the installer, providing improved upgrade efficiency and speed.
Upgrade Process
Supported upgrades from: 5.0.x, 5.1.x, 6.x
For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.
6.4.5 Hotfix Release, March 2024
This hotfix fixes an issue with the slowness in the Secure UI.
Upgrade Process
Supported upgrades from: 5.0.x, 5.1.x, 6.x
For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.
Falco Threat Detection Rules Changelog
Several versions of the rules have been released in the last months. Below are the release notes for the most recent rules changes.
https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog
Rule Changes
- Added the following rules:
- Connection to SMB Server detected
- Steganography Tool Detected
- Python HTTP Server Started
- Execute Process from Masquerade Directory
- Shared Libraries Reconnaissance Activity Detected
- EC2 Instance Create User
- Terminate EC2 Instances
- Find Authentication Certificates
- Contact GCP Instance Metadata Service from Host
- Contact Azure Instance Metadata Service from Host
- Execution from Temporary Filesystem
- Reduced false positives for the following rules:
- Write below etc
- Connection to IPFS Network Detected
- nsenter Container Escape
- Execution from Temporary Filesystem
- Launch Root User Container
- Linux Kernel Module Injection Detected
- Packet socket created in container
- Container escape via discretionary access control
- Suspicious Access To Kerberos Secrets
- Redirect STDOUT/STDIN to Network Connection in Host
- Suspicious Access To Kerberos Secrets
- Dump memory for credentials
- Mount on Container Path Detected
- Create Symlink Over Sensitive Files
- Possible Backdoor using BPF
- eBPF Program Loaded into Kernel
- Launch Suspicious Network Tool in Container
- Suspicious Cron Modification
- Execution from /tmp
- Launch Sensitive Mount Container
- Non sudo setuid
- Suspicious Domain Contacted
- Launch Suspicious Network Tool in Container
- Modify Grub Configuration Files
- Fileless Malware Detected
- Container escape via discretionary access control
- Mount on Container Path Detected
- Find GCP credentials
- Ransomware Filenames Detected
- Mount Launched in Privileged Container
- Modification of pam.d detected
- Kernel startup modules changed
- Suspicious RC Script Modification
- Find Authentication Certificates
- Redirect STDOUT/STDIN to Network Connection in Container
- Suspicious Cron Modification
- eBPF Program Loaded into Kernel
- Non sudo setuid
- Suspicious Operations with Firewalls
- Suspicious RC Script Modification
- Mount on Container Path Detected
- Kernel Module Loaded by Unexpected Program
- Packet socket created in container
- Dump memory for credentials
- Mount on Container Path Detected
- Improved output for Discovery Security Service Activity Detected rule.
- Improved output for Reconnaissance attempt to find SUID binaries and Dump memory for credentials rules.
- Reduced false positives for the Linux Kernel Module Injection Detected rule.
- Improved output for AWS rules – Event Summary.
- Added Execute Process from Masqueraded Directory to managed policies.
- Improved output for the Kernel startup modules changed rule.
- Removed the Execute Process from Masqueraded Directory rule from managed policies.
- Improved condition for the following rules:
- Dump memory for credentials
- Suspicious Access To Kerberos Secrets
- Linux Kernel Module Injection Detected
- Redirect STDOUT/STDIN to Network Connection in Host
- Suspicious Cron Modification
- Clear Log Activities
- Modification of pam.d detected
- Linux Kernel Module Injection Detected
- Suspicious Cron Modification
- Suspicious network tool downloaded and launched in container
- Launch Suspicious Network Tool on Host
- Find GCP Credentials
- Launch Suspicious Network Tool in Container
- Improved description and tags for Change memory swap options rule.
- Improved tags for AWS EC2 ruleset.
- Improved condition for Suspicious Cron Modification rule.
- Improved output for AWS rules – Event Summary.
- Updated Indicators of Compromise rulesets with new findings.
- Improved tags for Suspicious Domain Contacted rule.
- Improved condition for macro network_tool_procs.
- Updated Indicators of Compromise rulesets with new findings.
- Improved condition for the Kernel Module Loaded by Unexpected Program rule.
- Improved tags for Suspicious Domain Contacted rule.
- Improved output for AWS rules – Event Summary.
- Added the Data Split Activity Detected and Contact EC2 Instance Metadata Service From Host rules.
- Improved condition for the Describe Instances rule.
- Improved tags for the GCP Create Cloud Function rule.
- Improved condition for the Kernel Module Loaded by Unexpected Program rule.
- Improved output for the Kernel Module Loaded by Unexpected Program rule.
- Improve output for AWS rules – Event Summary.
- Improve MITRE tags for AWS S3 ruleset.
- Improve condition for the Update Package Repository rule.
Default Policy Changes
Removed
- Execute Process from Masqueraded Directory rule from managed policies.
Added the following rules:
- Python HTTP Server Started
- Execute Process from Masquerated Directory
- Shared Libraries Reconnaissance Activity Detected
- EC2 Instance Create User
- Terminate EC2 Instances
- Data Split Activity Detected
- Contact EC2 Instance Metadata Service From Host
- Find Authentication Certificates
- Contact GCP Instance Metadata Service from Host
- Contact Azure Instance Metadata Service from Host
- Execution from Temporary Filesystem
- Connection to SMB Server detected
- Steganography Tool Detected
Updated policies for the following rules:
- Mount on Container Path Detected
- Modify Grub Configuration Files rule
- Escape to host via command injection in process
- Discovery Security Service Activity Detected
- Java Process Class File Download rule.
Open Source
Falco
Falco 0.37.1 is the latest stable release.
New Website Resources
Blogs
Webinars
A practical guide to resource constraints in Kubernetes
SOAR into 2024: Harness the power of your cloud detection and response
https://go.sysdig.com/Deminar-Fortify-Google-Cloud-Security.html