What’s new in Sysdig – April 2022

Welcome to another iteration of What’s New in Sysdig in 2022! Before starting, once again Happy Easter, Happy Passover, Happy Rama Navami, and Ramadan Mubarak! In general, happy spring break, and we hope you recovered from the chocolate egg drop.

This month, I have the pleasure of writing the “What’s new in Sysdig” blog! Hi, I’m Balaji Thirunavukkarasu, a Sales Engineer based out of the San Francisco Bay Area and a part of the Sysdig US West Enterprise team. My journey into the software industry started as a Support Engineer, then forayed into Technical account management and recently transitioned to Sales. My areas of interest have always been around distributed systems, cloud computing, Security, and OSS tools. On a personal front, I love to spend time with my kids, play professional cricket, golf with friends, and mountain bike.

Continuing with the usability improvements with new navigation from previous months, we are excited to announce a few additional features and improvements to the Sysdig Platform, which we will highlight below.

Sysdig Monitor

Metrics Explorer

Metrics Explorer has been rebuilt from the ground up to focus on advanced metric exploration and querying.

Improvements to Metrics Explorer include:

• Simple querying that builds PromQL queries under the hood. Metrics Explorer is the easiest way to build PromQL queries.
• Graph multiple metrics at once for correlation. For example, CPU usage vs. Kubernetes limits.
• Queries are ungrouped by default, showing the individual time series for a metric. This allows you to spot problems faster. For example, one of 50 Cassandra nodes with high pending compactions. Instead of segmenting, you now group by one or more labels. For example, workload, pod and container.
• When selecting a scope in the tree, only those metrics that are applicable to that entity are displayed.
• Metrics are now more logically categorized by metric namespace (prefix).
• Resolution has been improved. For example a one-hour view now shows 10 seconds of data. Additionally, the concept of time realignment has been removed.

For more information, see Explorer.

As always, please go check out our own Release Notes for more details on product updates, and ping your local Sysdig contact if you have questions about anything covered here.

Sysdig Secure

New Image Scanning Engine

This month, we are announcing the release of our new image scanning engine! The new scanning engine is developed 100% in-house and provides super fast scanning capabilities. Complete with a new UI, The new scanning engine makes it easy to prioritize vulnerabilities and focus on what matters most.

For now, both the old scanning engine and the new one are available. To enable the new scanning engine, navigate to Settings->Sysdig Labs and enable “New Vulnerabilities engine” to start using it.

Announcing Risk Spotlight

Eliminate noise and prioritize the vulnerabilities that really matter with Risk Spotlight. Most of the vulnerabilities reported in container environments are actually noise. Containers are loaded with packages that are never used. Risk spotlight focuses on vulnerabilities in packages that are active at runtime, allowing you to focus on what matters.

Key Benefits of Risk Spotlight

• Reduce vulnerability noise by up to 95%. Risk Spotlight eliminates the noise from vulnerabilities that pose no immediate risk by identifying the packages not used at runtime.
• Manage risk with actionable insights. Risk Spotlight delivers rich vulnerability details – such as the CVSS vector from multiple sources, the fix version, and link to publicly available exploits – and a package-centric view that facilitates remediation and managing vulnerability risk at scale.
• Comprehensive vulnerability management for containers from source to run. Risk Spotlight provides a single view of vulnerability risk across the container lifecycle, from build to runtime. Developers can take immediate actions to mitigate the few vulnerabilities that pose real risks and also apply security best practices early by removing unused packages during the build process.

Read all about Risk Spotlight in the blog post Eliminate noise and prioritize the vulnerabilities that really matter with Risk Spotlight.

Falco Rules

v0.63.0 is the latest version. Here there are some highlights of the changes from v0.50.5, which we covered in January.

Added the following rules:

• Modify ld.so.preload
• Polkit Local Privilege Escalation Vulnerability(CVE-2021-4034)
• Privileged Shell Spawned Inside Container
• Debugfs Launched in Privileged Container
• Mount Launched in Privileged Container
• Unprivileged Delegation of Page Faults Handling to a Userspace Process
• Launch Ingress Remote File Copy Tools in Container
• Suspicious Cron Modification

Further details and the full changelog can be found on Sysdig documentation.

Sysdig Agents

The latest Sysdig Agent release is v12.4.0. Below is a diff of updates since v12.3.1, which we covered in our last update.

• Support for New Architectures: ARM (aarch64) and s390x (zLinux)
• Custom-Metrics-Only Mode
• Prevent Processing Policy Updates

Please refer to our v12.4.0 Release Notes for further details.

SDK, CLI, and Tools

Sysdig CLI

v0.7.14 is still the latest release (Download Link). The instructions on how to use the tool and the release notes from previous versions are available at the following link:

https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

v0.16.3 is still the latest release, which we covered in our October update.

https://github.com/sysdiglabs/sysdig-sdk-python/releases/tag/v0.16.3

Terraform Provider

v0.5.37 is the newest release.

Documentation – https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs

Github link – https://github.com/sysdiglabs/terraform-provider-sysdig

Terraform Modules

AWS Sysdig Secure for Cloud: v0.8.2

GCP Sysdig Secure for Cloud: v0.8.5

Azure Sysdig Secure for Cloud: v0.8.0

• Note: Azure Sysdig Secure for Cloud includes a breaking change to align to the new v3.0 version of the AzureRM Provider

Falco VS Code Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

Sysdig Cloud Connector has been updated to v0.16.7.

Features include:

• Restore segment tracking using customer ID instead of random UUID
• List last images from ECR, EKS, and Lambda

Check the full list of changes to get the full details.

Admission Controller

Sysdig Admission Controller has been updated to v3.9.1.

Documentation – https://docs.sysdig.com/en/docs/installation/admission-controller-installation/

Runtime Vulnerability Scanner

The new vuln-runtime-scanner has been released to GA state with v1.0.0.

Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/runtime

Sysdig CLI Scanner

Sysdig CLI Scanner has been released to v1.0.0.

Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/

Image Analyzer

Sysdig Image analyzer is still set to v0.1.16.

Host Analyzer

Sysdig Host Analyzer is still set to v0.1.6.

Documentation – https://docs.sysdig.com/en/docs/installation/node-analyzer-multi-feature-installation/#node-analyzer-multi-feature-installation

Sysdig Secure Inline Scan for Github Actions

v3.2.0 is still the latest release, which we covered in our November edition.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

v2.1.12 is still the latest release.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Integrations:

• feat: Updated helm charts with new exporters image tags for security updates
• fix: Optimized Portworx metrics in Prometheus job
• fix: Added label kube_namespace_name correctly to kubelet PVC metrics
• feat: Updated the exporter image tags in the helm charts

  Dashboards and alerts:

  • feat: Added Kubernetes scope to troubleshooting dashboard templates
  • feat: Deprecated the legacy troubleshooting dashboard templates for MongoDB and SQL
  • fix: Removed non-useful disks from ‘Kubernetes Node Status & Performance’ dashboard
  • fix: Added filter to exclude containers FS in ‘File System Usage & Performance’ dashboard template. Also added cluster scope and changed table panel position.

Exporter images

• Security updates in UBI images of the following exporters:
  • JMX:
    • quay.io/sysdig/promcat-jmx-exporter:v0.16.5-ubi
    • quay.io/sysdig/promcat-jmx-exporter:v0.16.5
  • MySQL:
    • quay.io/repository/sysdig/mysql-exporter:v0.13.4-ubi
    • quay.io/repository/sysdig/mysql-exporter:v0.13.4
  • Memcached:
    • quay.io/repository/sysdig/memcached-exporter:v0.9.2-ubi
    • quay.io/repository/sysdig/memcached-exporter:v0.9.2
  • Nginx:
    • quay.io/repository/sysdig/nginx-exporter:v0.9.3-ubi
    • quay.io/repository/sysdig/nginx-exporter:v0.9.3
  • MongoDB:
    • quay.io/repository/sysdig/mongodb-exporter:v0.11.6-ubi
    • quay.io/repository/sysdig/mongodb-exporter:v0.11.6
  • ElasticSearch:
    • quay.io/repository/sysdig/elasticsearch-exporter:v1.3.2-ubi
    • quay.io/repository/sysdig/elasticsearch-exporter:v1.3.2
  • PostgreSQL:
    • quay.io/repository/sysdig/postgresql-exporter:v0.10.6-ubi
    • quay.io/repository/sysdig/postgresql-exporter:v0.10.6
  • Apache:
    • quay.io/repository/sysdig/apache-exporter:v0.10.5-ubi
    • quay.io/repository/sysdig/apache-exporter:v0.10.5
  • Redis
    • quay.io/repository/sysdig/redis-exporter:v1.31.6-ubi
    • quay.io/repository/sysdig/redis-exporter:v1.31.6

Sysdig On-Premise

The 5.1.0 On-Premise minor release is now official. Here are some highlights for this minor release:

• Added support for Kubernetes versions 1.22 and 1.23
• Added a pre-flight check to verify the kubectl and K8s versions of the cluster with the context provided by the customer
• API documentation for Sysdig Secure is now enabled by default
• Feature Enhancement: Falco Exceptions – Create Exception Objects to a Default Rule
• Various bug fixes

The full release notes can be found here: Sysdig Docs or Github

New Website Resources

Blogs

• Preventing cloud and container vulnerabilities
• Are vulnerability scores misleading you? Understanding CVSS severity and using them effectively
• Eliminate noise and prioritize the vulnerabilities that really matter with Risk Spotlight
• Sysdig achieves AWS DevSecOps specialization within AWS DevOps Competency
• Understanding Kubernetes pod pending problems
• Kubernetes 1.24 – What’s new?
• Understanding cloud security
• Adopting Docs-as-Code: From Hackathon to Production
• Critical Vulnerability in Spring Core: CVE-2022-22965 a.k.a. Spring4Shell
• Detecting and Mitigating CVE-2022-22963: Spring Cloud RCE Vulnerability
• Digital Forensics Basics: A Practical Guide for Kubernetes DFIR
• Detect malicious activity in Okta logs with Falco and Sysdig okta-analyzer
• How to be prepared for Cyber Warfare Attacks

Webinars

• Say Goodbye to PSPs?! Migrate your PSP Rules to OPA with No Hassle
• Cloud and Container Runtime Security on Azure
• How to Prepare for the Next Log4j
• Protecting Against Log4j Attacks in AWS Fargate
• Continuous Compliance on Azure
• CSPM Best Practices for Multi-Cloud: Beyond Native Tools
• Become a Certified K8s Security Specialist (CKS) in 2022! How to Pass with Saiyam Pathak, CNCF Ambassador
• Containerized AppSec from Code to Production w/ Snyk, Sysdig and AWS
• Reduce Alerts and False Positives – Monitor Golden Signals using Sysdig

Tradeshows

• MARCH 1-MAY 20, Cloud Security Demo Forum, Virtual
• APRIL-AUGUST, AWS Summit, Americas
• APRIL-MAY, AWS Summit, Europe, Middle East, Africa
• APRIL 27 – 29, On: The Beach, Malaga, Spain
• MAY 10, Dockercon, Virtual
• MAY 10-11, Red Hat Summit, Virtual
• MAY 16, Cloud Native eBPF DAY, Valencia, Spain
• MAY 16-17, Cloud Native SecurityCon, Valencia, Spain
• MAY 17, Prometheus Day Europe, Valencia, Spain
• MAY 17-20, KubeCon, Valencia Spain

Education

• Detecting a Cryptomining Malware attack with Falco and Prometheus
• Falco Plugins