What’s new in Sysdig – December 2021


Here we are with the final “What’s new in Sysdig” monthly newsletter of the year. First of all, Merry Christmas, メリークリスマス, Buon Natale, 성탄을 축하드려요, С рождеством!, Vrolijk kerstfeest, Feliz Navidad!

Whatever you may be celebrating, we wish you a wonderful holiday season from all of us at Sysdig!

First, we want to acknowledge the recent celebration (Dec. 18th) of International Migrants Day, to raise awareness about the protection of migrants and refugees. Our hearts are with them.

As a member of the team in charge of “What’s new in Sysdig,” this month is up to me, Diego Gagliardo. I joined Sysdig in Aug. 2020, as a Technical Account Manager based in Milan, Italy. As an Open Source lover and Cybersecurity enthusiast, I spend my night time looking into the dark sky, searching for wonderful deep sky objects for my astrophotographs.

The highlight of the month at Sysdig is our recent funding round: amaze yourselves with the story and the news here.

Product wise, we’re happy to announce the release of Sysdig Secure for Cloud – Azure (more details below).

But for our customers, there’s no doubt that this month will go down in history for log4j and the (in)famous CVE-2021-44228 vulnerability.

Here is the Sysdig official statement:

The Sysdig agent does not include the log4j library

Sysdig is using an alternative framework for logging, called Logback. The Logback framework isn’t vulnerable to this issue.

Sysdig components include a log4j library in our standard distribution that was vulnerable. This library is included for compatibility reasons only; it’s not used for primary logging, and our security team has determined we are not vulnerable based on our application architecture and existing mitigating controls.

Sysdig can confirm that all services that compose Sysdig’s Cloud Platform running Apache’s vulnerable log4j library have been patched to the latest version, or have had the additional mitigating controls suggested by vendors applied. We have not detected any successful attempts at exploitation of this attack vector during that time window.

Details regarding upgrades follow:

  • explicitly set commonsLog4jVersion = 2.17.0
  • update all of log4j-to-slf4j, log4j-api, and log4j-core to version 2.17.0
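A defender-side check in the spirit of the upgrade details above, added here as an example that is not Sysdig’s code: it walks a directory tree, recognises log4j 2.x jars by file name, flags any below the 2.17.0 floor and, for log4j-core, reports whether the JndiLookup class is still inside. The jar names and the temporary sample tree are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_SAFE = (2, 17, 0)  # the floor the statement above sets for the log4j 2.x artifacts
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^log4j-(core|api|to-slf4j)-(\d+)\.(\d+)\.(\d+)\.jar$")

def parse_version(jar_name):
    """Return (artifact, (major, minor, patch)) for a log4j 2.x jar name, else None."""
    m = VERSION_RE.match(jar_name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))

def audit(root):
    """Report log4j 2.x jars below MIN_SAFE; for log4j-core also note if JndiLookup is inside."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        parsed = parse_version(jar.name)
        if parsed is None:  # not a log4j 2.x artifact (Logback, for instance)
            continue
        artifact, ver = parsed
        if ver >= MIN_SAFE:
            continue
        status = "below 2.17.0"
        if artifact == "core":  # the JNDI lookup class is the component CVE-2021-44228 abuses
            with zipfile.ZipFile(jar) as zf:
                jndi_present = JNDI_CLASS in zf.namelist()
            status += "; JndiLookup.class present" if jndi_present else "; JndiLookup.class removed"
        findings.append((jar.name, artifact, ".".join(map(str, ver)), status))
    return findings

def demo():
    """Constructed sample: four minimal jars (zip files with placeholder entries) in a temp dir."""
    root = tempfile.mkdtemp()
    samples = {
        "log4j-core-2.14.1.jar": [JNDI_CLASS, "META-INF/MANIFEST.MF"],  # unpatched
        "log4j-core-2.15.0.jar": ["META-INF/MANIFEST.MF"],  # class stripped as a stopgap
        "log4j-api-2.17.0.jar": ["META-INF/MANIFEST.MF"],  # at the floor, not reported
        "logback-classic-1.2.7.jar": ["META-INF/MANIFEST.MF"],  # different framework, ignored
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(Path(root, name), "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
    return audit(root)
```

Name-based matching misses shaded or repackaged jars; for those, inspect jar contents for the JndiLookup class directly.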

Enjoy some of our latest blog posts for a better understanding of this vulnerability and how to protect your environment (with Sysdig, of course)!

As always, please go check out our own Release Notes for more details on product updates, and ping your local Sysdig contact if you have questions about anything covered here.

Sysdig Secure

Sysdig Secure for Azure

Sysdig is pleased to announce the general availability of the Sysdig Secure for cloud capabilities for Azure.

  • Cloud Security Posture Management (CSPM): Based on CIS benchmarks tailored for your assets.
  • Cloud Threat Detection: Identify threats in your Azure environment using Falco rules for Azure.
  • Event Hub: Fully managed, real-time data ingestion service that’s simple, trusted, and scalable.
  • Image Vulnerability Scanning: Automatic vulnerability scanning of images pushed to Azure Container Registry and images executed on Azure Container Instance Group.

For details, see Deploy Sysdig Secure for cloud on Azure.

Sysdig Agents

The latest Sysdig Agent release is v12.1.1. Below is a diff of updates since v12.0.4, which we covered in our last update.

  • Ability to Build eBPF Probes for Debian 11 and for Linux Kernel v5.10.
  • Prebuilt Probes for Debian 11 and Fedora Kernels.
  • Enhanced Agent Containers for Probes on New Kernels with glibc v2.33.
  • File Metrics in Audit Tap.
  • Promscrape Memory Usage Limit: You can now limit the promscrape memory usage. The default is set to 640 MB. For more information, see Tuning Sysdig Agent.
  • Falco Action Works as Expected: The kill container Falco action works as expected for containerd in Azure.
  • Image Profile Shows Results Correctly: The imageid is reported correctly when using a CRI engine.
  • Kubernetes Daemonset and Replicaset Association Works as Expected: Fixed an issue that could invalidate the association between Kubernetes Daemonset and Replicaset.
  • Agent Updates Prometheus Configurations Correctly: Fixed a problem that was causing Prometheus configurations to be merged incorrectly when certain integrations were updated from the backend.
  • Duplicate Environment Variable Hashes No Longer Appear in Audit Tap: The discrepancy between reported environment variables and hash in audit tap has been fixed.

SDK, CLI and Tools

Sysdig CLI

v0.7.14 is still the latest release. The instructions on how to use the tool and the release notes from previous versions are available at the following links.

https://github.com/sysdiglabs/sysdig-platform-cli/releases/tag/v0.7.14
https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

v0.16.3 is still the latest release, which we covered in our October update.

https://github.com/sysdiglabs/sysdig-sdk-python/releases/tag/v0.16.3

Terraform Provider

v0.5.27 is still the latest release, which we covered in our last update.

Documentation

Falco VS Code Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

v0.13.0 of the Sysdig Cloud Connector was released. We covered v0.11.3 last month.

Here are some highlights of the diff between these versions:

New Features

  • Added Azure scanning capabilities
  • k8s: Allow custom tags in K8s Audit Log events
  • Allow disabling tracking via an environment variable
  • Enabled AWS brute force attack detection
  • Allow users to configure the buffer size for ingestors

Bug Fixes

  • Fixed scanning keys in the cloud-connector.yaml configuration
  • Fixed the Run Instances with Non-standard Image rule, which was not comparing the correct field
  • Added service to AWS scanning rules

Check the full list of changes to get the full details.

Inline Scanner

v2.4.7 is still the latest release, which we covered in our last update.

Sysdig Secure Inline Scan for Github Actions

v3.2.0 is still the latest release, which we covered in our last update.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

v2.1.12 is still the latest release.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Integrations

New Dashboards and Alerts

  • Kubernetes Storage and PVC dashboard and alerts
  • Troubleshooting panels in workload dashboard
  • Kubernetes alerts for containers and pods troubleshooting (Crash Loop Back Off, OOMkill, etc.)
  • Kubernetes alerts for disappearing nodes or clusters

Bug Fixes

  • Bug fixed in Pod_Rightsizing_&_Capacity_Optimization Dashboard

Training & Education

We announce the availability of the all-new Falco 101 Training Course, a must-attend training for those interested in container runtime security who want to better understand Falco, its rules syntax, alerting, configuration, and more.

Falco 101

