What’s new in Sysdig – February 2021

By Chris Kranz - FEBRUARY 23, 2021


Welcome to another monthly update on what’s new from Sysdig. Our team continues to work hard to bring great new features to all of our customers, automatically and for free! We hope you all managed to make it through January, and happy Lunar New Year! 恭喜发财 (wishing you prosperity)

February welcomes the launch of our always-popular fourth annual Sysdig Container Security and Usage report, which looks at how global Sysdig customers of all sizes and industries are using and securing container environments. This real-world data provides insights about security risks, container utilization, and services used from nearly 1 billion unique containers that our customers have been running over the past year.

In this report, you will learn:

  1. That shifting left is not enough. You also need runtime security.
  2. How much the new container runtimes and registries are increasing in popularity.
  3. Which open-source tools and standards are on the rise.

Download this report to see how your organization stacks up when it comes to securing and using containers over the past year.

As always, please go check out our own Release Notes for more details on product updates, and ping your local Sysdig contact if you have questions about anything covered here.

Sysdig Secure

Registry credentials: Support for multiple credentials

Sysdig Secure now supports assigning multiple credentials to the same registry depending on the relative internal registry path that is used to pull the image.

A wildcard can be added to the end of the path, so that any image located under that partial path inside the registry (/rg-2-1er in the example) is pulled with the credentials configured for it. This additional flexibility is useful for IBM registries, for example, where permissions can differ per namespace. Scope each credential to the narrowest path it needs, so that a pull secret for one namespace is never presented when pulling from another.
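The credential selection described above, as an added illustration (this is not Sysdig's implementation). It assumes the semantics a practitioner would expect: a trailing `*` on the path is a prefix match, the most specific matching path wins, and a prefix never matches across a path-segment boundary. The registry host, paths, usernames and secret names are constructed for the example.

```python
# Added illustration of per-path registry credential selection. This is not
# Sysdig's implementation; the matching semantics (trailing "*" = prefix match,
# most specific path wins, no match across a path-segment boundary) and the
# registry/secret names are assumptions made for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RegistryCredential:
    registry: str     # registry host, e.g. "us.icr.io"
    path: str         # "" = whole registry, "/ns/repo" = exact, "/ns*" or "/ns/*" = prefix
    username: str
    secret_ref: str   # name of the stored secret, never the secret value itself


def split_image(image: str) -> Tuple[str, str]:
    """Split "host[:port]/repo/name[:tag|@digest]" into (host, "/repo/name")."""
    host, _, rest = image.partition("/")
    if not rest:
        raise ValueError(f"image reference has no registry host: {image!r}")
    repo = rest.split("@", 1)[0]          # drop a digest
    last_slash = repo.rfind("/")
    colon = repo.rfind(":")
    if colon > last_slash:                # a ":" after the last "/" is a tag, not a port
        repo = repo[:colon]
    return host, "/" + repo


def specificity(cred: RegistryCredential, host: str, repo_path: str) -> Optional[Tuple[int, int]]:
    """Return (prefix length, exact?) if the credential applies, else None.
    Larger tuples are more specific; an exact path beats a wildcard of equal length."""
    if cred.registry != host:
        return None
    if cred.path == "":
        return (0, 0)                     # whole-registry fallback
    if cred.path.endswith("*"):
        prefix = cred.path[:-1].rstrip("/")
        # match whole path segments, so "/rg-2-1er*" does not also claim "/rg-2-1er-prod/..."
        if repo_path == prefix or repo_path.startswith(prefix + "/"):
            return (len(prefix), 0)
        return None
    return (len(cred.path), 1) if repo_path == cred.path else None


def select_credential(image: str, creds: List[RegistryCredential]) -> Optional[RegistryCredential]:
    """Pick the most specific credential for an image, or None if nothing matches."""
    host, repo_path = split_image(image)
    best, best_key = None, (-1, -1)
    for cred in creds:
        key = specificity(cred, host, repo_path)
        if key is not None and key > best_key:
            best, best_key = cred, key
    return best


# Constructed credentials for one IBM Cloud registry host (all names are made up).
CREDENTIALS = [
    RegistryCredential("us.icr.io", "", "ro-default", "icr-default"),
    RegistryCredential("us.icr.io", "/rg-2-1er*", "rg-2-1er-pull", "icr-rg-2-1er"),
    RegistryCredential("us.icr.io", "/rg-2-1er/payments", "payments-pull", "icr-payments"),
]

if __name__ == "__main__":
    for image in ("us.icr.io/rg-2-1er/web:1.4",
                  "us.icr.io/rg-2-1er/payments:2.0",
                  "us.icr.io/rg-2-1er-prod/api@sha256:0123",
                  "docker.io/library/nginx:1.21"):
        cred = select_credential(image, CREDENTIALS)
        print(image, "->", cred.secret_ref if cred else "no credential")
```

The segment-boundary check is the part worth copying: without it, a wildcard for `/rg-2-1er` would silently hand that namespace's pull secret to any image whose path merely starts with the same characters.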

See also: Manage Registry Credentials.

Enhanced activity audit filters

We have improved the noise-reduction filter for the Activity Audit feature in Sysdig Secure. The feed now automatically collapses entries that repeat identically a high number of times. No information is lost: the filtered noise consists only of duplicates of entries that remain in the feed.

A sudden reduction in the number of Activity Audit entries per time slot is expected as a result of this filter.
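To make the "no information is lost" property concrete, here is an added example of the kind of collapsing such a filter performs. It is not Sysdig's implementation: the entry fields, the per-slot threshold and the sample feed (a per-second liveness probe with one interactive shell hidden among the repetitions) are constructed for the example.

```python
# Added illustration of high-occurrence duplicate collapsing in an audit feed.
# This is not Sysdig's implementation; the entry fields, the per-slot threshold
# and the sample feed are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuditEntry:
    ts: int            # epoch seconds
    kind: str          # "command", "net", "file", "kube"
    container: str
    user: str
    detail: str        # command line, connection tuple, file path, ...
    count: int = 1     # how many identical entries this one stands for
    last_ts: Optional[int] = None


def identity(e: AuditEntry) -> Tuple[str, str, str, str]:
    """Everything except the timestamp: two entries with the same identity are duplicates."""
    return (e.kind, e.container, e.user, e.detail)


def collapse_duplicates(entries: List[AuditEntry], slot_seconds: int = 60,
                        threshold: int = 10) -> List[AuditEntry]:
    """Within each time slot, replace a group of >= threshold identical entries by one
    entry carrying the occurrence count and first/last timestamps. Groups below the
    threshold pass through untouched, so a one-off event among repeated noise is
    never hidden."""
    groups: Dict[Tuple[int, Tuple[str, str, str, str]], List[AuditEntry]] = {}
    for e in sorted(entries, key=lambda e: e.ts):
        groups.setdefault((e.ts // slot_seconds, identity(e)), []).append(e)
    out: List[AuditEntry] = []
    for members in groups.values():
        if len(members) >= threshold:
            first = members[0]
            out.append(AuditEntry(first.ts, first.kind, first.container, first.user,
                                  first.detail, count=len(members), last_ts=members[-1].ts))
        else:
            out.extend(members)
    out.sort(key=lambda e: e.ts)
    return out


def sample_feed(base: int = 1_000_000) -> List[AuditEntry]:
    """Constructed feed: a per-second liveness probe, one interactive shell, three connections."""
    feed = [AuditEntry(base + i, "command", "web-7d9f", "root",
                       "sh -c curl -s localhost:8080/healthz") for i in range(120)]
    feed.append(AuditEntry(base + 30, "command", "web-7d9f", "root", "bash -i"))
    feed += [AuditEntry(base + 5, "net", "web-7d9f", "root", "tcp 10.0.0.5:5432"),
             AuditEntry(base + 65, "net", "web-7d9f", "root", "tcp 10.0.0.6:6379"),
             AuditEntry(base + 100, "net", "web-7d9f", "root", "tcp 203.0.113.9:4444")]
    return feed


def total_occurrences(entries: List[AuditEntry]) -> int:
    """Sum of counts; equals the raw entry count when nothing has been dropped."""
    return sum(e.count for e in entries)


if __name__ == "__main__":
    raw = sample_feed()
    shown = collapse_duplicates(raw)
    print(f"{len(raw)} raw entries -> {len(shown)} shown, {total_occurrences(shown)} occurrences kept")
    for e in shown:
        print(e.ts, e.kind, e.user, e.detail, f"x{e.count}")
```

The invariant to check on any such filter is `total_occurrences(shown) == len(raw)`: the counts must add back up to the raw feed, and the one `bash -i` must still be visible with a count of 1.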

Improvements to network security policies

We continue to expand the functionality of the network segmentation we added a few months back. This month, we added the following:

  • Support for CronJobs
  • Validated support for Weave and Cilium CNI

Falco rules

v0.10.5 has the following rule changes:

  • Rule "Change thread namespace":
    • Allow cilium to nsenter.
    • Allow dynatrace to setns.
    • Allow the Sysdig agent to setns (its process name changed recently).
  • Rule "Clear Log Activities": Allow fluentd to write to and access log files in a container.
  • Macro exe_running_docker_save: Add support for CRI-O (crio) setting up containers. This affects several rules, including:
    • Modify Shell Configuration File
    • Update Package Repository
    • Write below binary dir
    • Write below monitored dir
    • Write below etc
    • Write below root
    • Write below rpm database
    • Modify binary dirs
    • Mkdir binary dirs
    • Set Setuid or Setgid bit
    • Create Hidden Files or Directories
  • Rule "Launch Package Management Process in Container": Allow the Sysdig node image analyzer to run rpm.
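The "Change thread namespace" exceptions above are allowlist entries keyed on a process name. The added example below (not Sysdig's or Falco's rule code) shows how such an allowlist changes what alerts, and why a name-only exception is weak: a binary renamed to `cilium` inherits the exception. The field names follow Falco's (`evt.type`, `evt.dir`, `proc.name`, `container.id`, `container.image.repository`), but the binary names in the allowlists, the image names and the events are assumptions constructed for the example.

```python
# Added example of how an allowlist exception in a "Change thread namespace"
# style rule works, and why matching on the process name alone is weak. This is
# not Sysdig's or Falco's rule code: the field names follow Falco's, but the
# binary names in the allowlists, the image names and the events are assumptions.
from typing import Dict, List, Set

Event = Dict[str, str]

# Tools that legitimately call setns from the host namespace (assumed list).
HOST_NS_TOOLS: Set[str] = {"dockerd", "containerd", "runc", "crio", "nsenter"}

# Process names the rule excused before and after the v0.10.5 change described on
# the page (cilium, dynatrace and the renamed Sysdig agent process). Names are assumed.
ALLOWED_V0_10_4: Set[str] = {"sysdig", "calico"}
ALLOWED_V0_10_5: Set[str] = ALLOWED_V0_10_4 | {"cilium", "cilium-agent", "oneagent", "sysdig-agent"}

# Tighter variant: an excused name is only trusted when it runs from the image that ships it.
EXPECTED_IMAGE: Dict[str, Set[str]] = {
    "cilium": {"quay.io/cilium/cilium"},
    "cilium-agent": {"quay.io/cilium/cilium"},
    "oneagent": {"docker.io/dynatrace/oneagent"},
    "sysdig-agent": {"quay.io/sysdig/agent"},
}


def change_thread_namespace(evt: Event, allowed: Set[str], require_image: bool = False) -> bool:
    """Return True when the event should raise an alert."""
    if evt.get("evt.type") != "setns" or evt.get("evt.dir") != "<":
        return False                                   # only completed setns calls
    name = evt.get("proc.name", "")
    if evt.get("container.id") == "host" and name in HOST_NS_TOOLS:
        return False
    if name in allowed:
        if not require_image:
            return False                               # name alone is enough: spoofable
        if evt.get("container.image.repository") in EXPECTED_IMAGE.get(name, set()):
            return False
    return True


def alerting_events(events: List[Event], allowed: Set[str], require_image: bool = False) -> List[int]:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if change_thread_namespace(e, allowed, require_image)]


# Constructed events (not captured data).
SAMPLE_EVENTS: List[Event] = [
    {"evt.type": "setns", "evt.dir": "<", "proc.name": "cilium", "proc.pname": "cilium-agent",
     "container.id": "3f1a9c", "container.image.repository": "quay.io/cilium/cilium"},
    # a binary renamed to "cilium", running from an unrelated image
    {"evt.type": "setns", "evt.dir": "<", "proc.name": "cilium", "proc.pname": "sh",
     "container.id": "9c2d44", "container.image.repository": "docker.io/library/busybox"},
    {"evt.type": "setns", "evt.dir": "<", "proc.name": "nsenter", "proc.pname": "bash",
     "container.id": "host", "container.image.repository": ""},
    {"evt.type": "setns", "evt.dir": "<", "proc.name": "python3", "proc.pname": "bash",
     "container.id": "9c2d44", "container.image.repository": "docker.io/library/busybox"},
    {"evt.type": "execve", "evt.dir": "<", "proc.name": "cilium", "proc.pname": "sh",
     "container.id": "9c2d44", "container.image.repository": "docker.io/library/busybox"},
]

if __name__ == "__main__":
    print("v0.10.4 rule:", alerting_events(SAMPLE_EVENTS, ALLOWED_V0_10_4))
    print("v0.10.5 rule:", alerting_events(SAMPLE_EVENTS, ALLOWED_V0_10_5))
    print("v0.10.5 + image check:", alerting_events(SAMPLE_EVENTS, ALLOWED_V0_10_5, require_image=True))
```

When you carry a vendor exception like this into your own rule overrides, pair the process name with something the attacker does not control from inside a compromised pod, such as the image repository or the parent process, as the `require_image` variant does.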

Sysdig Monitor

Import Prometheus alert rules

You can now import Prometheus alert rules into Sysdig Monitor. Importing them as YAML makes it easy to reuse Prometheus ecosystem resources, such as the rules published on promcat.io.

For more information, see Import Prometheus Alert Rules.

UX improvements

Sysdig Monitor interface has been enhanced to provide the following capabilities:

  • Edit dashboard scopes in the panel editor
  • Set a dashboard template as the team entry point

Sysdig Agents

Sysdig Agent

The latest Sysdig Agent release is 10.9.1. Below is a diff of updates since 10.9.0, which we covered in our last update.

Fixes

  • Thin Cointerface works as expected – Fixed a defect in the Thin Cointerface feature which could cause Kubernetes metadata to stop updating. Because Thin Cointerface is turned off by default, the change affects only a small number of users who have this feature turned on.

Sysdig Agent – Helm chart

The Helm Chart 1.11.3 is still the latest version.

Node image analyzer

Version 0.1.9 was released and contains the following diff updates since v0.1.7, which we covered in our last update.

  • Fixed an issue that prevented some images from being processed on GKE clusters using Docker and containerd.
  • Fixed an issue that prevented some images that don’t have full tags from being processed on OpenShift.
  • Improved version detection for logback, SpringFramework, and Tomcat Java packages.
  • Fixed an issue that resulted in the image analyzer crashing without a proper error message when an incorrect Docker socket path was provided.
  • Fixed an issue that resulted in a node image analyzer (NIA) crash when image data could not be retrieved in some cases on CRI/OpenShift clusters.

Node image analyzer can be installed as part of the Sysdig Agent install.

Inline scanning engine

Version 2.3 was released and contains the following diff updates since v2.2, which we covered in our last update.

  • Allow setting the OpenSSL security level via the OPENSSL_SECLEVEL environment variable, to support older certificates. Lowering the security level relaxes the key-size and signature-algorithm checks for the scanner's TLS connections, so set it only where a legacy registry certificate requires it.
  • Improved version detection for logback, SpringFramework, and Tomcat Java packages.
  • More robust image ID computation, avoiding unnecessary re-scans of the same image across the container lifecycle.
  • Added malware scan support via ClamAV. Note: Please speak to the Sysdig team before enabling this.
  • Avoid prefixing with localbuild when not strictly necessary.

See also: Integrate with CI/CD Tools.

SDK, CLI and Tools

Sysdig CLI

v0.7.4 is still the latest release.

Python SDK

v0.14.13 is still the latest release.

Terraform provider

v0.5.11 has been released. Below are the diff changes from v0.5.10, which we covered last month:

New Features:

  • New scope parameter for sysdig_monitor_dashboard resources that allows you to define the global scope of a dashboard and assign PromQL variables.
  • Add user provisioning without email confirmation for the sysdig_user resource.

Bug Fixes:

  • Solve crash when updating Dashboard v3.
  • Solve Monitor alert import and vulnerability exception removal.
  • Improve Monitor Alert condition regexp.

Check the documentation for more information.

Falco VS Code extension

v0.1.0 is still the latest release.

Sysdig Cloud Connector

v0.4.4 was released. Below is a diff of updates since v0.4.0, which we covered last month:

Features:

  • Disable noisy rules.
  • Add a rule to detect AWS Cloud Shell environment creation.
  • Add a guide to deploy on GCP.

Bug Fixes:

  • Make sure alerts are sorted before sending to CloudWatch.


Sysdig Secure inline scan for Github Actions

v3 is still the latest version.

Sysdig Secure Jenkins plugin

v2.1 is still the latest version.

Promcat.io

The following updates were made:

  • Added Nginx ingress controller
  • Added Microsoft Sql Server
  • Added Docker engine
  • Added SSL auth to MongoDB and PostgreSQL
  • Updated OCP HAproxy with promscrape v2

