Welcome to another monthly update on what’s new from Sysdig! Happy 4th of July to our American audience, and bonne Bastille to our French friends. It’s been heating up in the northern hemisphere, so we hope you’ve all been managing to stay cool and safe.
Our team continues to work hard to bring great new features to all of our customers, automatically and for free! The big news this month is our intent to acquire Apolicy, which has everyone full of excitement. We’re already looking forward to the integrations!
As always, please go check out our own Release Notes for more details on product updates, and ping your local Sysdig contact if you have questions about anything covered in here.
See also: Compliance.
Extended Existing Compliance Standards to AWS
For the following existing compliance standards, we have added rules for the AWS cloud provider:
- NIST 800-53 rev4 for AWS
- NIST 800-53 rev5 for AWS
- ISO 27001:2013 for AWS
- SOC2 for AWS
- HIPAA for AWS
Added New Compliance Standards
We have also added the following new compliance standards to Sysdig Secure’s offerings:
- GDPR for AWS
- GDPR for workload
- NIST 800-190 for workload
Trimmed Excess Rules from Some Standards
Certain rules have been re-evaluated and were removed because they did not significantly contribute to the security posture:
- Logged in without Using MFA (merged with Console Login Without MFA)
- Interpreted procs outbound network activity
- Launch Suspicious Network Tool in Container
- All K8s Audit Events
CIS RedHat OpenShift Container Platform v4 Benchmark
Support for CIS RedHat OpenShift Container Platform v4 Benchmark has been added to Sysdig Secure.
As part of this release, Sysdig lets you scan and validate compliance against the 112 controls included in the CIS Benchmark requirements.
See also: Benchmarks
v0.22.0 is the latest version. Below is a diff of changes from v0.20.1, which we covered last month.
Once again, we have a lot of changes and improvements between these versions as we continue to bring you more cloud security rules and improve our container security rules. This includes:
- Various improvements to GCP Rules handling Google Cloud Logs.
- Additional changes made to use exceptions for easier exception handling.
Check the full scope of these updates on the Falco rules changelog.
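To illustrate the move to exceptions mentioned above, here is an added example (not a rule from the shipped Sysdig/Falco ruleset) showing a hypothetical rule written first with its allow-list embedded in the condition, then with a Falco exceptions block, and finally a local override that extends that exception with append: true. The rule name, paths and process names are constructed for illustration.

```yaml
# Added illustrative example; the rule, directory and process names are
# constructed and do not come from the Falco rules repository.

# Before: the allow-list lives inside the condition. Extending it from a
# local rules file means re-stating the whole condition.
- rule: Write below secrets dir (before)
  desc: Detect writes under a sensitive directory (example path)
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write=true
    and fd.name startswith /etc/secrets
    and not proc.name in (backup-agent, config-sync)
  output: "File written under /etc/secrets (user=%user.name cmd=%proc.cmdline file=%fd.name)"
  priority: WARNING
  tags: [filesystem]

# After: the allow-list is a named exception. Each entry in `values` is one
# tuple matched against `fields` using the operators listed in `comps`;
# a matching tuple suppresses the alert.
- rule: Write below secrets dir
  desc: Detect writes under a sensitive directory (example path)
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write=true
    and fd.name startswith /etc/secrets
  exceptions:
    - name: trusted_writers
      fields: [proc.name, fd.directory]
      comps: [=, startswith]
      values:
        - [backup-agent, /etc/secrets]
        - [config-sync, /etc/secrets/sync]
  output: "File written under /etc/secrets (user=%user.name cmd=%proc.cmdline file=%fd.name)"
  priority: WARNING
  tags: [filesystem]

# Local override (for example in falco_rules.local.yaml, loaded after the
# file above): extend the named exception without touching the shipped rule.
# Falco appends these tuples to `trusted_writers`.
- rule: Write below secrets dir
  exceptions:
    - name: trusted_writers
      values:
        - [vault-agent, /etc/secrets/vault]
  append: true
```

Keeping exception tuples narrow (process name plus directory rather than process name alone) limits how much a single allow-listed binary can write unobserved.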
The latest Sysdig Agent release is 11.3.0. Below is a diff of updates since 11.2.1, which we covered in our last update.
In addition to the below improvements, the Sysdig Agent can also now be installed in AWS ECS Anywhere!
- Console Logging: Introduced per-component-level console logging feature. See Manage Console Logging for Agent Components.
- Slim Agent for eBPF Probes: agent-kmodule-thin can now be used to build eBPF probes.
- Replication Controller Fields: Added missing replication controller fields to the aggregator Actions.
- Non-Delegated Agents Retrieve Less Data From the API Server: Use Kubernetes leases to better control the load on the Kubernetes API Server. This is disabled by default.
- Agent No Longer Generates Core Dumps on Java: Prevents java process core dumps caused by the Sysdig agent while trying to access
- Support Container Action on Containerd: Container actions are now properly supported on containerd (CRI-O and other CRI engines already had support). Actions for unsupported container engines are now properly reported to the Sysdig backend, and a warning message is logged in the agent logs.
- Recovery During Agent Shutdown: Introduced a detection and recovery mechanism for hangs during agent shutdown.
- Promscrape V2 Termination No Longer Causes Agent Crash: Fixed a problem causing the agent to crash after
- Agent No Longer Restarts in Kubernetes Environment: The agent fetches the metadata of the AWS instance on which it is running in order to tag the metrics it generates with information unique to that instance. If the metadata structure was not as expected, the agent continuously restarted due to an error while fetching that metadata. This issue has been fixed.
- Profiling Works as Expected: Fixed an issue that disabled support for performance profiles in the agent.
Sysdig Serverless Agent
The latest Sysdig Serverless Agent release is 2.0.0. Below is a diff of updates since 1.0.1, which we covered in our last update.
- Captures Available: Announcing the availability of the Captures feature in Fargate.
- Fixed/Enabled Policy Scoping on Instrumented Fargate Tasks: At this time, only container-related scope labels, such as container.name, are supported.
- Delay Event Source Startup by Default: The system now waits for policies to be available before launching the instrumented task, to fully secure workloads.
- Fixed Exit Codes for Faulty Workloads: The exit codes of the instrumented tasks are now faithfully propagated.
- Better Handling of cmd and entrypoint Errors: Log more informative errors when cmd and entrypoint are not available for serverless agent instrumentation.
- Fixed S3 Bucket Error: Fixed an issue in the serverless agent installer that caused a failure while attempting to create an S3 bucket in us-east-1 region.
Sysdig Agent – Helm Chart
The Helm Chart 1.12.7 is the latest version. Below is a diff of updates since v1.12.1, which we covered in our last update.
- Update agent to 11.3.0
- Some bug fixes regarding the new Node Analyzer deployment parameters
0.1.12 is still the latest release, which we covered in our last update.
v0.1.13 is the latest release. Below is a diff of updates since v0.1.12, which we covered in our last update.
- Fixed a GKE- and ContainerID-specific bug where the node image analyzer couldn’t scan the image due to missing blobs.
- Implemented a few-second pause at startup to allow for Istio sidecars to complete the initialization before creating connections.
- The Sysdig-approved Universal Base Image (UBI) is now used as the base image, ensuring the highest patch level approved by our security team.
The node image analyzer can be installed as part of the Sysdig Agent installation: https://docs.sysdig.com/en/scan-running-images.html
Inline Scanning Engine
v2.4.3 is the latest release. Below is a diff of updates since v2.4.2, which we covered in our last update.
- Updated base image to get updated security fixes (June 2021).
- Fixed incorrect version detection for Apache Struts 2 packages, which was leading to false positives.
See also: Integrate with CI/CD Tools.
v3.4.0 is the latest release. Below is a list of the top features from the most recent releases, as we haven’t featured it in these updates before.
- Allow the use of wildcards for namespaces.
- Don’t send Activity Audit requests on attach.
- Mark k8s audit onboarding check.
- Allow to set the log level.
- kubectl exec events on Sysdig Secure Activity Audit.
- ka.req.binding.subjects to return only the list of names.
- Handle error when image is not found.
- Handle errors when evaluating according to configuration.
- Improve messages giving more context about the evaluation results.
- Make sure we trim the trailing slash from the URL.
- Add rule reloader based on the RetryAfter parameter from the backend.
- Add a feature flag to enable K8s audit detections.
- Include build info in the logger.
- Add runtime detections with Falco K8s audit rules.
SDK, CLI and Tools
v0.7.12 is the latest release. Below is a diff of updates since v0.7.11, which we covered in our last update.
- Add update-json option on dashboards.
v0.16.2 is the latest release. Below is a diff of updates since v0.16.1, which we covered in our last update.
- sdcclient.secure.ActivityAuditClientV1 to query Activity Audit events.
- This deprecates the SdSecureClient.get_command_audit() methods that use an old API endpoint. The methods are kept to maintain backwards compatibility in old on-prem installations, but will be removed over time.
v0.5.15 is the latest release. Below is a diff of updates since v0.5.14, which we covered in our last update.
- Enhanced error reporting from the API: Previously, some API errors were reported as “422 Unprocessable Entity” without further information. Now, the provider tries to retrieve the message from the API and shows it to the user for more context on what is wrong with the resource.
- Ignore 404 errors while removing resources: If a resource is being removed but was previously removed through the UI or other client, we can safely ignore this error.
- Documented the type parameter for the
- Added extra_headers documentation to the provider (for IBM users or extra headers needed for proxies).
- Updated some resource attributes documentation, mainly to report that all of them export the ID after the creation.
- Clarified the team name documentation, indicating that teams created in Monitor cannot have the same name as ones existing in Secure. This was confusing for some customers.
Falco VS Code Extension
v0.1.0 is still the latest release.
Sysdig Cloud Connector
Here are some highlights of the diff between these versions:
- Enhanced compatibility with Falco.
- Added benchmarks to the evaluator.
- Publish images on Quay.io.
- Azure rule for not allowing SSH inbound connection to a VM.
- Azure rules for detecting function, blob, and container operations.
- Azure rules for database services, logging and monitoring, and networking.
- Updated validator for
- Don’t ship
- Don’t send the containerID and hostname right now.
- Ensure we are using a paginator to retrieve logs from CloudWatch Logs.
- Register GCP account.
- (ingestor/eks) Don’t lose ticks when processing takes longer than the interval.
Check the full list of changes to get the full details.
Sysdig Secure Inline Scan for Github Actions
v3.0.2 is still the latest, which we covered last month:
Sysdig Secure Jenkins Plugin
v2.1.9 is still the latest, which we covered last month:
New Website Resources
- Sysdig and Apolicy join forces to help customers secure Infrastructure As Code and automate remediation
- How to Establish a Culture of Secure DevOps
- Detecting new crypto mining attack targeting Kubeflow and TensorFlow
- Monitoring Availability Metrics with Blackbox exporter and Sysdig
- Top 10 vulnerability assessment and management best practices
- Deploying Sysdig from the new AWS CloudFormation Public Registry
- Preparing for the Certified K8s Security Specialist (CKS) Exam
- Less is more – Scan containers and hosts in one workflow
- Take the CKS Exam: Hands-on with Walid Shaari