It’s time for another publication of What’s New in Sysdig in 2022! I’m in charge of the “What’s new in Sysdig” blog for the month of June! Hello, I’m Majid Hussain, a Sr. Customer Solutions Engineer based in Morrisville, NC, working with the Sysdig US East Customer Success team since Aug. 2021.
My desire to learn more about containers, Kubernetes, and cloud is what landed me at Sysdig and boy am I learning here! Go Sysdig!
This month’s highlights include some fine touches we’ve brought into Sysdig Monitor: the ability to view live logs on a container, translation of form queries into PromQL, and multi-query support for stacked area charts. On the Sysdig Secure side, Drift Control makes its debut.
Sysdig Monitor
There are a lot of new changes in Sysdig Monitor. Check our release page for the complete list.
Live logs
Advisor displays live logs for a container, which is the equivalent of running kubectl logs. This strengthens Monitor for troubleshooting, allowing users to debug problems such as pods in a CrashLoopBackOff state. It also consolidates tooling, reducing the need to use other tools and keeping users in the product for troubleshooting and RCA.
Note: Live logs are tailed on-demand and, thus, not persisted. After a session is closed they are no longer accessible.
Live logs will be enabled by default in agent 12.7.0 (pending release) or newer. Agent 12.6.0 supports live logs but must be manually enabled. Older versions of the Sysdig Agent do not support live logs.
For more details, please refer to the Live Logs docs.
Translate form-query to PromQL
Advanced Prometheus knowledge is no longer required to build complex PromQL queries in Sysdig Monitor. With a single click, you can translate a form query to PromQL and build PromQL-based dashboards in no time. For more information, see Build PromQL Panels from Form Query.
Multi-query support for stacked area charts
Timechart now supports visualizing multiple queries as stacked areas on the same y-axis.
With this feature, it’s easier to visualize and compare sparse metrics.
Sysdig Secure
Container drift
Drift Control detects and prevents execution of executable files that were added or modified after a container is deployed into production. It uses real-time deep visibility into running containers to automatically identify those spurious executables.
It can be enabled in detection mode to alert on attempts to run packages or binary files that were added or modified at runtime, such as:
- Execute a package that was downloaded or updated with package manager
- Execute a file whose permission/attribute has been changed to executable
In prevention mode, Drift Control blocks those detected new executables from running.
For more details, please read our blog on container drift.
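As an added illustration (not Sysdig’s code, and not how Drift Control is actually implemented), the following Python models why both cases above are detectable: with an overlay root filesystem, a binary installed at runtime and an image file that is chmod’ed to executable both end up in the container’s writable upper layer, so an exec whose binary resolves there is drift. The container, file paths and policy names are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class OverlayContainer:
    """Image layers are read-only; anything changed at runtime lands in `upper`."""
    image: dict[str, int]                                # path -> mode bits baked into the image
    upper: dict[str, int] = field(default_factory=dict)  # path -> mode bits written after deploy

    def write(self, path: str, mode: int = 0o755) -> None:
        """A download or package-manager install creates/overwrites a file in the upper layer."""
        self.upper[path] = mode

    def chmod(self, path: str, mode: int) -> None:
        """chmod on an image file triggers overlay copy-up: the file now lives in the upper layer."""
        if path not in self.upper and path not in self.image:
            raise FileNotFoundError(path)
        self.upper[path] = mode

    def exec_check(self, path: str, policy: str = "detect") -> dict:
        """Evaluate an exec() of `path` under policy 'detect' (alert only) or 'prevent' (block)."""
        if policy not in ("detect", "prevent"):
            raise ValueError(f"unknown policy: {policy}")
        if path in self.upper:
            layer = "upper"
        elif path in self.image:
            layer = "image"
        else:
            return {"path": path, "drift": False, "action": "enoent"}
        drift = layer == "upper"          # added or modified after the container was deployed
        if not drift:
            action = "allow"
        elif policy == "prevent":
            action = "block"
        else:
            action = "alert"
        return {"path": path, "drift": drift, "action": action}


def demo(policy: str) -> list[dict]:
    """Constructed scenario: an nginx image that is tampered with after deployment."""
    c = OverlayContainer(image={"/usr/sbin/nginx": 0o755, "/opt/app/helper.sh": 0o644})
    c.write("/usr/local/bin/newtool")       # case 1: binary installed/downloaded at runtime
    c.chmod("/opt/app/helper.sh", 0o755)    # case 2: shipped file made executable -> copy-up
    return [c.exec_check(p, policy)
            for p in ("/usr/sbin/nginx", "/usr/local/bin/newtool", "/opt/app/helper.sh")]
```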
Falco rules
v0.74.3 is the latest version. Here are some highlights of the changes from v0.67.1, which we covered in May.
Added the following rules:
- AWS Suspicious IP Inbound Request
- eBPF Program Loaded into Kernel
Further details and the full changelog can be found on Sysdig documentation.
Sysdig Agents
The latest Sysdig Agent release is v12.6.0.
Please refer to our v12.6.0 Release Notes for further details.
SDK, CLI, and tools
Sysdig CLI
v0.7.14 is still the latest release (Download Link). The instructions on how to use the tool and the release notes from previous versions are available at the following link:
https://sysdiglabs.github.io/sysdig-platform-cli/
Python SDK
v0.16.3 is still the latest release, which we covered in our October update.
https://github.com/sysdiglabs/sysdig-sdk-python/releases/tag/v0.16.3
Terraform Provider
v0.5.37 is the newest release.
Documentation – https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs
Github link – https://github.com/sysdiglabs/terraform-provider-sysdig
Terraform Modules
AWS Sysdig Secure for Cloud has a new release! – v0.9.1
GCP Sysdig Secure for Cloud has a new release! – v0.9.0
Azure Sysdig Secure for Cloud has a new release! – v0.9.0
Note: Please check the release notes for potential breaking changes.
Falco VS Code Extension
v0.1.0 continues to be the latest release.
https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0
Sysdig Cloud Connector
Sysdig Cloud Connector has seen an updated release to v0.16.11.
Features include:
- Added aws-cloudtrail-s3-sns-sqs-eventbridge ingestor
- Appended new exceptions if fields are present
- Updated yaml v2 to v3
Check the list of changes to get full details.
Admission Controller
Sysdig Admission Controller has been updated to v3.9.5.
Changes since v3.9.3 include:
- Added helpers to troubleshoot rules parse error
- Updated yaml v2 to v3
- Appended new exceptions if fields are present
Documentation – https://docs.sysdig.com/en/docs/installation/admission-controller-installation/
Runtime Vulnerability Scanner
The new vuln-runtime-scanner has been updated to release v1.1.1.
This release contains the following change:
- Optimized requests performed on the Kubernetes API
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/runtime
Sysdig CLI Scanner
The Sysdig CLI Scanner binary has been updated to v1.1.1.
Note: If you are using this binary for local scanning in your development environment or your pipeline does not automatically pull the latest binary, we recommend you update. Follow the instructions in the documentation to retrieve the latest binary. The documented steps work well in a pipeline too when your CI/CD pipelines can access the Internet. Really, it’s best to assume there’s always a new release!
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/
Image Analyzer
The latest Sysdig Image Analyzer version is still v0.1.17.
Host Analyzer
The latest Sysdig Host Analyzer version is still v0.1.7.
Documentation – https://docs.sysdig.com/en/docs/installation/node-analyzer-multi-feature-installation/#node-analyzer-multi-feature-installation
Sysdig Secure Inline Scan for Github Actions
A new release is available! The release is v3.4.0.
https://github.com/marketplace/actions/sysdig-secure-inline-scan
Sysdig Secure Jenkins Plugin
The version has not changed since the last blog and is still v2.1.14.
https://plugins.jenkins.io/sysdig-secure/
Prometheus Integrations
There have been a few releases in the Prometheus Integrations space since the last post. An aggregate of changes is below.
Integrations
- feat: Added Fluentd integration
- feat: Added NTP integration
- feat: Added support for CA files in ElasticSearch exporter Helm chart
- fix: Removed duplicated securityContext in ElasticSearch exporter Helm chart
- refactor: Changed the ElasticSearch wizard and Helm chart to use secrets for URL of the ElasticSearch server
- refactor: Bumped helm chart repository version to include NTP exporter and fixes in Elasticsearch
- feat: Added HaProxy integration
- feat: Added PHP-fpm integration
- feat: Split Kubelet PVC-and-Storage integration in two different ones (PVC and Storage)
- feat: Enabled by default Kubelet-PVC metrics
- feat: Added README file to KSM-cAdvisor helm chart
- feat: Updated agent jobs for kube-controller-manager and kube-scheduler to support HTTPS and authentication
- fix: Helm chart for ElasticSearch exporter. Also added CA certificates option.
- fix: Added README file to OSS KSM helm chart
- fix: Public Readme file of the helm charts was not updating
- fix: NTP wizard was not rendering after prerequisites
- fix: Added logo to Fluentd integration
- docs: Created a new page in docs with automated info on the current supported integrations
- fix: Added php-fpm logo
- feat: Disabled by default Kubelet-PVC metrics
- fix: Elastic chart typo
Dashboards and alerts
- feat: Added Fluentd dashboard and alert templates
- feat: Added NTP dashboard and alert templates
- feat: Added dashboard and alert templates for HAProxy
- fix: Changes in the rules to show/hide Kubernetes dashboards to prevent hiding when unstable metrics or disconnected agents
- fix: Fixed waiting time in Portworx alert templates with predict linear functions
- fix: Fixed used request in the cluster capacity planning
- fix: Fixed minor typos in NTP dashboard
Exporter images
- feat: Added exporter images for NTP exporter:
  - quay.io/repository/sysdig/ntp-exporter:v2.0.3
  - quay.io/repository/sysdig/ntp-exporter:v2.0.3-ubi
- feat: New exporter image for PHP-FPM:
  - quay.io/sysdig/php-fpm-exporter:v2.3.0
  - quay.io/sysdig/php-fpm-exporter:v2.3.0-ubi
- fix: Fixed and updated the JMX exporter image:
  - quay.io/sysdig/promcat-jmx-exporter:v0.17.0
  - quay.io/sysdig/promcat-jmx-exporter:v0.17.0-ubi
Promcat.io
- feat: Added HaProxy 2.3
- feat: Added PHP-FPM integration
- fix: Moved Cassandra exporter image to quay
Sysdig On-Premise
The 5.1.2 On-Premise minor release remains the latest.
The full release notes can be found here: Sysdig Docs or Github.
New website resources
Blogs
- KubeCon EU 2022 – Trends & Highlights
- How to Secure Amazon EC2 with Sysdig
- Detecting and mitigating CVE-2022-26134: Zero day at Atlassian Confluence
- Prometheus 2.36 – What’s new?
- Breaking down firewalls with BPFDoor (no e!) – How to detect it with Falco
- Secure SSH on EC2: What are the real threats?
- How to detect the containers’ escape capabilities with Falco
- How to monitor and troubleshoot Fluentd with Prometheus
- How to Secure AWS Route 53 with Sysdig
- 5 reasons why Sysdig partners with Proofpoint to enhance cloud security
- Preventing container runtime attacks with Sysdig’s Drift Control
Webinars
- July 14 – Crack the Exam Code to Become a Certified K8s Security Specialist (CKS)! Tips and Tricks to Prepare with Saiyam Pathak, CNCF Ambassador and Daniel Lemos, CKS
- July 19 – Kubernetes Monitoring Best Practices
- July 21 – A Comprehensive Approach to Cloud Threat Detection and Response
- July 26 – Troubleshoot Kubernetes in A Snap with Sysdig Monitor Advisor
- August 04 – FIND, FOCUS, and FIX the Cloud Threats that Matter Solutions Forum
Tradeshows
- July 26-27, AWS Reinforce 2022, Boston MA
- August 6-11, Blackhat USA 2022, Las Vegas NV
- October 10-12, ISC2, Las Vegas NV
- October 11-13, Google Next, San Francisco CA
- October 24-28, Kubecon NA 2022, Detroit MI
- November 28 – December 2, AWS Reinvent, Las Vegas NV