Welcome to another iteration of What’s New in Sysdig in 2022! The “What’s new in Sysdig” blog has fallen to me, Jason Donahue, for the month of March! I am a Solutions Engineer based in New Jersey and a member of the Sysdig US East Enterprise team since September 2021. I have worn many hats in my career, from networking to systems administration to software engineering. No matter what my role is, I have always had a focus on security and love building tools to make my job, and that of my colleagues, easier.
This month’s highlights include a couple of video tours showing off the new Sysdig UI. We introduced the new UI in last month’s blog, but this month we have some videos highlighting what has changed.
First up, we have Sysdig Secure:
Next is Sysdig Monitor:
In security news, we saw the new vulnerability CVE-2022-0847, also known as “Dirty Pipe.” This is a local privilege escalation flaw in the Linux kernel that lets an unprivileged local user overwrite data in read-only files. To read more about this vulnerability, and how Sysdig Secure can alert on it, read our blog post CVE-2022-0847: “Dirty Pipe” Linux Local Privilege Escalation.
Secure your Cloud with MFA and CIEM
This month, we released a blog emphasizing the importance of multi-factor authentication for your cloud accounts. The blog goes into detail about the many ways a password can be obtained, whether it’s through a brute force attack, credential leak, or phishing attack. MFA helps prevent a potential disaster by adding an additional layer of security to your accounts.
Related, Sysdig Secure now includes User Risk Labels to help quickly identify common user misconfigurations, including identifying accounts with MFA disabled. Read more about this new feature below.
New CIEM Features
We are happy to announce that a new set of features are available to customers leveraging our CSPM for CIEM.
User Risk Labels
Risk labels are now available to highlight highly insecure attributes of specific Users and Roles in your cloud accounts, such as a user with console access but no MFA device. They are listed on the Users and Roles page and within the User Details tab of a specific user.
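The kind of check that produces a label like “MFA disabled” can be reproduced from the raw data yourself. The following is an added example, not Sysdig code: it parses an IAM credential report (the CSV returned by `aws iam get-credential-report`) and assigns a few risk labels per user. The report content below is constructed for illustration, and the label names and thresholds are this example’s own choices, not Sysdig’s.

```python
import csv
import io

# Constructed sample modelled on the IAM credential report's column names.
# The account ID, users and timestamps are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2022-03-01T10:00:00+00:00,not_supported,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-06-01T00:00:00+00:00,true,2022-03-10T09:00:00+00:00,2021-06-01T00:00:00+00:00,N/A,true,true,2021-06-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-09-01T00:00:00+00:00,true,2022-03-11T09:00:00+00:00,2021-09-01T00:00:00+00:00,N/A,false,true,2021-09-01T00:00:00+00:00,true,2021-10-01T00:00:00+00:00
ci-bot,arn:aws:iam::111111111111:user/ci-bot,2021-09-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-09-01T00:00:00+00:00,false,N/A
"""

ROOT = "<root_account>"  # the report names the root user this way


def risk_labels(report_csv):
    """Return {user: [labels]} for every user with at least one finding.

    Labels (this example's own names, not Sysdig's):
      - "MFA disabled": console access (password enabled, or root) without MFA.
        Users with API keys only are not flagged here, since MFA does not
        apply to access keys.
      - "root access key active": root has a long-term access key.
      - "two active access keys": both key slots active, so a leaked key is
        harder to rotate cleanly.
    """
    labels = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        found = []
        key1 = row["access_key_1_active"] == "true"
        key2 = row["access_key_2_active"] == "true"
        console = user == ROOT or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            found.append("MFA disabled")
        if user == ROOT and (key1 or key2):
            found.append("root access key active")
        if key1 and key2:
            found.append("two active access keys")
        if found:
            labels[user] = found
    return labels


if __name__ == "__main__":
    for user, found in risk_labels(SAMPLE_REPORT).items():
        print(f"{user}: {', '.join(found)}")
```

On the sample, root and `bob` are flagged for missing MFA, `bob` additionally for carrying two active access keys, and `ci-bot` is not flagged because it has no console password, only an access key.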
Trend Charts in Overview
Charts are now available to show trends over time within the Overview tab of the Identity and Access section of the UI. These charts help visualize your permission trends over time for Users, Policies, and Resources.
CSV Report Export
All reports and pages within the Identity and Access section of the UI can now be exported to a CSV File. You can select the Download CSV button found at the top right corner of all pages.
Effective Permission Calculation
AWS supports several policy types that restrict permissions at different scopes: permissions boundaries attached to an individual user or role, and Service Control Policies (SCPs) applied through AWS Organizations. Sysdig now takes both into account when calculating effective permissions, so the permission view for an identity reflects what that identity can actually do rather than only what its identity-based policies grant.
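To make the difference between granted and effective permissions concrete, here is an added example (not Sysdig’s implementation) of a simplified evaluator. It applies the parts of the AWS evaluation logic the paragraph is about: an explicit Deny anywhere wins, and an action is allowed only when an identity policy allows it and every gating layer (the permissions boundary, if present, and each SCP on the path from the organization root) also allows it. Conditions, resource policies and session policies are deliberately left out, and the policies below are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policies (assumptions for this example, not real account data).
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"},
]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
SCP_ROOT = {"Statement": [  # same shape as the default FullAWSAccess SCP
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
SCP_OU = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Decision of a single policy: 'Deny', 'Allow', or None (no match)."""
    result = None
    for stmt in policy.get("Statement", []):
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny is final for this policy
        result = "Allow"
    return result


def _combine(policies, action, resource):
    """Identity-based policies are evaluated as a group: any Deny wins, else any Allow."""
    decisions = [evaluate(p, action, resource) for p in policies]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else None


def effective_decision(action, resource, identity_policies, boundary=None, scps=()):
    """'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource.

    scps is the list of SCPs on the path root -> OU -> account; each must allow.
    """
    identity = _combine(identity_policies, action, resource)
    gates = [evaluate(scp, action, resource) for scp in scps]
    if boundary is not None:
        gates.append(evaluate(boundary, action, resource))
    if identity == "Deny" or "Deny" in gates:
        return "Deny"
    if identity == "Allow" and all(g == "Allow" for g in gates):
        return "Allow"
    return "ImplicitDeny"


def effective_actions(candidates, resource, identity_policies, boundary=None, scps=()):
    """Subset of candidate actions that are actually allowed."""
    return sorted(a for a in candidates
                  if effective_decision(a, resource, identity_policies, boundary, scps) == "Allow")


def demo():
    """Granted-looking permissions vs. effective ones for the constructed identity."""
    candidates = ["s3:GetObject", "s3:DeleteBucket", "iam:CreateUser"]
    resource = "arn:aws:s3:::example-bucket/key"
    granted = effective_actions(candidates, resource, [IDENTITY])
    effective = effective_actions(candidates, resource, [IDENTITY], BOUNDARY, [SCP_ROOT, SCP_OU])
    return granted, effective


if __name__ == "__main__":
    granted, effective = demo()
    print("identity policy alone:", granted)
    print("with boundary and SCPs:", effective)
```

Reading the identity policy alone, this user looks like it can create IAM users and delete buckets; with the boundary (S3 only) and the OU-level SCP (no `s3:DeleteBucket`) applied, only `s3:GetObject` survives. That gap is exactly what an effective-permission view is meant to expose.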
CIEM Data in Insights
Within the Cloud Activity and User Activity views in Insights, there is now an Identity and Access tab. It provides a high-level overview and a starting point for investigation from the IAM perspective.
Data Sources Instrumentation
On the Data Sources > Managed Kubernetes page: For unconnected clusters, Sysdig has added quick instrumentation instructions using the known details about the cluster, such as the cloud account, region, and cluster name.
Falco 0.31.1 is the latest and greatest version of the Falco engine released. Notable new features include the ability to specify multiple --cri command line options for different container runtime socket paths, as well as added resilience against TOCTOU (time-of-check to time-of-use) attacks that could lead to rule bypasses.
Some additional highlights are below:
- A new drop category called n_drops_scratch_map
- Refactoring of the userspace/falco
- Updates to existing and new rules
There’s so much more, and you can find all the details in the release blog post, official changelog, and Sysdig documentation.
The latest Sysdig Agent release is v12.3.1. Below is a summary of the changes since v12.2.1, which we covered in our last update.
- Defect Fix: Silencing noisy messages from the kernel that could generate spam when the syscall event buffer is full.
- New Category for Falco Baseline called “binaries.”
- Support for Workload Information from the Falco Baseline.
- Added default monitoring of Kubernetes resources such as “persistentvolumeclaims,” “storageclasses,” and “horizontalpodautoscalers.”
Please refer to our v12.3.1 Release Notes for further details.
SDK, CLI, and Tools
v0.7.14 is still the latest release (Download Link). The instructions on how to use the tool and the release notes from previous versions are available at the following link:
v0.16.3 is still the latest release, which we covered in our October update.
The Terraform Provider has been updated and the latest version is
Documentation – https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs
Github link – https://github.com/sysdiglabs/terraform-provider-sysdig
Falco VS Code Extension
v0.1.0 is still the latest release.
Sysdig Cloud Connector
Sysdig Cloud Connector has been updated to
- Correct origin annotations when requesting a scan through the Admission Controller.
- Do not stop AWS event ingestion on timeouts.
- Allow the dispatcher to identify the event time included in auditor events.
Check the full list of changes to get the full details.
Sysdig Admission Controller has been updated to
Documentation – https://docs.sysdig.com/en/docs/installation/admission-controller-installation/
Sysdig Inline Scanner has been updated to
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/scanning/new-scanning-engine/#for-pipeline-deploy-the-inline-scanner
Sysdig Image analyzer has been updated to
Sysdig Host Analyzer has been updated to
Documentation – https://docs.sysdig.com/en/docs/installation/node-analyzer-multi-feature-installation/#node-analyzer-multi-feature-installation
Sysdig Secure Inline Scan for Github Actions
v3.2.0 is still the latest release, which we covered in our November edition.
Sysdig Secure Jenkins Plugin
v2.1.12 is still the latest release.
- Added reason to the description to the Kubernetes troubleshooting alert templates
- Fixed MongoDB Helm chart and wizard to work with the correct image and be able to use an existing secret
- Improved MongoDB prerequisites text
- Improved Consul integration for specific Prometheus config in Consul
- Replaced required metric for Postgresql with ‘pg_up’ to show PostgreSQL Instance Health Dashboard and integration metrics reporting status
- Added auto-fill scope to template Container CPU & Memory Limits
- Security updates in UBI images of the following exporters:
New Website Resources
- Will the Cloud Kill Security Agents?
- How to monitor Starlink with Prometheus
- Triaging A Malicious Docker Container
- Why is MFA important to your cloud account
- CVE-2022-0492: Privilege escalation vulnerability causing container escape
- Real-Time Threat Detection in the Cloud
- CVE-2022-0847: “Dirty Pipe” Linux Local Privilege Escalation
- IBM Z Application Environment Modernization with Sysdig
- Mitigating CVE-2022-0811: Arbitrary code execution affecting CRI-O
- Secure Containers and Eliminate Noise from Code to Production with Sysdig and Snyk
- Protecting Against Log4j Attacks in AWS Fargate
- Continuous Compliance on Azure
- CSPM Best Practices for Multi-Cloud: Beyond Native Tools
- Become a Certified K8s Security Specialist (CKS) in 2022! How to Pass with Saiyam Pathak, CNCF Ambassador
- Containerized AppSec from Code to Production w/ Snyk, Sysdig and AWS
- MARCH 1-MAY 20, Cloud Security Demo Forum, Virtual
- MARCH 2-3, Cloud & Cyber Security Expo, Excel, London
- MAY 16, Cloud Native eBPF DAY, Valencia, Spain
- MAY 16-17, Cloud Native SecurityCon, Valencia, Spain
- MAY 17, Prometheus Day Europe, Valencia, Spain
- MAY 17-20, KubeCon, Valencia, Spain