What’s new in Sysdig – March 2022


Welcome to another iteration of What’s New in Sysdig in 2022! The “What’s new in Sysdig” blog has fallen to me, Jason Donahue, for the month of March! I am a Solutions Engineer based in New Jersey and a member of the Sysdig US East Enterprise team since September 2021. I have worn many hats in my career, from networking to systems administration to software engineering. No matter what my role is, I have always had a focus on security and love building tools to make my job, and that of my colleagues, easier.

This month’s highlights include a couple of video tours showing off the new Sysdig UI. We introduced the new UI in last month’s blog, but this month we have some videos highlighting what has changed.

First up, we have Sysdig Secure:

Next is Sysdig Monitor:

In security news, we saw the new vulnerability CVE-2022-0847, also known as “Dirty Pipe.” This is a local privilege escalation flaw in the Linux kernel. To read more about this vulnerability, and how Sysdig Secure can alert on it, read our blog post CVE-2022-0847: “Dirty Pipe” Linux Local Privilege Escalation.

Secure your Cloud with MFA and CIEM

This month, we released a blog emphasizing the importance of multi-factor authentication for your cloud accounts. The blog goes into detail about the many ways a password can be obtained, whether it’s through a brute force attack, credential leak, or phishing attack. MFA helps prevent a potential disaster by adding an additional layer of security to your accounts.

Relatedly, Sysdig Secure now includes User Risk Labels to help quickly identify common user misconfigurations, including accounts with MFA disabled. Read more about this new feature below.

Sysdig Secure

New CIEM Features

We are happy to announce that a new set of features is available to customers leveraging our CSPM for CIEM.

User Risk Labels

Risk labels are now available to highlight insecure attributes of specific Users and Roles in your Cloud Accounts. They are listed on the Users and Roles page and within the User Details tab of a specific user.

User risk labels in Sysdig Secure

Trend Charts in Overview

Charts are now available to show trends over time within the Overview tab of the Identity and Access section of the UI. These charts help visualize your permission trends over time for Users, Policies, and Resources.

Trend charts in Sysdig Secure Overview

CSV Report Export

All reports and pages within the Identity and Access section of the UI can now be exported to a CSV File. You can select the Download CSV button found at the top right corner of all pages.

Effective Permission Calculation

AWS supports several types of policies that limit permissions at different scopes. You can now use Sysdig to calculate effective permissions that take permissions boundaries and organizational SCPs into account. This additional context, shown when you view the permissions of an identity, gives a better understanding of the permission level those objects actually have.

Effective permission calculation in Sysdig Secure
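To make the idea of "effective" permissions concrete, here is an added, simplified model of how AWS combines an identity-based policy, a permissions boundary and an organizational SCP. This is illustrative code written for this post, not Sysdig's implementation and not the AWS evaluation engine: it ignores resource ARNs, conditions, resource-based and session policies, and models each policy as a list of Allow/Deny statements over action patterns. The sample policies and action names below are constructed for the example.

```python
"""Simplified model of AWS effective-permission evaluation across an
identity policy, a permissions boundary and a service control policy (SCP).
Added illustration only; it is not Sysdig's or AWS's implementation and it
ignores resources, conditions, resource-based and session policies."""

from fnmatch import fnmatchcase


def _matches(pattern, action):
    # IAM action patterns are case-insensitive and support '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy."""
    outcome = None
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny in a policy is final
            outcome = "Allow"
    return outcome


def is_effectively_allowed(action, identity_policy, boundary=None, scp=None):
    """Effective decision for one action of an IAM user or role.

    Rules modelled (a simplification of AWS policy evaluation logic):
      1. An explicit Deny in any applicable policy denies the action.
      2. Otherwise the action must be allowed by the SCP (if present),
         by the permissions boundary (if present) and by the identity policy.
    """
    decisions = [_decision(identity_policy, action)]
    if boundary is not None:
        decisions.append(_decision(boundary, action))
    if scp is not None:
        decisions.append(_decision(scp, action))
    if "Deny" in decisions:
        return False
    return all(d == "Allow" for d in decisions)


def effective_actions(candidates, identity_policy, boundary=None, scp=None):
    """Subset of the candidate actions the identity can actually perform."""
    return sorted(
        a for a in candidates
        if is_effectively_allowed(a, identity_policy, boundary, scp)
    )


# Constructed sample policies (not taken from any real account).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:*", "ec2:DescribeInstances", "iam:CreateUser"]},
]}
PERMISSIONS_BOUNDARY = {"Statement": [
    # The boundary never grants iam:*, so iam:CreateUser is not effective.
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"]},
]}
SERVICE_CONTROL_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    # Organization-wide guardrail: nobody may delete buckets.
    {"Effect": "Deny", "Action": "s3:DeleteBucket"},
]}
CANDIDATES = ["s3:GetObject", "s3:DeleteBucket", "ec2:DescribeInstances",
              "ec2:RunInstances", "iam:CreateUser"]

if __name__ == "__main__":
    print("identity policy alone:",
          effective_actions(CANDIDATES, IDENTITY_POLICY))
    print("with boundary and SCP:",
          effective_actions(CANDIDATES, IDENTITY_POLICY,
                            PERMISSIONS_BOUNDARY, SERVICE_CONTROL_POLICY))
```

Looking only at the identity policy, the user appears able to create IAM users and delete buckets; once the boundary and SCP are applied, only `s3:GetObject` and `ec2:DescribeInstances` remain, which is the gap a "raw" permission view hides and an effective-permission view exposes.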

CIEM Data in Insights

Within the Cloud Activity and User Activity views in Insights, there is now an Identity and Access tab. This gives a high-level overview and an investigation mechanism for context from the IAM perspective.

CIEM data insights in Sysdig Secure

Data Sources Instrumentation

On the Data Sources > Managed Kubernetes page, for unconnected clusters, Sysdig has added quick instrumentation instructions that use the known details about the cluster, such as the cloud account, region, and cluster name.

Falco Rules

Falco 0.31.1 is the latest and greatest version of the Falco engine released. Some great new features include the ability to specify multiple --cri command line options for different socket paths, and added resilience against TOCTOU-type attacks that can lead to rule bypasses.

Some additional highlights are below:

  • A new drop category called n_drops_scratch_map
  • Refactoring of userspace/falco
  • Updates to existing and new rules

There’s so much more, and you can find all the details in the release blog post, official changelog, and Sysdig documentation.

Sysdig Agents

The latest Sysdig Agent release is v12.3.1. Below is a summary of updates since v12.2.1, which we covered in our last update.

  • Defect Fix: Silencing noisy messages from the kernel that could generate spam when the syscall event buffer is full.
  • New Category for Falco Baseline called “binaries.”
  • Support for Workload Information from the Falco Baseline.
  • Added default monitoring of Kubernetes resources such as “persistentvolumeclaims,” “storageclasses,” and “horizontalpodautoscalers.”

Please refer to our v12.3.1 Release Notes for further details.

SDK, CLI, and Tools

Sysdig CLI

v0.7.14 is still the latest release (Download Link). The instructions on how to use the tool and the release notes from previous versions are available at the following link:

https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

v0.16.3 is still the latest release, which we covered in our October update.

https://github.com/sysdiglabs/sysdig-sdk-python/releases/tag/v0.16.3

Terraform Provider

The Terraform Provider has been updated and the latest version is v0.5.36.

Documentation – https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs

Github link – https://github.com/sysdiglabs/terraform-provider-sysdig

Falco VS Code Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

Sysdig Cloud Connector has been updated to v0.16.2.

Bug Fixes

  • Correct origin annotations when requesting a scan through the Admission Controller.
  • Do not stop AWS event ingestion on timeouts.

Features

  • Allow the dispatcher to identify the event time included in auditor events.

Check the full list of changes to get the full details.

Admission Controller

Sysdig Admission Controller has been updated to v3.8.7.

Documentation – https://docs.sysdig.com/en/docs/installation/admission-controller-installation/

Inline Scanner

Sysdig Inline Scanner has been updated to v2.4.9.

Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/scanning/new-scanning-engine/#for-pipeline-deploy-the-inline-scanner

Image Analyzer

Sysdig Image analyzer has been updated to v0.1.16.

Host Analyzer

Sysdig Host Analyzer has been updated to v0.1.6.

Documentation – https://docs.sysdig.com/en/docs/installation/node-analyzer-multi-feature-installation/#node-analyzer-multi-feature-installation

Sysdig Secure Inline Scan for Github Actions

v3.2.0 is still the latest release, which we covered in our November edition.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

v2.1.12 is still the latest release.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Integrations

  • Added the reason to the description of the Kubernetes troubleshooting alert templates
  • Fixed MongoDB Helm chart and wizard to work with the correct image and be able to use an existing secret
  • Improved MongoDB prerequisites text
  • Improved Consul integration for specific Prometheus config in Consul
  • Replaced the required metric for PostgreSQL with ‘pg_up’, used to show the PostgreSQL Instance Health Dashboard and the integration’s metrics reporting status

Dashboards

  • Added auto-fill scope to template Container CPU & Memory Limits

Exporter images

  • Security updates in UBI images of the following exporters:
    • JMX:
      • quay.io/sysdig/promcat-jmx-exporter:v0.16.4-ubi
      • quay.io/sysdig/promcat-jmx-exporter:v0.16.4
    • MySQL:
      • quay.io/repository/sysdig/mysql-exporter:v0.13.4-ubi
      • quay.io/repository/sysdig/mysql-exporter:v0.13.4
    • Memcached:
      • quay.io/repository/sysdig/memcached-exporter:v0.9.2-ubi
      • quay.io/repository/sysdig/memcached-exporter:v0.9.2
    • Nginx:
      • quay.io/repository/sysdig/nginx-exporter:v0.9.2-ubi
      • quay.io/repository/sysdig/nginx-exporter:v0.9.2
    • MongoDB:
      • quay.io/repository/sysdig/mongodb-exporter:v0.11.6-ubi
      • quay.io/repository/sysdig/mongodb-exporter:v0.11.6
    • ElasticSearch:
      • quay.io/repository/sysdig/elasticsearch-exporter:v1.3.1-ubi
      • quay.io/repository/sysdig/elasticsearch-exporter:v1.3.1
    • PostgreSQL:
      • quay.io/repository/sysdig/postgresql-exporter:v0.10.5-ubi
      • quay.io/repository/sysdig/postgresql-exporter:v0.10.5
    • Apache:
      • quay.io/repository/sysdig/apache-exporter:v0.10.4-ubi
      • quay.io/repository/sysdig/apache-exporter:v0.10.4

New Website Resources

Blogs

Webinars

Tradeshows

Workshops
