Welcome to another edition of What’s New in Sysdig in 2022! The “What’s new in Sysdig” blog is now under my control! Hello, I’m Wes MacKay, a Sales Engineer based out of Dallas, TX working with the Sysdig US West Corporate team. I’m way too passionate about containerization, personal cloud storage, and automating my home life. In my spare time, I’m always looking for better Thai and Sushi restaurants in my area.
This month’s highlights include Sysdig Advisor, a new Sysdig Monitor feature for faster Kubernetes troubleshooting, and Container Drift, which detects code that appears or changes inside a container at runtime.
Sysdig Platform Architecture
Sysdig Platform Audit Trail
We are happy to announce that the Sysdig Platform now includes an Audit Trail that tracks, logs, and reports on all changes made in the system. It is enabled by default for all SaaS customers. Event forwarding support for Audit Trail records will follow in the near future.
For additional information, please visit our Release notes for Secure and Monitor.
Sysdig for Cloud
Sysdig earned the AWS Well-Architected Partner badge in the “Security Management” category and has been added to the Management and Governance Cloud Environment Guide.
Sysdig Monitor
Advisor
We’re excited to announce Advisor, a new Kubernetes troubleshooting product in Sysdig Monitor that accelerates troubleshooting by up to 10x. Advisor displays a prioritized list of issues together with the relevant troubleshooting data, surfacing the biggest problem areas and reducing time to resolution.
Advisor is now available to all customers at no additional cost, and additional troubleshooting features will be added over the coming weeks.
Enhanced Metric Store
Sysdig has launched its next-generation metric store, introducing a number of new features as well as changes to, and removal of, some existing features in Sysdig Monitor.
Some improvements include:
- Metrics are now unified under a Prometheus-compatible naming convention.
- Existing dashboards, alerts, and notifications are migrated automatically to the new naming convention.
- Queries perform faster and handle larger volumes of data.
- Number panels, tables, histograms, and toplist panels can now show the latest value for an entity.
- Metrics with different scrape intervals, for example 10s and 1m, can be displayed on the same graph.
Check out the Release Notes for the full list of new and changed features.
Sysdig Secure
Falco Rules
v0.67.1 is the latest version. Here are some highlights of the changes since v0.50.5, which we covered in April.
Added the following rules:
- Tampering with Security Software in Container
- Execution of binary using ld-linux
- Possible Backdoor using BPF
Further details and the full changelog can be found on Sysdig documentation.
Sysdig Agents
The latest Sysdig Agent release is v12.5.0. Below is a summary of the changes since v12.2.0, which we covered in our last update.
- Default Availability of Slim Agent
- Container DriftControl: Detect and Prevent Drift in Container Runtime
- Disable Syscalls for Secure Modes
Please refer to our v12.5.0 Release Notes for further details.
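The Falco rule names listed above (execution through the ld-linux loader, a possible BPF backdoor) and the new Container Drift feature all describe runtime behaviours a sensor can recognise from process and syscall events. The following is an added example, written for this post and not taken from Sysdig’s or Falco’s own rule sets, that shows the core of each check as plain Python over constructed events. The event shape, the container IDs, the image baseline and the sample events are all assumptions made for the illustration; the only real constant is BPF_PROG_LOAD = 5 from the bpf(2) interface.

```python
"""Added example: a toy runtime detector that flags execution through the
ld-linux loader, BPF program loads from inside a container, and container
drift, over constructed process events.  This illustrates the detection
logic only; it is not Sysdig's or Falco's rule code, and the event shape,
container IDs and image baseline are assumptions made for the example."""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# From <linux/bpf.h>: the bpf(2) cmd value for BPF_PROG_LOAD.
BPF_PROG_LOAD = 5


@dataclass
class Event:
    """Minimal stand-in for a syscall event as a runtime sensor might emit it."""
    kind: str                     # "execve" or "bpf"
    container: str                # container id, or "" for a host process
    exe: str                      # path of the executing program
    args: list[str] = field(default_factory=list)  # argv for execve events
    bpf_cmd: int = -1             # bpf(2) cmd for bpf events


# Constructed baseline: executables that shipped in each container's image.
# The dynamic loader itself is part of the image, so it is in the baseline.
IMAGE_BASELINE = {
    "c1": {"/usr/bin/python3", "/bin/sh", "/usr/bin/curl",
           "/lib64/ld-linux-x86-64.so.2"},
}


def is_ld_linux_exec(ev: Event) -> bool:
    """The loader is the program being exec'd and argv[1] is the real binary.
    Running a file this way sidesteps a missing exec bit and hides the real
    binary behind the loader's process name."""
    return (ev.kind == "execve"
            and os.path.basename(ev.exe).startswith("ld-linux")
            and len(ev.args) > 1)


def is_bpf_prog_load_in_container(ev: Event) -> bool:
    """Loading a BPF program from inside a container is rare for ordinary
    workloads and is a known way to plant a kernel-level backdoor."""
    return ev.kind == "bpf" and bool(ev.container) and ev.bpf_cmd == BPF_PROG_LOAD


def executed_path(ev: Event) -> str:
    """Binary that actually runs: unwrap the loader so drift cannot hide behind it."""
    return ev.args[1] if is_ld_linux_exec(ev) else ev.exe


def is_drift(ev: Event, baseline: dict[str, set[str]]) -> bool:
    """Drift: a container executes a binary that was not in its image."""
    if ev.kind != "execve" or not ev.container:
        return False
    allowed = baseline.get(ev.container)
    if allowed is None:          # no baseline for this container: cannot judge
        return False
    return executed_path(ev) not in allowed


def evaluate(events: list[Event],
             baseline: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (rule, container, path) findings in event order."""
    findings: list[tuple[str, str, str]] = []
    for ev in events:
        if is_ld_linux_exec(ev):
            findings.append(("ld-linux exec", ev.container, ev.args[1]))
        if is_bpf_prog_load_in_container(ev):
            findings.append(("bpf prog load", ev.container, ev.exe))
        if is_drift(ev, baseline):
            findings.append(("drift", ev.container, executed_path(ev)))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("execve", "c1", "/usr/bin/python3", ["python3", "app.py"]),
    Event("execve", "c1", "/lib64/ld-linux-x86-64.so.2",
          ["ld-linux-x86-64.so.2", "/tmp/.x/payload"]),
    Event("execve", "c1", "/tmp/dropped", ["dropped"]),
    Event("bpf", "c1", "/tmp/dropped", bpf_cmd=BPF_PROG_LOAD),
    Event("bpf", "", "/usr/sbin/bpftrace", bpf_cmd=BPF_PROG_LOAD),  # host tooling
    Event("execve", "c1", "/bin/sh", ["sh", "-c", "curl -s http://127.0.0.1/health"]),
]

if __name__ == "__main__":
    for rule, container, path in evaluate(SAMPLE_EVENTS, IMAGE_BASELINE):
        print(f"{rule:15s} container={container} path={path}")
```

The point worth noticing is the interaction between the two checks: a drift detector keyed only on the exec'd path would record the loader, which is legitimately part of the image, and miss the dropped payload; unwrapping ld-linux in executed_path is what lets the drift rule see the real binary. The host-side bpftrace event is deliberately not flagged, since the BPF check is scoped to container processes.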
SDK, CLI and Tools
Sysdig CLI
v0.7.14 is still the latest release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:
https://sysdiglabs.github.io/sysdig-platform-cli/
Python SDK
v0.16.3 is still the latest release, which we covered in our October update.
https://github.com/sysdiglabs/sysdig-sdk-python/releases/tag/v0.16.3
Terraform Provider
v0.5.37 is the newest release.
Documentation – https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs
Github link – https://github.com/sysdiglabs/terraform-provider-sysdig
Terraform Modules
AWS Sysdig Secure for Cloud: v0.8.2 is still the latest release.
GCP Sysdig Secure for Cloud: v0.8.5 is still the latest release.
Azure Sysdig Secure for Cloud: v0.8.0 is still the latest release.
- Note: Azure Sysdig Secure for Cloud includes a breaking change to align to the new v3.0 version of the AzureRM Provider.
Falco VS Code Extension
v0.1.0 continues to be the latest release.
https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0
Sysdig Cloud Connector
Sysdig Cloud Connector has been updated to v0.16.8.
Features include:
- Allow setting cloud connector configuration and log_level via environment vars
- Cloud Risk Assessment
Check the full list of changes to get the full details.
Admission Controller
Sysdig Admission Controller has been updated to v3.9.2.
This release adds one change:
- Do not show standard HTTP server errors unless debug is enabled
Documentation – https://docs.sysdig.com/en/docs/installation/admission-controller-installation/
Runtime Vulnerability Scanner
The new vuln-runtime-scanner has been updated to v1.0.3.
This release contains the following change:
- Optimized requests performed on the Kubernetes API
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/runtime
Sysdig CLI Scanner
The Sysdig CLI Scanner binary has been updated to v1.0.2.
Note: If you are using this binary for local scanning in your development environment or your pipeline does not automatically pull the latest binary, we recommend you update. Follow the instructions in the documentation to retrieve the latest binary. The documented steps work well in a pipeline too when your CI/CD pipelines can access the Internet.
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/
Image Analyzer
Sysdig Image analyzer has been updated with security patches.
The new release is v0.1.17
Host Analyzer
Sysdig Host Analyzer has been updated with security patches.
The new release is v0.1.7
Documentation – https://docs.sysdig.com/en/docs/installation/node-analyzer-multi-feature-installation/#node-analyzer-multi-feature-installation
Sysdig Secure Inline Scan for Github Actions
v3.2.0
is still the latest release, which we covered in our November edition.
https://github.com/marketplace/actions/sysdig-secure-inline-scan
Sysdig Secure Jenkins Plugin
A new version of the plugin has been released: v2.1.14.
Changes from our last report:
- fix: customize connection timeout and allow ping.
- Filter for severity and fixable on vulnerabilities table.
- Ability to download vulnerabilities table in csv format.
- Show policy name on policy table.
- Display warning error when json files needed for generating tables are not present.
- Add explicit dependency to apache.commons.lang3 for docker-java-core (#52).
- Fixes issues with missing class in some environments.
https://plugins.jenkins.io/sysdig-secure/
Prometheus Integrations
Integrations:
- feat: Updated helm charts with new exporters image tags for security updates
- fix: Added filter to drop Portworx metrics in Prometheus default job
- fix: Added label kube_namespace_name correctly to kubelet PVC metrics
- feat: Updated the exporter image tags in the helm charts
- feat: Optimized metrics sent by Kubelet and kubelet-PVC jobs
- feat: Increased scrape interval of Kubelet to one minute
- refactor: In KSM helm chart, removed remote-write label in KSM recording rules which are not needed in dashboards or alerts
- fix: Dashboard names in list of dashboards of an integration
- fix: Improved documentation and fix typos in integration wizard
- fix: Changed the nginx-ingress metric used to detect whether the integration is reporting to nginx_ingress_controller_nginx_process_cpu_seconds_total, as this metric is always present
- fix: Improved CoreDNS Prometheus job to be detected in IKS clusters
- fix: Changed troubleshooting metrics in some integrations for metrics inside the filter of the Prometheus job
Dashboards and alerts:
- feat: Added Kubernetes scope to troubleshooting dashboard templates
- feat: Deprecated the legacy troubleshooting dashboard templates for MongoDB and SQL
- fix: Removed unhelpful disks from the ‘Kubernetes Node Status & Performance’ dashboard
- fix: Added filter to exclude containers FS in ‘File System Usage & Performance’ dashboard template. Also added cluster scope and changed table panel position.
- fix: Typo in Dashboards: “Workload Status & Performance” and “KSM Workload Status & Performance”
- fix: In Dashboard “Workload Status & Performance”, removed the scope of method in the “HTTP Requests Count per Workload” panel
- fix: Fixed query in “Unused Requested CPU by all Replicas of a container“ panel in “Cluster Capacity Planning” Dashboard
- fix: Removed duplicate files for the “PVC and Storage” dashboard template
- fix: Text in banner for Workload Kubernetes dashboard template
- feat: Changed OOTB K8s dashboards to use “is” rather than “in” scoping to improve performance. Dashboards changed:
- Cluster/Namespace Available Resources
- Cluster Capacity Planning
- Pod Rightsizing & Workload Capacity Optimization
- Pod Scheduling Troubleshooting
- Kubernetes HPA
- fix: In Cluster Capacity Planning dashboard, only added the containers with limits/requests in certain panels
- fix: In the “Kubernetes CoreDNS” dashboard, reviewed the “job” label used in some panels
Exporter images:
- New exporter images with security updates:
- JMX:
- quay.io/sysdig/promcat-jmx-exporter:v0.16.5
- quay.io/sysdig/promcat-jmx-exporter:v0.16.5-ubi
- MySQL:
- quay.io/sysdig/mysql-exporter:v0.13.5
- quay.io/sysdig/mysql-exporter:v0.13.5-ubi
- Memcached:
- quay.io/sysdig/memcached-exporter:v0.9.3
- quay.io/sysdig/memcached-exporter:v0.9.3-ubi
- Nginx:
- quay.io/sysdig/nginx-exporter:v0.9.3
- quay.io/sysdig/nginx-exporter:v0.9.3-ubi
- MongoDB:
- quay.io/sysdig/mongodb-exporter:v0.11.7
- quay.io/sysdig/mongodb-exporter:v0.11.7-ubi
- ElasticSearch:
- quay.io/sysdig/elasticsearch-exporter:v1.3.2
- quay.io/sysdig/elasticsearch-exporter:v1.3.2-ubi
- PostgreSQL:
- quay.io/sysdig/postgresql-exporter:v0.10.6
- quay.io/sysdig/postgresql-exporter:v0.10.6-ubi
- Apache:
- quay.io/sysdig/apache-exporter:v0.10.5
- quay.io/sysdig/apache-exporter:v0.10.5-ubi
- Redis:
- quay.io/sysdig/redis-exporter:v1.31.6
- quay.io/sysdig/redis-exporter:v1.31.6-ubi
- Grok:
- quay.io/sysdig/grok-exporter:v1.0.2
- quay.io/sysdig/grok-exporter:v1.0.2-ubi
Promcat.io:
- Added Prometheus annotations to nginx-controller setup guide
Sysdig On-Premise
The 5.1.0 On-Premise minor release remains the latest.
The full release notes can be found here: Sysdig Docs or Github
New Website Resources
Blogs
- Shift left is only part of secure software delivery
- Improving AWS Security Services with Sysdig Secure
- Killnet Cyber Attacks Against Italy and NATO Countries
- Building on Sysdig’s Open Source Foundation
- New release of Sysdig Open Source leverages Falco plugins
- Sysdig Advisor: Making Kubernetes troubleshooting effortless
- Trends at Blackhat Asia 2022 – Kubernetes, Cloud Security and more
- Prometheus 2.35 – What’s new?
- Ten considerations for securing cloud and containers
- Hunting AWS RDS Security Events with Sysdig
- Compromising Read-Only Containers with Fileless Malware
- Beekeeper Serves Up Secure Communications, Data, and Applications Across Cloud Environments with Sysdig
- Monitor and troubleshoot Consul with Prometheus
Webinars
- Manage Excessive Permissions and Entitlements in AWS
- CIS compliance for Azure
- Automatically Prioritize Vulnerabilities Using Runtime Intelligence
- Container and Kubernetes Security Best Practices: Forensics & Incident Response
- CSPM Best Practices for Multi-Cloud: Beyond Native Tools
Tradeshows
- March 1 – May 20, Cloud Security Demo Forum, Virtual
- April – August, AWS Summit, Americas
- April – May, AWS Summit, Europe, Middle East, Africa
- May 10, Dockercon, Virtual
- May 10-11, Red Hat Summit, Virtual
- May 16, Cloud Native eBPF DAY, Valencia, Spain
- May 16-17, Cloud Native SecurityCon, Valencia, Spain
- May 17, Prometheus Day Europe, Valencia, Spain
- May 17-20, KubeCon, Valencia Spain
- June 6-9, RSA Conference 2022, San Francisco CA
- June 7-9, SUSECON Digital, Virtual
- June 14, DevSec Con 24, Virtual