December 17, 2021
Update on Log4j Vulnerability (CVE-2021-44228)
Sysdig confirms that all services that compose Sysdig’s Cloud Platform running Apache’s vulnerable Log4j library have been patched to 2.16. We have not detected any successful attempts at exploitation of this attack vector during that time window.
December 15, 2021
Update on Log4j Vulnerability (CVE-2021-44228)
The sysdig agent does not include the Log4j library
Sysdig is using an alternative framework for logging called Logback. The logback framework isn’t vulnerable to this issue.
Sysdig components include a log4j library in our standard distribution that was vulnerable. This library is included for compatibility reasons only, is not used for primary logging, and our security team has determined we are not vulnerable based on our application architecture and existing mitigating controls.
Sysdig can confirm that all services that compose Sysdig’s Cloud Platform running Apache’s vulnerable Log4j library have been patched to the latest version or adds additional mitigating controls suggested by vendors. We have not detected any successful attempts at exploitation of this attack vector during that time window.
Details regarding upgrades We:
- explicitly set
- update all of
December 15, 2021
Sysdig Secure for Azure
Sysdig is pleased to announce the general availability of the Sysdig Secure for cloud capabilities for Azure.
- Cloud Security Posture Management (CSPM): Based on CIS benchmarks tailored for your assets
- Cloud Threat Detection: Identify threats in your Azure environment using Falco rules for Azure
- Event Hub: Fully managed, real-time data ingestion service that’s simple, trusted, and scalable
- Image Vulnerability Scanning: Automatic vulnerability scanning of images pushed to Azure Container Registry and images executed on Azure Container Instance Group.
For details, see Deploy Sysdig Secure for cloud on Azure.
December 12, 2021
A Statement on Log4j vulnerability (CVE-2021-44228)
Security researchers recently disclosed the vulnerability CVE-2021-44228 in Apache’s log4j, which is a common Java-based library used for logging purposes
Sysdig is using an alternative framework for logging called Logback. The logback framework isn’t vulnerable to this issue.
Sysdig components include a log4j library in our standard distribution that appears to be vulnerable. It has been confirmed that this library is included for compatibility reasons only and is not used for primary logging. As a result this should not pose any risks.
Patches will be provided to upgrade the log4j libraries that are included for compatibility reasons.
If you have any questions or concerns, please reach out to your Sysdig contact.
December 1, 2021
Image Analyzer 0.1.15 Inline Scanner 2.4.8 Released
Release 0.1.15 of the Node Image Analyzer
Release 2.4.8 of the Sysdig Inline Scanner
- Updated to the latest security fixes
- Fixed support for
USER, and other instructions when the image is built using
November 5, 2021
Improved Handling of Forwarded Benchmark Events
Forwarded benchmark events now include AWS tags as key-value pairs (rather than a flattened string), making them easier to consume.
November 2, 2021
Inline Scanner 2.4.7 Update
libseccomp >= 2.3.3(on the Host/JenkinsWorker - where the docker command is executed)
- docker version >
Fixed support for
USER, and other instructions when image is built.
October 27, 2021
Cloud Infrastructure Entitlements Management (CIEM) for AWS
Sysdig Secure has added Permissions and Entitlements Management functionality. You can find it under Posture menu tab.
By combining the CIEM capabilities announced today with Sysdig’s existing capabilities, Sysdig customers can proactively prevent cloud permissions risks, scan for vulnerabilities and misconfigurations, and detect and respond to attacks across container and cloud environments.
- Gain visibility into all cloud identities and their privileges: get a comprehensive view into access permissions across all AWS users and services
- Enforce least privilege: eliminate excessive permissions by applying least-privilege policies to users and services with automatically generated IAM policies. Sysdig proposes policies based on analyzing which entitlements are granted versus which are actually used.
- Simplify audit of access controls to meet compliance requirements: use reports for regular access reviews to evaluate active and inactive user permissions and activity.
- Documentation: Permissions and Entitlements
- Watch: Remediating Excessive IAM permissions in less than 2 minutes with Sysdig Secure
- Blog: Cloud Infrastructure Entitlements Management (CIEM) with Sysdig Secure
- Learn more about Sysdig CIEM capabilities • https://sysdig.com/use-cases/ciem-cloud-infrastructure-entitlements-management/)
October 26, 2021
New Secure Event Forwarder Integrations: Google Chronicle, Google Pub/Sub & Amazon SQS
An extended set of output data integrations has been added to Sysdig Secure’s Event Forwarder functionality, in particular:
- Integration with Google Chronicle. NOTE: Only Runtime policy events are available as data to send at this moment.
- Integration with Google Pub/Sub and Amazon SQS, which can be used as temporary storage that will adapt the EFO push behaviour into a data pull endpoint.
October 25, 2021
Sysdig Secure for GCP
Sysdig is pleased to announce the general availability of the Sysdig Secure for cloud capabilities for GCP.
- Cloud Security Posture Management (CSPM): Based on CIS benchmarks tailored for your assets
- Cloud Threat Detection: Identify threats in your GCP environment using Falco rules for GCP
- Audit Logs: Google Security Command Center integration to forward threats identified by Falco rules.
- Image Vulnerability Scanning: Automatic vulnerability scanning of images pushed to Google Container Registry, Google Artifact Registry and images executed on Google Cloud Run.
- Chronicle Integration: Events forwarding to Google Chronicle.
- Installation via GCP Marketplace: You can install Sysdig from the GCP marketplace and pay using the payment method and credit of your GCP account.
See full details: Sysdig Secure for cloud and Deploy Sysdig Secure for cloud on GCP.
October 13, 2021
New Scanning Engine (Technology Preview)
Sysdig Secure is developing a new scanning engine that will deliver major improvements, additional capabilities, and scanning-centric workflows.
The first iteration is available to test and provides:
- Much faster scan times: 4x to 10x faster initial image analysis
- Extended vulnerability data, including CVSS scores, vectors containing the full exploitability data, availability of an associated public exploit, etc.
- Inline scanner available as a stand-alone binary, no longer requires spawning a container
- Better remediation advice, including ‘Which packages are the worst offenders in my image? Considering all the possible fix versions, which one should I apply?’
- Improved, more intuitive user experience, with faster response times
Important: The new engine is still on “Preview” phase.
- Not suitable for production. There is no forward compatibility guarantee for the data or configuration (yet)
- Testing the new scanning preview will NOT affect any existing scanning workflows that leverage the current scanning backend. It is safe to enable the preview on any account.
- Additional fundamental components are still in development; they will be released in an upcoming version.
To test the new engine, simply enable the flag under Settings >User Profile>Sysdig Labs.
See New Scanning Engine to download the Inline Scanner binary and begin.
September 17, 2021
Date Columns Added for Scheduled Scanning Reports
In Sysdig Secure, the Scheduled Reports for Scanning now display additional vulnerability metadata for both runtime and registry reports.
- Disclosure date: Time when the vulnerability information was registered in the feed
- Solution date: Time when the fix version for this vulnerability (if any) was registered in the feed
To avoid breaking compatibility with existing reports and external instrumentation, these fields will only be available for newly created reports; existing Scheduled reports (even if they are modified and saved again) will not contain these columns.
September 8, 2021
New and Updated Compliance Standards
Sysdig Secure has added three new compliance standards and updated another. See also: Compliance
Updates to PCI DSS v3.2.1 Compliance for Workload
We have implemented some changes to the PCI DSS v3.2.1 for workload compliance checks. The control coverage for PCI is now: 1.1.2, 1.1.3, 1.1.5, 1.1.6.b, 2.2, 2.2.a, 2.2.1, 2.2.2, 2.4, 2.6, 4.1, 6.1, 6.2, 6.4.2, 6.5.1, 6.5.6, 6.5.8, 7.2.3, 10.1, 10.2, 10.2.1, 10.2.5, 10.2.7, 10.5.5, 11.5.1
Check for Network Security enabled added to controls 1.1.2, 1.1.3 and 1.1.5
Check for Kubernetes audit enabled added to controls 4.1, 6.4.2 and 6.5.8
Outbound or Inbound Traffic not to Authorized Server Process and Portadded to control 2.2.1
Attach to cluster-admin Roleadded to controls 7.2.3 and 10.5.5
Terminal shell in containeradded to controls 10.1 and 10.2.1
ClusterRole With Pod Exec Created,
ClusterRole With Wildcard Createdand
ClusterRole With Write Privileges Createdadded to control 10.2
Launch Privileged Containeradded to control 10.2.5
Container Drift Detected (chmod)and
Container Drift Detected (open+create)added to control 11.5.1
All K8s Audit Eventsrule removed from controls 10.1, 10.2, 10.2.1, 10.2.7
New PCI DSS v3.2.1 Compliance for AWS
The PCI Quick Reference describes the full range of controls required to pass a PCI 3.2 audit. In this release, Sysdig Secure will add the following controls.
For AWS protection: 2.2, 2.2.2, 10.1, 10.2.1, 10.2.2, 10.2.5, 10.2.6, 10.2.7, 10.5.5, 11.4
New AWS Well Architected Framework Compliance
The AWS Well Architected Framework whitepaper defines best practices to build secure, high-performing, resilient, and efficient infrastructure for applications and workloads.
For workload protection, Sysdig Secure will check the following sections: OPS 4, OPS 5, OPS 6, OPS 7, OPS 8, SEC 1, SEC 5, SEC 6, SEC 7, REL 2, REL 4, REL 5, REL 6, REL 10, PERF 5, PERF 6, PERF 7
For AWS protection, Sysdig Secure will check the following sectionsOPS 6, SEC 1, SEC 2, SEC 3, SEC 8, SEC 9, REL 2, REL 9, REL 10
New AWS Foundational Security Best Practices v1 (FSBP) Compliance
AWS Foundational Security Best Practices v1 (FSBP) describes the full range of controls to detect when your deployed accounts and resources deviate from security best practices.
For AWS protection, Sysdig Secure will check the following sections: AutoScaling.1, CloudTrail.1, Config.1, EC2.6, CloudTrail.2, DMS.1, EC2.1, EC2.2, EC2.3, ES.1, IAM.1, IAM.2, IAM.4, IAM.5, IAM.6, IAM.7, Lambda.2, GuardDuty.1
New NIST 800-171 rev2 Compliance
The National Institute of Standards and Technology (NIST) Special Publication 800-171 rev2 describes the full range of controls required to pass a NIST 800-171 audit. It provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.
For workload protection, Sysdig Secure will check the following sections:3.1.1, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.20, 3.3.1, 3.3.2, 3.3.5, 3.3.8, 3.3.9, 3.4.3, 3.4.5, 3.4.6, 3.4.7, 3.4.9, 3.5.1, 3.5.2, 3.11.2, 3.12.1, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.13.5, 3.13.6, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, 3.14.7
For AWS protection, Sysdig Secure will check the following sections:3.1.1, 3.1.2, 3.1.3, 3.3.1, 3.3.2, 3.3.7, 3.5.7, 3.5.8, 3.14.6, 3.14.7
September 2, 2021
New Terraform Onboarding Options for Secure for cloud
Users can now onboard Sysdig Secure for cloud with their AWS accounts (single or organizational) using Terraform. See the feature description and the deployment/onboarding instructions.
August 12, 2021
Inline Scanner 2.4.6 Released
Version 2.4.6 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.
- Added support for images with the (deprecated) manifest schema V1
July 30, 2021
Inline Scanner 2.4.5 released
Version 2.4.5 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.
- Fixed an edge case in which using the
--format jsoncaused a corrupted JSON output
July 28, 2021
Inline Scanner v2.4.4 Released
Version 2.4.4 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.
Bumped ClamAV version to latest (0.103.3).
Updated base image to get updated security fixes (July 2021)
Added retry mechanism when pulling images from registries
--write-json PATHoption to permit storing json log to file
Fixed Malware scan fails when image has not read the permissions on files
Fixed failure in getting images for registries that do not support tag listing
July 27, 2021
Admission Controller with Kubernetes Audit (
k8s_audit Falco rules)
Today we announce the general availability of the Kubernetes Audit functionality as part of the Sysdig Secure Admission Controller.
Kubernetes admission controllers provide operators the ability to validate and/or mutate incoming API requests. Admission controllers are a core functionality of Kubernetes, and many are enabled by default.
Sysdig Secure has long provided Kubernetes API security using
k8s_audit Falco rules to create policies against Kubernetes audit
logs. However, there have been some complications:
Many Kubernetes distros are opinionated in the way to collect and access logs, some using dynamic backends (deprecated in Kubernetes 1.19, but still available in OCP up to 4.3), while more vanilla approaches use webhooks, and cloud providers require a bridge to collect logs via their own logging streams.
Distros diverging from Falco:
With OCP 4.4+, we had no clear way to collect and validate audit logs against our Falco rules.
Tap directly in the Kubernetes API request via Admission Controllers and
use the existing
k8s_audit rules our customers have relied on for so
long. See the installation
July 2, 2021
Inline Scanner 2.4.3 Released
- Updated base image to get updated security fixes (June 2021).
- Fixed incorrect version detection for Apache Struts 2 packages which was leading to false positives.
July 1, 2021
Node Image Analyzer v0.1.13 Released
Version 0.1.13 of the Node Image Analyzer has been released.
This release comes with the following improvements:
Fixed a GKE- and ContainerID-specific bug where the node image analyzer couldn’t scan the image due to missing blobs
Implemented a few-second pause at startup to allow for Istio sidecars to complete the initialization before creating connections
- We use the Universal Base Image (UBI) Sysdig-approved image as the base, in order to ensure the highest patch level approved by our security team.
June 23, 2021
Enhancements to Compliance Module
Terminology note: Compliance standards are scoped to different platforms depending on the specific security rules they include, Broadly, these are divided into:
Workload types: Including any Falco rules for kernel system calls, Falco rules for Kubernetes audit logs, host benchmarks, and security features that affect hosts, containers, and kubernetes clusters
AWS/cloud type: Falco rules for CloudTrail and Cloud Custodian rules on Amazon Web Services
See also: Compliance.
Extended Existing Compliance Standards to AWS
For the following existing compliance standards, we have added rules for AWS cloud provider:
NIST 800-53 rev4 for AWS
NIST 800-53 rev5 for AWS
ISO 27001:2013 for AWS
SOC2 for AWS
HIPAA for AWS
Added New Compliance Standards
We have also added the following new compliance standards to Sysdig Secure’s offerings:
GDPR for AWS
GDPR for workload
NIST 800-190 for workload
Trimmed Excess Rules from Some Standards
Certain rules have been re-evaluated and were removed because they did not significantly contribute to the security posture:
Logged in without Using MFA(merged with
Console Login Without MFA)
Interpreted procs outbound network activity
Launch Suspicious Network Tool in Container
All K8s Audit Events
June 14, 2021
CIS RedHat OpenShift Container Platform v4 Benchmark
Support for CIS RedHat OpenShift Container Platform v4 Benchmark has been added to Sysdig Secure.
As part of this release Sysdig is allowing you to scan and validate compliance with 112 controls included in the CIS Bencmark requirements.
See also: Benchmarks
June 9, 2021
Sysdig Secure UX Improvements: “Investigate” Navigation & Activity Audit
Sysdig navigation just got a facelift. To help our Sysdig Secure users navigate easily, we:
Added the new menu item Network (previously found under the Policies menu), and
Grouped Activity Audit + Captures into Investigation to better describe the use-case it helps users resolve.
The Activity Audit module also got several interface and user experience improvements:
Runtime scope moved to the top to align with other Secure interfaces and allow more space for activity data
Activity types (
command) can now be filtered directly from the graph using the legend
Attributes of the displayed elements can be filtered directly from the list, without displaying the side detail panel
June 4, 2021
Kubernetes Network Security: New Configuration and Improved User Experience
Sysdig’s Kubernetes Network Policy tool has been updated to include additional fine-tuning configurations and an improved user experience.
Additional Configuration Panel
Workload Labels: Depending on your workload labelling policy, some labels may not be relevant for generating a KNP policy. Use the additional config to include/exclude a particular set of labels per cluster/namespace to declutter your UI and the resulting policy.
Unresolved IP Configuration: Now it is possible to label raw IPs that are not mapping to your Kubernetes/OpenShift entities, i.e. external cloud provider services, so these labels will be automatically applied to the topology and ingress / egress tables.
Cluster CIDR configuration: If the CIDR configuration is not automatically detected by the agent, you can now directly configure internal subnets per cluster using the Sysdig interface.
Topology map: Additional information pop-up when hovering over a network connection or a network node, such as server process, source, destination, and more.
Unresolved IP filtering: In the ingress and egress tables, by type or using free text search.
Additionally, Network is now presented as a top-level item in the Sysdig Secure navigation.
May 27, 2021
Falco Policy Tuner - Beta
Sysdig is now releasing a managed version of the standalone Falco Tuner.
Previously, you had to run the tuner in your local environment, print
suggestions, and manually update a rule with those suggestions. The new
feature runs in the background and automatically tunes noisy rules and
false positives. To streamline the creation of these exceptions, we’ve
created a new object within Falco called
Note: To enable the tuner, Admin access rights to Sysdig Secure are required.
Feature Enhancement: Falco Exceptions
Previously, exceptions were created using
and not conditions inside a
Falco rule, e.g.
- rule: Write below binary dir ... condition: > bin_dir and evt.dir = < and open_write and not package_mgmt_procs and not exe_running_docker_save and not python_running_get_pip and not python_running_ms_oms and not user_known_write_below_binary_dir_activities ....
However, this process can be unwieldy and can result in unintended behavior. The new format, using exceptions, looks like this:
- rule: Write below binary dir ... condition: bin_dir and evt.dir = < and open_write .... exceptions: - name: package_mgmt_procs fields: proc.name comps: in values: package_mgmt_binaries # list of known binaries ...
See the full documentation here.
May 19, 2021
Regulatory Compliance for ISO27001:2013 and HIPAA Now Available
Two new compliance standards have been added to Sysdig Secure’s compliance feature:
HIPAA (Health Insurance Portability and Accountability Act)
See also:Compliance for information about the specific controls Sysdig covers for each security standard.
Inline Scanner v2.4.1 Released
Version 2.4.1 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.
- Updated ClamAV version to 0.103.2 to avoid end-of-life problems present in the former version, such as failure in updating the antivirus database
type Descriptor Forwarding Activity Audit through Event Forwarder
The JSON payload when sending Activity Audit
elements through the Event
Forwarder will now contain an additional field name:
describes the type of the entry, respectively:
See also: Event Forwarding.
May 18, 2021
New and Improved Host OS and Container Scanning Tools
We at Sysdig are working hard to improve your security posture and compliance experience. As part of this commitment we are implementing a new framework to generate host benchmark results, introducing host scanning, and making backend improvements to the image scanning mechanism.
The new features require a new component to be installed called the Node Analyzer. We’ve provided an installation script to automate the installation or to upgrade an existing Node Image Analyzer daemonset, if applicable.
Once you’ve installed or updated the components, the UI will automatically show Host Scanning and new Benchmarks functionality (Legacy Benchmarks can still be accessed.)
Host Scanning: New
In addition to Sysdig Secure’s rich array of tools for scanning container images, you can now scan the hosts as well.
Scan hosts for vulnerabilities, and detailed Software Bill of Materials (SBoM)
Support for OS (e.g. rpm) and non-OS (e.g. Java, Ruby, Python) packages
Compare and diff scan results
Host Benchmarks: Updated
Clustered aggregations - understand the posture of your environments, not just a single entity
Image Scanning: Updated
- Automatically scan images if they have not been scanned
April 29, 2021
New Scan Results Page Layout
We have reorganized the visual layout of the Scan Results summaries to clearly distinguish policy evaluation from vulnerability matching and to better summarize the information.
Vulnerabilities and Policies are now two different sections in the UI
Vulnerability match update time is displayed to further distinguish from the Policy Evaluation time
Policy breakdown is collapsed by default to reduce cognitive load
Re-evaluate policies button is now located in the impacted section only, as opposed to whole page
Apart from the vulnerability update time, the data remains unchanged from previous versions
See also: Review Scan Results.
April 26, 2021
Inline Scanner v2.4.0 Released
Version 2.4.0 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.
- Updated base image to get updated security fixes.
HTTPS_PROXYenvironment variables support for malware scanning mode. This is required if you want to retrieve the malware database inline behind a proxy.
Added support for
.dockercfgrepository auth method, accessible via the
HTTP1.1by default to bypass a cURL bug.
Provided fix for an error when using the docker-daemon storage type with a docker UID different than 1000.
March 30, 2021
Sysdig Secure for cloud
Sysdig Secure for cloud is available with Cloud Risk Insights for AWS, Cloud Security Posture Management based on Cloud Custodian for AWS and multi-cloud threat detection for AWS using Falco.
What’s Included in this release:
Insights: a powerful new visualization tool for threat detection, investigation, and risk prioritization, to help identify compliance anomalies and ongoing threats to your environment. With Insights, all findings generated by Sysdig across both workload and cloud environments are aggregated into a visual platform that streamlines threat detection and forensic analysis.
Threat Detection based on AWS CloudTrail:To detect threats, anomalies and suspicious activities with the flexible Falco engine. See also: Sept 29, 2020.
Cloud Security Posture Management with AWS Benchmarks: The AWS CIS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results and remediation activities you need to fix misconfigurations in your cloud environment.
We’ve included several UI improvements to provide additional details such as: control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based.
Image Scanning for ECR and Fargate: one-click deployment – see also ECR April 13, 2020 and Fargate Sept. 28, 2020.
Free-Forever Cloud Security Tier
Sysdig is launching a new Free-forever cloud security tier for one single account.
Easy onboarding in minutes
Manage cloud posture with a daily run of CIS Benchmarks
Detect threats with out-of-the-box CloudTrail detection rules based on Falco
Scan containers (ECR/Fargate scanning) automatically and within your cloud environment for upto 250 images a month
March 24, 2021
Image Scanning Reports v3 [BETA]
The Image Scanning Reports feature has been thoroughly updated and has moved from a synchronous model to an asynchronous mode, in which you schedule the reports you need and then receive them through your normal notification channels (email, Slack, webhook.). The new version also includes:
A preview function to check report structure in the UI
A more advanced query builder
Extended set of data columns (i.e. CVSS base score and vector) and extended set of available filters (i.e. package type)
Reporting v3 supports two different types or reports:
Vulnerability report: Containing vulnerability, package and image data
I.e. Vulnerabilities in my runtime with
Severity ≥ High, a Fix available and not included in a vuln exception list.
Policy report: Containing scanning policies and evaluated images data
I.e. Images in my internal registry failing the “NIST” scanning policy.
You need to enable this feature from the Sysdig Labs setting on the User Profile page.
See Scheduled Reports for more detail.
March 22, 2021
Feature Enhancement: Falco Policy Types
Sysdig Secure has introduced Policy Types– a separation of policies into logical groups, based on the sources used in the policy engine. When creating a policy, you choose a type and then only the relevant scopes and container actions will be presented.
We have also introduced a new policy type to support threat detection with AWS CloudTrail rules.
For full details, see Manage Policies.
March 17, 2021
Scan Results: UX Enhancements & Added Functionality
Summarized views based on image count, image fail / pass distribution and image origin distribution.
Registry filter dropdown, multi-select
Visible image counters: Images shown in the page vs total number of images available after applying filters
Visual charts: Pass/fail and origin distribution (also respecting filters)
New table design to offer additional visual feedback and reduce data redundancy, plus additional vulnerability data.
Individual vulnerabilities can now be clicked to display additional information in a side panel:
The vulnerability feed source that was used for the matching
A description of the vulnerability
March 15, 2021
Sysdig Serverless Agent 1.0.0 for Fargate ECS
The “container-as-a-service” serverless environment calls for new agent models, and Sysdig provides them. Whereas in ECS, users still manage the underlying instances, with AWS Fargate the host is never visible and users simply run their workloads. And while this model is convenient, it can introduce risk as many people leave the containers unattended, without monitoring security events within that can exfiltrate secrets, compromise business data, impact performance, and increase their AWS costs. In addition, it is not possible to install a standard agent in an environment where you do not have access to a host.
For these reasons, Sysdig has introduced a new “serverless agent” model that can be deployed in these container-based cloud environments. The first implementation is for Fargate (ECS).
Sysdig will be rolling out security features on the serverless agent over time. In v1.0.0, users will see:
Runtime Policies and Rules
To obtain secure event information and the associated Falco policies and rules in the Sysdig Secure UI from a Fargate environment, users install the serverless agent using a CloudFormation Template. Then log in to Sysdig Secure and review the events in the UI.
See also: AWS Fargate Serverless Agents and Serverless Agent Release Notes (for future updates).
March 12, 2021
Deprecation Notice: Legacy Commands Audit & Legacy Policy events
The “Commands Audit” feature was deprecated in favor of Activity Audit in November 2019. This feature will be completely removed from the SaaS product April 2021.
Sysdig agent version 0.93+, released in November 2019, is required by the Activity Audit feature.
The “Policy Events” feature was deprecated in favor of the new Events feed in June 2020. This feature will be completely removed from the SaaS product April 2021.
Sysdig agent version 10.3.0+ is recommended.
UI Improvement on Rules Library and Rule Details
Usability improvements that display the policies in which a rule is used, from both the Rules Library list and the Rule Detail view. See Manage Rules for details.
March 2, 2021
Regulatory Compliance for SOC 2, NIST 800-53 rev4 and rev5
Three new compliance standards have been added to Sysdig compliance feature: SOC 2, NIST 800-53 rev4 and NIST 800-53 rev5.
The compliance validator now also includes new checks for the following features: Admission Controller, Network Security Policies and Node Analyzer.
See the Compliance documentation for usage details and the controls implemented.
February 23, 2021
Windows Scanning Released
A beta version of the Windows Scanning Inspector has been released. This is a new feature from Sysdig for scanning Windows containers.
This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.
See also: Windows Container Image Scanning [BETA].
Identify Windows container image vulnerabilities from:
- Windows OS CVEs
Windows or Linux hosts
Reports in JSON and PDF
Days since fixed
UI-Based Admission Controller Released
Kubernetes’ admission controllers help you define and customize which requests are allowed on your cluster. An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized.
Sysdig’s Admission Controller (UI-based) builds upon Kubernetes and enhances the capacity of the image scanner to check images for Common Vulnerabilities and Exposures (CVEs), misconfigurations, outdated images, etc., elevating the scan policies from detection to actual prevention. Container images that do not fulfill the configured admission policies will be rejected from the cluster before being assigned to a node and allowed to run.
See also: Admission Controller.
Granular admission policies: Defining a global policy per cluster, but also at the level of particular namespaces or image paths (i.e. registries) Registry and repository whitelist
Only allow images that pass the scanning evaluation criteria
Only allow images that have been evaluated recently
Only allow images that have been scanned before creation is requested to Kubernetes
Registry and repository whitelist
Scan unscanned requested images immediately (optional)
February 20, 2021
Network Micro-Segmentation: Support for CronJobs, Weave, & Cilium CNIs
The Sysdig Network Security Policy Tool has been upgraded to add support for CronJob pod Owners.
With the addition of CronJob support, communication is aggregated to the CronJob (scheduler) level, rather than the Job. Therefore, when administrators review the activity in the Network Security Policy menu, they will see the higher-level CronJobs listed, and not an excess number of individual Job entries.
This update also adds support for Weave and Cilium CNIs on top of Calico support.
Malware Detection during Inline Image Analysis
As part of the inline scanner version 2.3.1 release, malware scanning was added as a configurable detection that can be performed during inline analysis.
The default behavior if this feature is enabled and malware is found is to consider the scanning failed, report malware details, and abort analysis:
See Perform Inline Malware Scanning for recommended parameters and output options.
February 16, 2021
Registry Credentials: Support for Multiple Credentials
Sysdig Secure now supports assigning multiple credentials to the same registry depending on the relative internal registry path that is used to pull the image.
A wildcard can be added to the end of the path, indicating that any
image located under the partial path inside the registry (
the example) will use the registry credentials configured here. This
additional flexibility is useful, for example, for IBM registries which
can have a different set of permissions depending on the namespace.
See also: Manage Registry Credentials.
February 10, 2021
Inline Scanner v2.3 Released
Version 2.3 of the Inline Scanner has been released.
- Avoid prefixing the image names with
localbuildwhen not strictly necessary
Improved version detection for specific software packages:
Allow setting of
opensslsecurity level via
OPENSSL_SECLEVELenv var to support old certificates
More robust image ID identifier, avoiding unnecessary image re-scans along the container lifecycle
Added malware detection feature
February 4, 2021
Enhanced Activity Audit Filters
We have improved the noise-reduction filter for the Activity Audit feature in Sysdig Secure. The feed will now automatically filter out duplicate entries with a high number of occurrences. No information is lost, as the filtered noise is only duplications of entries in the feed.
A sudden reduction in the number of Activity Audit entries per time slot is expected as a result of this filter.
January 28, 2021
Node Image Analyzer v0.1.9 Released
Version 0.1.9 of the Node Image Analyzer has been released.
This release comes with the following improvements:
Fixed an issue that prevented some images from being processed on GKE clusters using Docker and Containerd
Fixed an issue that prevented some images that don’t have full tags from being processed on OpenShift
Improved version detection for Logback, SpringFramework and Tomcat Java packages
Fixed an issue that resulted in the image analyzer crashing without a proper error message when an incorrect Docker socket path was provided
- Added support for running the Node Image Analyzer in non-Kubernetes environments.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.