Serverless Agent Release Notes
For Installation and Upgrade steps, see AWS Fargate Serverless Agents.
4.2.1 Sep 7, 2023
Defect Fixes
Ensure Workload Instrumentation Handles Signals Consistently
Esure the stack pointer always points to a valid stack area, as required by signal handlers.
Vulnerabilities
Fixed the following vulnerabilities with the orchestrator agent:
- CVE-2023-30079
- CVE-2023-22652
- CVE-2023-28321
- CVE-2023-28484
- CVE-2023-29469
- CVE-2023-34969
- CVE-2023-28322
Fixed the following vulnerabilities with the serverless instrumentation:
- CVE-2023-28321
- CVE-2023-28484
- CVE-2023-29469
- CVE-2023-28322
4.2.0 Aug 1, 2023
Defect Fixes
Ensure Graceful Termination of the Instrumented Workload
The runtime instrumentation ensures the graceful termination of the instrumented workload when the container receives a termination signal (SIGTERM
).
Workload Agent Instability
The workload agent no longer fails to handle the syscall bpf(2)
.
Vulnerabilities
Fixed the following vulnerabilities with the orchestrator agent:
- CVE-2018-20839
- CVE-2019-12904
- CVE-2019-17543
- CVE-2020-17049
- CVE-2020-24736
- CVE-2021-39537
- CVE-2021-42694
- CVE-2022-23990
- CVE-2023-1667
- CVE-2023-2253
- CVE-2023-2283
- CVE-2023-26604
Fixed the following vulnerabilities with the serverless patcher:
- CVE-2018-20839
- CVE-2019-12904
- CVE-2019-17543
- CVE-2020-17049
- CVE-2020-24736
- CVE-2021-39537
- CVE-2021-42694
- CVE-2023-0361
- CVE-2023-1667
- CVE-2023-2253
- CVE-2023-2283
- CVE-2023-26604
- CVE-2023-27535
Fixed the following vulnerabilities with the serverless instrumentation:
- CVE-2018-20839
- CVE-2019-12904
- CVE-2019-17543
- CVE-2020-17049
- CVE-2020-24736
- CVE-2021-39537
- CVE-2021-42694
- CVE-2022-23990
- CVE-2023-1667
- CVE-2023-2283
- CVE-2023-24329
- CVE-2023-26604
- CVE-2023-34969
4.1.2 Jun 1, 2023
Defect Fixes
Vulnerabilities
Fixed the following vulnerabilities with the orchestrator agent:
- CVE-2023-27535
- CVE-2023-24329
- CVE-2022-43552
- CVE-2022-35252
- CVE-2019-20916
Fixed the following vulnerabilities with the serverless instrumentation:
- CVE-2023-27535
- CVE-2022-43552
- CVE-2022-35252
Workload Agent Instability
The workload agent no longer fails to handle the capset
syscall.
Orchestrator Agent Secure Features
The orchestrator agent no longer fails to start when the collector enables falcobaseline
.
4.1.1 May 15, 2023
Defect Fixes
Vulnerabilities
Fixed the following vulnerabilities with the serverless patcher:
- CVE-2023-28840
- CVE-2023-28841
- CVE-2023-28842
4.1.0 May 2, 2023
Cross-Compatibility
The orchestrator agent 4.1.0 is compatible with the workload agent 4.0.0 and vice versa.
New Features
Disable AWS ContainerInsights
The CloudFormation templates orchestrator-agent.yaml
and serverless-instrumentation.yaml
support disabling Container Insights.
Defect Fixes
Captures Fixed
Captures no longer fail to start and complete.
Kilt Recipe/Definition Customization
The Kilt Recipe/Definition in the instrumentation.yaml
can now be customized.
Vulnerabilities
Fixed the following vulnerabilities with the orchestrator agent:
- CVE-2022-41723
- CVE-2023-0286
Fixed the following vulnerabilities with the serverless patcher:
- CVE-2023-0286
Fixed the following vulnerabilities with the serverless instrumentation:
- CVE-2023-24329
- CVE-2023-0286
4.0.0 February 10, 2023
End of Life
The local installer used to deploy the instrumentation stack is no longer supported.
Deprecation Notice
The CloudFormation template serverless-instrumentation.yaml
has been deprecated.
New Features
Serverless Patcher
The Serverless Agent 4.0.0 provides serverless-patcher, a new containerized template patcher that can run locally and be integrated into CI/CD pipelines.
CloudFormation Template instrumentation.yaml
The Serverless Agent 4.0.0 provides instrumentation.yaml
, a new CloudFormation template to deploy the automation to instrument (that is to patch) templates on Cloud.
SecretsManager Support for the Orchestrator Agent
Secrets like the Access Key and the Proxy Password can be now automatically fetched and provided to the orchestrator agent at deployment time.
Custom CA Certificates Support for the Orchestrator Agent
The orchestrator agent supports the uploading of custom CA certificates. That allows the SSL certificate verification of OnPrem backends and proxies.
Workload Agent Logs Fine-Tuning
Logs can be tuned and controlled at the fine-grained component level. This can avoid excessive logging from certain components, or enable extra logging from specific components for troubleshooting.
Defect Fixes
Runtime Instrumentation Exits
The runtime instrumentation exits when the main process exits, thus avoiding waiting other process to finish and keeping the container alive.
Renamed Parameter in CloudFormation Template orchestrator-agent.yaml
The Gateway
parameter has been renamed to NetworkType
in the CloudFormation template orchestrator-agent.yaml
.
Exact Image Tags
The CloudFormation stacks uses exact tags now, instead of latest
.
Redundant Wildcard Permissions
Redundant wildcard permissions have been removed from the TaskRole
of the orchestrator-agent.
SIGINT
/SIGTERM
Propagation
The runtime instrumentation propagates SIGINT
and SIGTERM
signals to the instrumented workload now.
Honor Log Silent Mode in the Workload Agent
The `silent log mode prevents environment variables from being printed now.
List Separator to OptIn/OptOut Containers to be/from being Instrumented
Colons are now required as list separators to OptIn/OptOut containers. Commas are no longer supported.
Example
In the TaskDefinition
, Tags
can be leveraged to explicitly instrument some containers of the task, or prevent a bunch of them from being instrumented.
For example, the following tag prevents myContainer1
and myContainer2
from being instrumented when the template
patching runs in OptOut
mode (default):
Tags:
- Name: "kilt-ignore-containers"
Value: "myContainer1:myContainer2"
Vulnerabilities
Fixed the following vulnerabilities with the orchestrator agent:
- CVE-2022-28948
- CVE-2022-47629
- CVE-2022-41721
Fixed the following vulnerabilities with the workload agent:
- CVE-2022-47629
3.0.5 December 07, 2022
Defect Fixes
Fixed the following vulnerabilities with the orchestrator agent:
- CVE-2014-6407
- CVE-2014-3499
- CVE-2014-9356
- CVE-2014-9357
- CVE-2015-3627
- CVE-2022-32149
- CVE-2022-42898
Fixed the following vulnerabilities with the workload agent:
- CVE-2021-42836
- CVE-2021-42248
Fixed the following vulnerabilities with the serverless instrumentation:
- CVE-2022-42898
3.0.4 November 17, 2022
Defect Fixes
Tag Value Reference Failure Fixed
The Instrumentation Lambda in the CloudFormation stack no longer fails when the workload to be instrumented contains references for tags’ values.
Broad Stack Permissions Reduced
Permissions were reduced in the CloudFormation stack.
Proxy Password Obfuscation Failure Fixed
Orchestrator and Instrumentation logs no longer contain plaintext proxy passwords.
3.0.3 September 19, 2022
New Feature
Added task label to the metric serverlessdragent.workload_agent.count
to enable grouping multiple containers in a single task.
3.0.2 September 02, 2022
Defect Fixes
Fixed Preventing Workload Starting if no Policies in Place
To avoid workload starvation, the instrumentation can now start the workload if security policies are not in place.
The workload starting policy can be easily configured, see Configure workload starting policy.
Fixed Workload-starvation-detection Watchdog
Instrumentation watchdog no longer needs to be configured via the watchdog.sinsp_worker_timeout_s
parameter.
Fixed /proc
Scan Failure
Instrumentation /proc
scan no longer fails when the SSM Agent runs as root and the instrumented task runs as non-root user.
New Instrumentation Logging Level Parameter
The instrumentation logging level can now be easily configured via a new parameter exposed in the Instrumentation stack.
3.0.1 June 30, 2022
Defect Fixes
Log Levels Updated
The instrumentation logger for the Fargate Serverless Agent can now be configured to the following log levels:
silent
error
warning
info
debug
trace
See also: Manage Serverless Agent Logs
3.0.0 June 17, 2022
Defect Fixes
Fixed DEBUG Logging Error
The instrumented task should no longer be blocked from starting when using DEBUG logging with log-forwarding enabled, and better error messages have been added for failures when log forwarding.
Fixed Termination Error
Instrumentation tasks now terminate correctly on fatal errors and trigger the ECS restart policy.
Cleaned Up Serverless Agent Metadata
Redundancies in the serverless agent metadata (labels and tags) were corrected:
- AWS-related metadata are grouped below
aws.*
tags - Container-related metadata are grouped below
container.*
tags - Custom tags are grouped below
agent.*
tags
New Features
New Container-Based Installer
The Serverless Agent 3.0.0 provides a new container-based installer to simplify the deployment of the instrumentation & orchestration stacks. (Serverless Agent 3.0.0 supports the existing command-line-based installer as well.) See also: AWS Fargate Serverless Agents.
Instrumentation Logs Format
The Serverless Agent 3.0.0 supports both the json
and text
format for the forwarded instrumentation logs.
See also Manage Serverless Agent Logs.
2.3.0 March 15, 2022
Defect Fixes
Container Metadata Now Automatically Provided to Avoid Errors
The following metadata values are now automatically passed by serverless agents:
- container.image.repo*
- container.image.tag**
- container.image.digest**
- container.image.id*
*value is always provided in same way
**value depends on how the image is referred to when deploying the instrumented container, i.e. repo:tag
vs
repo@digest
.
Example:
:latest
When specifying an image such as falcosecurity/event-generator:latest
the metadata configuration =:
- container.image.repo = falcosecurity/event-generator
- container.image.tag = latest
- container.image.digest = null
- container.image.id = sha256:aaabbbcccddd
:named image
When specifying an image such asfalcosecurity/event-generator@sha256:aaabbbcccddd
the metadata configuration =:
- container.image.repo = falcosecurity/event-generator
- container.image.tag = null
- container.image.digest = sha256:aaabbbcccddd
- container.image.id = sha256:aaabbbcccddd
Fixed Display Problem in Insights Composite View for Fargate Events
Secure events from the Fargate serverless agent are now correctly labeled with Account ID and Region, allowiing them be grouped correctly in the Insights Composite view.
Fixed Occasional Problem with Starting Instrumented Tasks
Added retry and fallback logic to avoid restarts when a log-forwarding endpoint isn’t present.
Manual Instrumentation of Workload Agents
Improved documentation for manual instrumentation of workload agents, including handling logs.
2021 Archive
2021 Archive of Sysdig Serverless Agent release notes.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.