Sysdig On-Premises Release Notes

Oversight Services Now Offered for All Installs and Upgrades

Supported Web Browsers

Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox.

Other browsers may also work, but are not tested in the same way.

6.2.1 Release, June 2023

Upgrade Process

Supported Upgrades From: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem Installation instructions.

Sysdig Secure

Vulnerability Management Scanning Engine

Sysdig now provides the Vulnerability Management Scanning engine for all on-premises users. This scanning engine was released in April 2022 and brings the latest vulnerability features and improvements.

For 6.2.1 fresh installations, the Vulnerability Management engine will be the only scanning engine provided. For customers upgrading from 5.0.x, 5.1.x, or 6.x versions, both the Legacy Scanning engine and the newer Vulnerability Management engine are available.

Expanded Support for OpenShift 4 in Unified Compliance

Sysdig Secure support for CIS RedHat OpenShift Container Platform v4 Benchmark has been expanded in Unified Complience. This includes 13 new controls in Sections 1-4 for 92% coverage, and 11 new controls in Section 5 for an overall coverage of 74%.

Infrastructure Resource Changes

With version 6.2.1, the number of components the Sysdig Platform requires to run both Sysdig Secure and Sysdig Monitor is nearly doubled. This release introduces new product features in both products, as well as upgrades and enhancements of the datastores from the last major release in September 2021.

Sysdig has provided general testing with Platform configurations on 5.1.x and 6.0.x branches. Below is a table comparision of the CPU and Memory requirements for a Sysdig backend with 600 agents connected to each.

Note that the usage for each on-premises installation is different, so your load and sizing requirements may differ from the table above. To prepare for your upgrade from 5.x to 6.x, reach out to your account team for assistance to ensure your infrastructure meets requirements.

Secure-Only Backend Enablement Optimized

For users who enable a backend deployment with the secureOnly configuration set to true, the footprint of Monitor components has been further reduced and minimized. However, for those upgrading from 5.x+, the addition of features and components in 6.2.1 has a complex effect on the overall resource usage.

• In general, 6.0.0 requires less CPU and slightly more memory than 5.+.
• As version 6.2.1 has more components than 5.1.x, this means that the shared components (the ones used in both versions) require fewer resources in version 6.2.1.
• If you are upgrading from an existing branch with the legacy scanning engine, running both scanning engine components will require the most resources.

Take-away: For users with limited infrastructure resources who only use Sysdig Secure, please contact customer support or your Sysdig account team with your infrastructure node count and node size to ensure that the Secure-Only mode is the right deployment type for your needs.

Internal Agent Dashboards Added (On-Prem Only)

In Sysdig Secure, under Integrations > Data Sources, a new dashboard has been added for viewing granular information about the agents deployed in your environment.

Known Defects

• For 6.2.1 fresh installs, a few compliance checks that used the legacy scanner will not be available until a later release. For the full list of which checks are unavailable, please reach out to your account team for details.
• The Get Started page doesn’t work in a 6.2.1 fresh install as it relies on a legacy scanning endpoint that is not longer available. This will be patched in a future release.
• In the new Internal Agents Dashboard, if your agents are installed in Secure mode, some of the panels are missing data. This will be corrected in a future agent release. The affected panels are: Kubernetes Metadata Up to Date, CPU Usage, Memory Usage, and Total Agents without Cluster.*
• The new Internal Agents Dashboard will not load properly if the Cloudsec service is not enabled. This service can be enabled through a flag in the Installer: sysdig.secure.cloudsec.enabled = true.

6.1.2 Release, May 2023

Upgrade Process

Supported Upgrades From: 5.0.x, 5.1.x, 6.0

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem Installation instructions.

Defect Fixes

• Refined the upgrade process for users upgrading from 6.0 or 5.1.X branches.
• Fixed an issue where some values.yaml configurations were not kept during an upgrade.

6.1.1 Release, May 2023

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem Installation instructions.

Sysdig Secure

Daily Updates of Managed Policies and Rules

In Sysdig Secure Threat Detection, managed policies and rule definitions are now updated from Sysdig daily at midnight UTC via a new cronjob service, sysdigcloud-falco-rules-deployer. See Manage Daily Updates (On-Prem Only) if you need to change the schedule or disable the feature for any reason.

Sysdig Monitor

Cloud Metrics

• Supports the following features:

  • Cloud Metrics UI

  • Cloud Integrations for AWS CloudWatch Metric Streams.

    For more information on enabling CloudWatch Metric Streams, see Enable Cloud Metrics Streams in On-Prem Deployments.

  • Cloud Integrations for Azure

• For users upgrading from 5.x.x to 6.x.x on-prem versions, the AWS CloudWatch API metrics will be converted from Sysdig notation to Prometheus. All the dashboards and alerts will be converted automatically.

• AWS CloudWatch API metrics will still be available in the Sysdig notation (aws.*)if the metrics are queried directly via the API. However, aws.*.latency metrics will be reported in seconds instead of nanoseconds, which was required for consistency between the AWS CloudWatch API metrics and AWS CloudWatch Metric Streams metrics. Users querying the aws.*.latency metrics directly via API from Grafana should change the time unit to seconds.

Defect Fixes

• Fixed the Integrations without workload type
• Fixed the list alerts API for summary information
• Changed icons in Event feed for policy type
• Fixed an issue in which an appended rule could result in empty tags
• Fixed a wrong label value order to report retention as label value
• Fixed an issue on user provisioning
• Fixed a problem with metrics that have new categories

5.1.9 Hotfix Release, April 2023

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem Installation instructions.

Defect Fixes

• Added “Alert group name” to Webhook (notification channel) payload
• Retention manager now removes spurious images
• Images with SHA256 as tag are now re-evaluated
• Consolidated scan results between API and UI

6.0.2 Hotfix Release, April 2023

Upgrade Process

This release only supports fresh installations of the Sysdig platform into your cloud or on-premise environment.

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem Installation instructions.

Defect Fixes

• Enabled Internal Agents Dashboard
• Added CPU Usage and Memory Usage panels to Internal Agents Dashboard

6.0.0 Release, April 2023

Upgrade Process

This release only supports fresh installations of the Sysdig platform into your cloud or on-premise environment.

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem Installation instructions.

Monitor

Sysdig has migrated to a Prometheus-native data store and is now available on on-premise deployments. This release adds several product offerings that are available on the Sysdig SaaS platform for the Monitor product. The following features are now available in the fresh installation of the 6.0.0 on-premise release.

Advisor

• Advisor
• Advisories
• Live Logs
• YAML Configuration

Dashboards

• Dashboard Manager
• Dashboard Library

Explore

• Metrics Explorer
• PromQL Query Explorer
• PromQL Library

Alerts

• New Alerts Editor
• Alerts Library

Integrations

• Monitoring Integrations
• Grafana Plugin

AWS Cloudwatch Metrics

• The AWS CloudWatch API metrics will be available in Prometheus format. For more information, see AWS CloudWatch API Metrics.

Notification Channels

Two new notification channels have been added:

• Prometheus Alert Manager
• Google Chat

Secure

Insights

Sysdig Secure has introduced a powerful visualization tool for threat detection, investigation, and risk prioritization, to help identify compliance anomalies and ongoing threats to your environment. With Insights, all findings generated by Sysdig across both workload and cloud environments are aggregated into a visual platform that streamlines threat detection and forensic analysis. For more information, see Insights.

Compliance

New report types have been added to Unified Compliance:

• GCP
• Azure
• Kubernetes
• Docker
• Linux

Threat Detection Policies and Rules

Threat detection policies now have three “flavors”, following the same model in our SaaS platform.

• Default/Managed Policies
• Managed Ruleset Policies
• Custom Policies

For information on the full description of these policy types, see in our Threat Detection Policies.

Integrations

• Managed Kubernetes
• Sysdig Agents

Platform

Custom Roles

A custom role is a admin-defined role which allows Sysdig administrators to bundle a set of permissions and allocate it to one or more users or teams. This features has been available in SaaS and is now released for our on-premise users. Fore more information, see Custom Roles.

Group Mappings

Group mappings allow you to connect groups from your identity provider (IdP) to the roles and teams associated with your Sysdig account.

Login Message

You can now configure a custom login message to help maintain security standards based on your organization.

Platform Audit

Sysdig provides both a UI and a set of APIs for auditing and reporting on the use of the Sysdig platform itself. By default, the UI is disabled to help minimize the required resources of running on-premise. The API is enabled by default. For more information, see Sysdig Platform Audit.

Privacy Settings

You can choose to opt in or out of sharing usage data with Sysdig.

5.1.8 Hotfix Release, February 2023

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem Installation instructions.

Defect Fixes

• Fixed a time unit issue for Elasticsearch resolvers.
• Fixed an issue where container metadata labels missing for JVM metrics.
• Fixed an issue where sysdig_fs_* metrics not being discovered.

5.1.7 Hotfix Release, January 2023

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Defect Fixes

• Fixed an issue when images would not be scanned or re-evaluated with an alert configured with four or more scopes.
• Fixed an issue when Captures from a runtime policy would not display in the Inspect UI.

Sysdig Platform

• Updated several containers that mistakenly were running as root. All containers now run using an unprivileged user.
• Updated the apiVersion of all Cronjobs from batch/v1beta1 to batch/v1.
• Fixed an issue that would sometimes result in a 413 Payload Too Large HTTP response to the Sysdig API.
• Fixed an issue with some Sysdig templates missing nodeSelectorTerms although nodeaffinityLabel is specified.

5.1.6 Hotfix Release, January 2023

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Defect Fixes

• Fixed a privacy setting issue that would revert the admin setting after an update to the values.yaml file.
• Fixed a sidepanel interface bug that would appear under Scan Results.
• Fixed an issue with the metadata service sometimes returning an empty string as a value for some metrics, causing a banner to display saying A new version of Sysdig is available.
• Fixed an Anchore issue that would show vulnerabilities in packages that should not have been present.
• Updated the Anchore image with latest code and security updates.

5.1.5 Hotfix Release, December 2022

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Defect Fixes

• Fixed an issue when Sysdigcloud-api would fail to connect to Cassandra when a column name already exists
• Fixed an invalid Cassandra StatefulSet YAML issue in multi-AZ deployments

5.1.4 Hotfix Release, November 2022

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Secure

• Removed the Legacy Benchmarks button from the Secure UI. The feature soon to be deprecated in on-premise deployments.

• Added the Shared with Team permission in Group Mappings to the ServiceManager role.

Defect Fixes

• Fixed an issue when a scanned image would not correctly report a vulnerability detected in kernel-headers package.
• Fixed a Secure scanning issue when an image was scanned by multiple sources (i.e. Inline Scanner and Node Analyzer) and the UI would redirect the user to the incorrect source.
• Fixed a Team Scope issue in Secure when the agent.tag.accountid scope was configured and users could not see Host scanning results.
• Updated the Secure Only on-premise setting for aggregation interval set to 60 seconds to help reduce the number of “stream resetting” log warnings in the Sysdig backend.

5.1.3 Hotfix Release, September 2022

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Defect Fixes

• Fixed an Elasticsearch issue occurred during upgrades that could result in pods ending in a CrashLoopBackOff state. This fix will overall improve Elasticsearch resiliency for users.

4.0.8 Hotfix Release, July 2022

Supported Upgrades From: 3.6.X

Defect Fixes

• Fixed an issue with PVC metrics not displaying properly in the UI.
• Fixed a filtering issue when RDS metrics would not populate in the RDS Overview Dashboard.

5.1.2-2 Hotfix Release, July 2022

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

Sysdig Platform

• Added support for Openshift 4.10.

5.1.2 Hotfix Release, May 2022

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Secure Feature: Reporting

• Added the Run Now and Download(s) menu items.

Defect Fixes

• Fixed an “Unable to load latest task result” bug when accessing compliance benchmarks results.

5.1.1 Hotfix Release, May 2022

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Sysdig Platform

• Added the RelayState parameter optional for SAML configuration.
• Upgraded the Spring Framework to version 5.2.20 in the sysdig-backend container.

Monitor

• Added the ability to choose regions with Capture Storage.

Installer Improvements

• Fixed an issue with MultiAZ GCP/GKE platforms that would prevent Elasticsearch from starting.
• Fixed an ingress permissions issue when upgrading from 5.0.4 to 5.1.0 that would result in the Sysdig UI generating a 404 Not Found error.
• Fixed an installer bug when cloudProvider.name was set and cloudProvider.region was not set.
• Fixed a Kafka/Zookeeper statefulset naming issue when installing or upgrading Sysdig on-premise

Defect Fixes

• Monitor Alert re-notification messages now provide the latest metric value instead of the metric value at time of triggering.
• Fixed a Runtime scan page issue not displaying image results based on specific Team scopes.

5.0.5 Hotfix Release for CVE-2022-22965

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the ReleaseNotes on Github. There you will also find important Install instructions.

Improvements

This hotfix upgrades the Spring Framework to version 5.2.20 in the sysdig-backend container.

5.1.0 Release, March 2022

Upgrade Process

Supported Upgrades From: 4.0.x, 5.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Sysdig Platform

Installer Improvements

• Kubernetes versions 1.22 and 1.23 are now supported.
• An optional cronjob for the falco-rules-installer, which runs once a month, can now be created through the Installer values file.
• Users operating their own ingress controller, such as Rancher, are no longer need to manually create Ingress Objects Go HTTP APIs. Note that the Collector uses TCP and will need external configuration.
• The Installer now has a pre-flight check to verify the kubectl and Kubernetes versions of the cluster with the context provided by the user.

Secure

API Docs

• API documentation for Sysdig Secure are now enabled by default.

Defect Fixes

• Fixed an issue with Secure Events not displaying the correct number of events in the dashboard.
• Fixed an issue that prevented Rapid Response being enabled with a Secure Team created with LDAP.
• Fixed a network issue that would sometimes occur during an upgrade which would cause PostgreSQL to timeout.
• Fixed an issue when the nats-streaming-init container failed to start due to permission problem when storageClassProvisioner is set to hostPath.
• Fixed a Compliance Database Password issue during upgrades from on-prem 4.0.x to on-prem 5.0.x
• Fixed an issue with the StatefulSet definition when upgrading from 4.0.x to 5.0.x on a Kubernetes cluster prior to 1.18.x

4.0.7/5.0.4 Hotfix Release for CVE-2021-44228 in Apache’s log4j (3.6.4, 4.0.7, 5.0.4)

The patch relese upgrades all components that compose Sysdig’s Platform running Apache’s vulnerable Log4j library to 2.16.

Note on ElasticSearch: This is using Log4j v2.11.1. An additional JVM parameter has been added through the Installer in accordance with the recommendations from Elastic. In addition, the impacted class from the Log4j library has been removed completely. Security scanners may still list this as vulnerable but in this case it will be a false positive. Elastic currently does not offer a way to fully remove or upgrade this component.

4.0.6/5.0.3 Hotfix Release for CVE-2021-44228 in Apache’s log4j (3.6.3, 4.0.6, 5.0.3)

Security researchers recently disclosed the vulnerability CVE-2021-44228 in Apache’s log4j, which is a common Java-based library used for logging purposes Sysdig is using an alternative framework for logging called Logback. The logback framework isn’t vulnerable to this issue.

Sysdig components include a log4j library in our standard distribution that was vulnerable. This library is included for compatibility reasons only, is not used for primary logging, and our security team has determined we are not vulnerable based on our application architecture and existing mitigating controls.

We have released a patch version of our self hosted-software which upgrades the vulnerable version of log4j or adds additional mitigating controls suggested by vendors.

• 3.6.3
• 4.0.6
• 5.0.3

Please reach out to support or the customer success team for assistance with your upgrade.