Sysdig On-Premises Release Notes

You may also want to review the update log for Falco rules used in the Sysdig Secure Policy Editor: Falco Rules Changelog.

Oversight Services Now Offered for All Installs and Upgrades

As part of our continued focus on our customers, we are now offering oversight services for all on-premise installs and upgrades. Your Technical Account Manager (TAM), in conjunction with our support organization and Professional Services [where applicable], will work with you to:

  • Assess your environment to ensure it is configured correctly

  • Review your infrastructure to validate the appropriate storage capacities are available

  • Review and provide recommendations for backing up your Sysdig data

  • Work with you to ensure our teams are ready to assist you during the install and upgrade process

  • Provide the software for the install

  • Be available during the process to ensure a successful deployment

You can always review the process in the documentation on GitHub (v. 3.6.0+) or the standard docs site (for older versions).

If you are a new customer looking to explore Sysdig, please head over here to sign up for a trial on our SaaS Platform. Alternatively, you can contact us here.

Supported Web Browsers

Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox.

Other browsers may also work, but are not tested in the same way.

Release 5.0 September 7, 2021

Known limitations:

Upgrade Process

Supported Upgrades From: 4.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install and Upgrade instructions.

Sysdig Platform

Define S3 Bucket Path for Storing Captures

Sysdig Platform users can now define a custom path in the S3 bucket they are using for storing captures. This is useful to those who want to reuse a certain bucket used for other purposes or send captures from different installations to the same S3 bucket. For more information, see (On-Prem) Configure Custom S3 Endpoint.

Webhook Channel Enhancements

Sysdig supports the following on a Webhook channel integration:

  • Insecure connections: You now have the ability to skip the TLS verification.

  • Custom headers: If your Webhook integrations require additional headers or data, you can append them to the alert format by using a custom header on the UI. This option is in addition to the existing API facility to add custom headers programmatically.

For more information, see ???.

S3-Compatible Storage for Capture Files

Configuring S3-compatible storage, such as Minio or IBM Cloud Object Storage, for your Sysdig captures is now supported on Sysdig Monitor. The capability can be turned on by configuring the system appropriately, as given in (SaaS) Configure Custom S3 Storage Endpoint.

Microsoft Teams Channel

You can now use Microsoft Teams as a notification channel in Sysdig Monitor. See Configure a Microsoft Teams Channel for more details.

Dark Mode

The dark appearance, known as Dark Mode, is available in Sysdig applications.

Sysdig can now automatically match your OS preferences. Available in Sysdig platform on-premises, or in SaaS in the US East and rolling out globally. For more information, see Configure Theme Preference.

Customized Session Expiration

Session expiration is the amount of time a user can remain idle before the session is automatically ended or expired. After the session expires, the user must log in to the Sysdig application again.

Sysdig now gives you the ability to make a shorter or longer idle session expiration for Sysdig applications. When a user browser is idle for a certain period of time, they will get automatically logged out. For more information, see Configure Customized Session Expiration.

Sysdig Monitor

Workload Label

Sysdig Monitor now supports two new labels, kubernetes.workload.name and kubernetes.workload.type, which can be used for scoping Dashboards and configuring Groupings.

Earlier, each type of object (deployment, replicaset, statefulset, etc.) was treated as unique, so you needed a different Kubernetes Dashboard and a different Grouping for each, with the distinct types of Kubernetes objects listed separately.

For more information, see Unified Workload Labels.

Silencing Alert Notifications

Sysdig Monitor allows you to silence alert notifications for a given scope for a predefined amount of time, and schedule silence in advance. When silenced, the alert will still be triggered and posted on the Events feed and in the graph overlays but will indicate it has been silenced. The types of notification channels you can use are Email, Slack, and Amazon SNS.

You will be notified 30 minutes before the start time and 30 minutes before the end time of a silence window. You will also be able to easily extend or end an active silence. To access the feature, navigate to Alerts > Silence on the Monitor UI.

For more information, see Silence Alert Notifications.

Sysdig Secure

Sysdig Secure for cloud

Sysdig Secure for cloud is available with Cloud Risk Insights for AWS, Cloud Security Posture Management based on Cloud Custodian for AWS and multi-cloud threat detection for AWS using Falco.

What’s Included in this release:

  • Insights: a powerful new visualization tool for threat detection, investigation, and risk prioritization, to help identify compliance anomalies and ongoing threats to your environment. With Insights, all findings generated by Sysdig across both workload and cloud environments are aggregated into a visual platform that streamlines threat detection and forensic analysis.

  • Threat Detection based on AWS CloudTrail: To detect threats, anomalies and suspicious activities with the flexible Falco engine. See also: Sept 29, 2020.

  • Cloud Security Posture Management with AWS Benchmarks: The AWS CIS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results and remediation activities you need to fix misconfigurations in your cloud environment.

    We’ve included several UI improvements to provide additional details such as: control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based.

  • Image Scanning for ECR and Fargate: one-click deployment; see also ECR April 13, 2020 and Fargate Sept. 28, 2020.

Falco Policy Tuner

Sysdig is now releasing a managed version of the standalone Falco Tuner.

Previously, you had to run the tuner in your local environment, print suggestions, and manually update a rule with those suggestions. The new feature runs in the background and automatically tunes noisy rules and false positives. To streamline the creation of these exceptions, we’ve created a new object within Falco called exceptions.

Note: To enable the tuner, Admin access rights to Sysdig Secure are required.

Feature Enhancement: Falco Exceptions

Previously, exceptions were created using "and not" conditions inside a Falco rule, e.g.:

- rule: Write below binary dir
  ...
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  ...

However, this process can be unwieldy and can result in unintended behavior. The new format, using exceptions, looks like this:

- rule: Write below binary dir
  ...
  condition: bin_dir and evt.dir = < and open_write
  ...
  exceptions:
    - name: package_mgmt_procs
      fields: proc.name
      comps: in
      values: package_mgmt_binaries # list of known binaries
  ...

See the full documentation here.
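The snippet above is abbreviated. The following is an added example (not taken from the release notes or from the shipped Sysdig/Falco rule set) of a complete rule file using the exceptions object: the macros, the rule and both exception shapes are written out so the file can be loaded on its own. The macro definitions mirror the upstream Falco ones for bin_dir and open_write; the exception names, process names and directories are illustrative values chosen here.

```yaml
# Added example, not Sysdig's or Falco's own rule file.
- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

- macro: open_write
  condition: evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0

- rule: Write below binary dir
  desc: An attempt to write to any file below a set of binary directories
  # The condition now carries only the detection logic; every carve-out
  # lives in the exceptions list below, where the tuner can append to it.
  condition: bin_dir and evt.dir = < and open_write
  exceptions:
    # Single-field form: fields and comps are scalars, values is a flat list.
    # Equivalent to appending "and not proc.name in (dpkg, rpm, yum, apt, apt-get)".
    - name: package_mgmt_procs
      fields: proc.name
      comps: in
      values: [dpkg, rpm, yum, apt, apt-get]
    # Multi-field form: each entry in values is a tuple matched positionally
    # against fields with the operator at the same position in comps.
    # Equivalent to "and not (proc.name = pip and fd.directory startswith /usr/bin)".
    - name: known_writer_in_dir          # illustrative exception
      fields: [proc.name, fd.directory]
      comps: [=, startswith]
      values:
        - [pip, /usr/bin]
  output: >
    File below a known binary directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name container=%container.id)
  priority: ERROR
  tags: [filesystem, mitre_persistence]
```

Each exception is ANDed as a negated clause onto the rule condition when the rule is loaded, so narrowing an exception to several fields (process and directory together, as in the second entry) keeps the rule firing for the same process writing elsewhere, which a single-field exception on proc.name alone would silence.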

Tunable Exclusions Available in Insights Details

We’ve added the ability to identify and add exceptions using the Policy Tuner in the Insights module. Now you can receive policy tuning recommendations directly within the Insights view, enhancing usability, ease, and refinement of results.

See also: Insights and Runtime Policy Tuning.

New Scan Results Page Layout

We have reorganized the visual layout of the Scan Results summaries to clearly distinguish policy evaluation from vulnerability matching and to better summarize the information.

Improvements include:

  • Vulnerabilities and Policies are now two different sections in the UI

  • Vulnerability match update time is displayed to further distinguish from the Policy Evaluation time

  • Policy breakdown is collapsed by default to reduce cognitive load

  • Re-evaluate policies button is now located in the impacted section only, as opposed to whole page

  • Apart from the vulnerability update time, the data remains unchanged from previous versions

See also: Review Scan Results.

New and Improved Host OS and Container Scanning Tools

We at Sysdig are working hard to improve your security posture and compliance experience. As part of this commitment we are implementing a new framework to generate host benchmark results, introducing host scanning, and making backend improvements to the image scanning mechanism.

Installation Steps

The new features require a new component to be installed called the Node Analyzer. We’ve provided an installation script to automate the installation or to upgrade an existing Node Image Analyzer daemonset, if applicable.

Once you’ve installed or updated the components, the UI will automatically show Host Scanning and new Benchmarks functionality (Legacy Benchmarks can still be accessed.)

Host Scanning: New

In addition to Sysdig Secure’s rich array of tools for scanning container images, you can now scan the hosts as well.

  • Scan hosts for vulnerabilities and produce a detailed Software Bill of Materials (SBoM)

  • Support for OS (e.g. rpm) and non-OS (e.g. Java, Ruby, Python) packages

  • Compare and diff scan results

Host Benchmarks: Updated
  • More checks

  • Better results

  • Clustered aggregations - understand the posture of your environments, not just a single entity

Image Scanning: Updated
  • Automatically scan images if they have not been scanned

Kubernetes Network Security: New Configuration and Improved User Experience

Sysdig’s Kubernetes Network Policy tool has been updated to include additional fine-tuning configurations and an improved user experience.

Additional Configuration Panel
  • Workload Labels: Depending on your workload labelling policy, some labels may not be relevant for generating a KNP policy. Use the additional config to include/exclude a particular set of labels per cluster/namespace to declutter your UI and the resulting policy.

  • Unresolved IP Configuration: Now it is possible to label raw IPs that are not mapping to your Kubernetes/OpenShift entities, i.e. external cloud provider services, so these labels will be automatically applied to the topology and ingress / egress tables.

  • Cluster CIDR configuration: If the CIDR configuration is not automatically detected by the agent, you can now directly configure internal subnets per cluster using the Sysdig interface.

Improved UX
  • Topology map: Additional information pop-up when hovering over a network connection or a network node, such as server process, source, destination, and more.

  • Unresolved IP filtering: In the ingress and egress tables, by type or using free text search.

Additionally, Network is now presented as a top-level item in the Sysdig Secure navigation.

Activity Audit Improved

The Activity Audit user interface was enhanced as follows:

  • Activity Audit entry point moved under the Investigate menu

  • Trace feature, used for kube exec, is now also available for parent commands

  • The filter selector is also available in-line, with no need to open the detail view

  • Lateral Tree view removed and replaced with the Scope menu above, in alignment with the Event panel

Alert Notification Channel for Microsoft Teams

Microsoft Teams is now available as an Alert Notification Channel in Sysdig Secure for Runtime Policies. See also: Manage Policies

Internal Scanning Date Improvements

The reliability of the Max days since creation and Max days since fix rule gate parameters in scanning policies has been improved. The information is now included in the inline-scan JSON report and available in the Jenkins plugin.

Reporting Improved with Multi-Select Option

Added the option to select multiple policies and multiple package types as part of a scheduled scanning report.

Release 4.0.3 August 27, 2021

This release is a hot-fix only release.

Upgrade Process

Supported Upgrades from: 3.6.2, 4.0.0, 4.0.1, 4.0.2

For the full supportability matrix, see the Release Notes on Github. Other upgrade notes are maintained in the GitHub upgrade folder.

Installation Instructions

Full installation instructions for Kubernetes environments: here.

Defect Fixes

Inline Scanning Fix for Sysdig Secure

Fixed an issue when scanning long Java manifest files that caused the scan to fail.

LDAP Improvements for Sysdig Platform

Fixed an issue with the LDAP sync Job running out of shared memory. The LDAP sync will no longer stop if it encounters an intermittent issue or error, but will allow the sync to complete.

4.0.2 June 29, 2021

This release is a hot-fix only release for Sysdig Secure features.

Upgrade Process

Supported Upgrades From: 3.6.2, 4.0.0, 4.0.1.

For the full supportability matrix, see the Release Notes on Github.

Improvements

CSV Runtime Reports

  • The runtime labels that were described in a single CSV column (JSON encoded) will now be represented using one column per label.

  • If the same vulnerability, same package, same image is found in several runtime contexts, the CSV will separate each runtime context in a separate row, instead of building a JSON array with several objects nested.

See also: Scheduled Reports.

Defect Fixes

Fixed Incorrect Fingerprinting Causing False Positives in Scanning

Fixed incorrect version detection for Apache Struts 2 packages leading to false positives.

Fixed Metadata Retrieval Issue in Scanning

Fixed incorrect metadata retrieval for corner cases when imageIDs are associated with several digests.

Improved Memory Usage

Reduced Redis memory consumed by scanning by optimizing the usage of the scanning API cache.

Fixed Subscription Alert Entries

Fixed scanning alerts triggers for images discovered via the Node Image Analyzer or Inline Scan container.

Readable Filenames for Scanning Reports

The scheduled scanning reports now generate report files named after the report name, e.g. my-daily-critical-vulns-2021-05-04.zip.

Release 4.0.1 May 05, 2021

This release is a hotfix-only release for Sysdig Secure features.

Upgrade Process

Supported Upgrades From: 3.6.2

For the full supportability matrix, see the Release Notes on Github.

Improvements

Improved RHEL Vulnerability Matching

The RedHat OVAL source feed interpretation and the matching algorithm have been improved to handle special RedHat packages versioning rules. This should effectively translate into fewer false positives and more accurate fix versions for RH-based packages.

Defect Fixes

Security Fix

A SQL injection vulnerability discovered in 4.0.0 has been fixed in 4.0.1.

Scan Results

The vulnerability list on the UI showed a different number of vulnerabilities compared to the summary PDF report for the same image. This issue has been fixed as part of Improved RHEL Vulnerability Matching.

Secure Audit Reporting Errors

Secure Audit Reporting displayed intermittent errors for custom agent versions. Fixed the agent version parsing to correctly assess feature support.

Release 4.0.0 April 06, 2021

Upgrade Process

Supported Upgrades From: 3.6.2

For the full supportability matrix, see the Release Notes on Github.

Migrating MySQL to PostgreSQL

For consolidation and to meet higher performance requirements, upgrading to v4.0.0 from v3.x.x involves migrating MySQL to the PostgreSQL database. The migration process is seamless and no user intervention is expected. For more information, see Migration Documentation on Github.

Installation    Additional Docs
Kubernetes      README. Review the Upgrade and other files within the version-specific GitHub folder for additional information.
Replicated      Not supported on 4.0.0

Deprecations

Deprecating “Scan Image” Reaction in Alerts

When setting up runtime alerts in previous versions, there was an option to trigger “scan image” when an unscanned image was detected. This has been deprecated in the UI in favor of the Node Image Analyzer, which is bundled by default with the Sysdig agent as an additional container per node.

See also: Manage Scanning Alerts.

Defect Fixes

Large SAML Metadata

An issue was detected in an earlier version where large SAML metadata could not be saved due to limits in the database field size. This issue is now fixed and Sysdig now supports large SAML metadata.

Single Sign-On for Monitor and Secure

When a user logs in to Sysdig products successively, a confusing error message related to SAML was displayed if:

  • Both Secure and Monitor have been configured with SSO.

  • The Create User on login feature has been turned on for both products.

This issue is fixed with this release.

When a user created in one product logs in to another, and if the Create user on login feature is turned on, no error message is thrown. The user is added to the appropriate team in the product and can log in to the other.

Sysdig Platform

Monitor UI Displays On-Prem License Information

The on-prem license information is now displayed on the Monitor UI. Additionally, users will be warned of imminent license expiration on the UI.

Changes to Auditing Sysdig Platform Activities

Due to the changes in the underlying database (PostgreSQL instead of MySQL), the existing Sysdig auditing data will be dropped when performing the upgrade from 3.x to 4.0 on-premise version. The audit data is not migrated due to the potentially large size of the table, which could prolong the upgrade process. The data remains available in the MySQL database. If you require the data, do the following:

  1. Before upgrading, dump the audit_events table from MySQL.

  2. When the upgrade is completed, import the data back to the new database if you desire.

    Contact your Sysdig representative for details on how to perform this operation.

Sysdig Monitor

Improved Alerts

The Alert interface has been improved to allow faster browsing and easier management. For more information, see Alerts.

Explore Workflow Enhancements

The Explore interface has been improved to allow faster troubleshooting.

You are now launched directly into the drill-down view when you navigate to Explore. You will still be able to group and navigate your infrastructure by using the hierarchical scope tree.

The new Grouping editor helps you create and manage your infrastructure groupings.

For more information, see Explore.

Visualizing Missing Data on Dashboards

Dashboards now show null or missing data values as gaps instead of zero. Optionally, missing data can be displayed as a dotted or solid line in both Form-based and PromQL panels. StatsD metrics will continue to show null values as zero unless overridden by the settings. For more information, see Display Missing Data.

Host Overview

To complement Sysdig Kubernetes Overviews, Hosts Overview has been released. Host Overview provides a unified view of the performance and health of physical hosts in your infrastructure.

Sysdig Secure

Serverless Agent Preview Feature

The 1.0.x serverless agent is supported as a preview feature with Sysdig Platform 4.0. Note that there is no guarantee of forward or backwards compatibility with this preview release.

Sysdig Serverless Agent 1.0.0 for Fargate ECS

The “container-as-a-service” serverless environment calls for new agent models, and Sysdig provides them. Whereas in ECS users still manage the underlying instances, with AWS Fargate the host is never visible and users simply run their workloads. While this model is convenient, it can introduce risk: many people leave the containers unattended, without monitoring the security events within them that can exfiltrate secrets, compromise business data, impact performance, and increase their AWS costs. In addition, it is not possible to install a standard agent in an environment where you do not have access to a host.

For these reasons, Sysdig has introduced a new “serverless agent” model that can be deployed in these container-based cloud environments. The first implementation is for Fargate (ECS).

Sysdig will be rolling out security features on the serverless agent over time. In v1.0.0, users will see:

  • Runtime Policies and Rules

  • Secure Events

To obtain secure event information and the associated Falco policies and rules in the Sysdig Secure UI from a Fargate environment, users install the serverless agent using a CloudFormation Template. Then log in to Sysdig Secure and review the events in the UI.

See also: AWS Fargate Serverless Agents and Serverless Agent Release Notes (for future updates).

Kubernetes-Native Network Security with Sysdig Secure (Beta)

A new feature has been added to Sysdig Secure for authoring and refining Kubernetes network policies (KNPs) that:

  • Automatically extracts the connection information, by observing the cluster networks and microservices communications

  • Offers a visual flow to fine-tune the Kubernetes network policies, incorporating the user’s adjustments

  • Automatically generates the KNP YAML to be applied, without requiring previous Kubernetes policy knowledge from the user

As soon as the feature is enabled, the Sysdig agent starts collecting and processing application communications, which are then enriched using Kubernetes metadata and presented in two different ways:

  • Topology maps: a visual representation of the network flow between the Kubernetes entities (Services, Deployments, StatefulSets, DaemonSets, Jobs)

  • Ingress / Egress tables: for additional detail on each inbound/outbound communication and policy tuning.

Once the user has finished editing the desired policy, Sysdig will automatically compute the associated KNP YAML:

  • Enforcement is delegated to the Kubernetes control plane, favoring policy-as-code and avoiding direct tampering with cluster communications

  • Allow-only approach ensures that any communication which is not explicitly allowed by the policy will be forbidden
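To make the allow-only behaviour concrete, here is an added example of a Kubernetes NetworkPolicy of the kind the passage describes (this is hand-written for illustration, not YAML generated by Sysdig). The namespace names, workload labels and ports are assumed values; the kubernetes.io/metadata.name namespace label is the one Kubernetes sets automatically on every namespace from v1.21 onward.

```yaml
# Added example, not Sysdig-generated output. Namespaces, labels and ports are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: checkout-allow-only
  namespace: shop
spec:
  # Once a policy with both policy types selects these pods, the CNI drops
  # every connection that is not matched by an ingress or egress rule below.
  podSelector:
    matchLabels:
      app: checkout
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Inbound: only the frontend workload in the same namespace, on the service port.
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Outbound: the payments API in another namespace. namespaceSelector and
    # podSelector inside one list entry are ANDed; as separate entries they would be ORed.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: payments
          podSelector:
            matchLabels:
              app: payments-api
      ports:
        - protocol: TCP
          port: 443
    # Cluster DNS must be allowed explicitly, or name resolution breaks under an egress policy.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

The object is applied with kubectl like any other resource, and enforcement is done by the cluster's CNI plugin rather than by Sysdig, which is why the feature lists supported CNIs (Calico, OVS, and later Weave and Cilium) as prerequisites: a CNI that does not implement NetworkPolicy accepts the object but enforces nothing.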

Prerequisites

Sysdig agent version 10.7+

Supported Orchestrator Distributions and CNI Plugins:

  • Vanilla Kubernetes (kops, kube-admin) using Calico

  • OpenShift 4.x using OVS

  • Google GKE using Calico

  • Amazon EKS using Calico

  • Rancher Kubernetes using Calico

Please contact us to enable this feature for your Sysdig Secure accounts.

See also: Network Security Policy Tool.

Network Micro-Segmentation: Support for CronJobs, Weave, & Cilium CNIs

The Sysdig Network Security Policy Tool has been upgraded to add support for CronJob pod Owners.

With the addition of CronJob support, communication is aggregated to the CronJob (scheduler) level, rather than the Job. Therefore, when administrators review the activity in the Network Security Policy menu, they will see the higher-level CronJobs listed, and not an excess number of individual Job entries.

This update also adds support for Weave and Cilium CNIs on top of Calico support.

New Product: Rapid Response

Rapid Response is an Endpoint Detection and Response (EDR) solution built for cloud-native workloads, which gives security engineers the ability to respond to incidents directly via a remote shell. The shell uses the underlying host tooling already installed, such as kubectl, Docker commands, cloud CLIs, etc. Users can also mount their own scripts to use any familiar tooling.

Rapid Response requires a component installed on the host machine. This component provides end-to-end encrypted communication using a passphrase only your team knows. The Rapid Response feature is disabled by default and can only be accessed by teams that have the feature enabled. Admins can see all user activity, including access to audit logs, and can initiate a rapid response session. Advanced users can view only their own user activity, including their audit logs, and can initiate a rapid response session.

See also: Rapid Response: Installation and Rapid Response.

Image Scanning Reports v3 [BETA]

The Image Scanning Reports feature has been thoroughly updated and has moved from a synchronous model to an asynchronous model, in which you schedule the reports you need and then receive them through your normal notification channels (email, Slack, webhook). The new version also includes:

  • A preview function to check report structure in the UI

  • A more advanced query builder

  • Extended set of data columns (e.g. CVSS base score and vector) and extended set of available filters (e.g. package type)

Reporting v3 supports two different types of reports:

  • Vulnerability report: Containing vulnerability, package and image data

    E.g. vulnerabilities in my runtime with Severity ≥ High, a fix available, and not included in a vulnerability exception list.

  • Policy report: Containing scanning policies and evaluated images data

    E.g. images in my internal registry failing the “NIST” scanning policy.

You need to enable this feature from the Sysdig Labs setting on the User Profile page.

See Scheduled Reports for more detail.

UI-Based Admission Controller Released

Kubernetes' admission controllers help you define and customize which requests are allowed on your cluster. An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized.

Sysdig’s Admission Controller (UI-based) builds upon Kubernetes and enhances the capacity of the image scanner to check images for Common Vulnerabilities and Exposures (CVEs), misconfigurations, outdated images, etc., elevating the scan policies from detection to actual prevention. Container images that do not fulfill the configured admission policies will be rejected from the cluster before being assigned to a node and allowed to run.

See also: Admission Controller.

Main Features
  • Granular admission policies: Defining a global policy per cluster, but also at the level of particular namespaces or image paths (i.e. registries)

  • Only allow images that pass the scanning evaluation criteria

  • Only allow images that have been evaluated recently

  • Only allow images that have been scanned before creation is requested to Kubernetes

  • Registry and repository whitelist

  • Scan unscanned requested images immediately (optional)

CIS AWS Cloud Benchmark Released

A new cloud compliance standard has been added to the Sysdig compliance feature: CIS AWS Benchmark. This assessment is based on an open-source engine, Cloud Custodian, and is an initial release of the Sysdig Cloud Security Posture Management (CSPM) engine. This first Sysdig cloud compliance standard will be followed by additional security compliance and regulatory standards for GCP, IBM Cloud and Azure.

The CIS AWS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results and remediation activities you need to fix misconfigurations in your cloud environment. We’ve also included several UI improvements to provide additional details such as: control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based when available.

See also: AWS Foundations Benchmarks.

New Runtime Policy Events JSON Format

The JSON format for the runtime policy events has been upgraded to include full scope information, rule labels, and a single-line representation for the event field’s keys and values.

To preserve backwards compatibility with existing integrations, the former JSON format is still available (and used by default on migration).

From the Event Forwarder page, under “Data to Send,” the old JSON format is labeled “Policy Events (Legacy)” and the new one as “Runtime Policy Events.”

See also: Event Forwarding.

Scan Results List Updated

The UI for the list of scanned images has been updated to include several functionality and design improvements:

  • Status column (Passed or Failed) is now filterable

  • Image Origin (Inline Scanner, Node image analyzer, etc.) is now visible, filterable, and has multi-select option

  • Image registry is now visible on the table

  • Ability to sort by date-added (default) or image name

  • Flexible free-text search: filter by registry/repo:tag, repo:tag, repo, etc.

See also: Review Scan Results.

Improved UI for New Users

We have added introductory splash screens throughout the product to help you get started when using a feature for the first time.

UI Improvement on Rules Library and Rule Details

Usability improvement so you can see in which policies a rule is used, from both the Rules Library list and the Rule Detail view. See Manage Rules for details.

Deprecation Notice: Legacy Commands Audit & Legacy Policy events

  • The “Commands Audit” feature was deprecated in favor of Activity Audit in November 2019. This feature will be completely removed from the On-prem distribution in version 4.1.

    Sysdig agent version 9.5.0+, released in January 2020, is required by the Activity Audit feature.

  • The “Policy Events” feature was deprecated in favor of the new Events feed in June 2020. This feature will be completely removed from the On-prem distribution in version 4.1.

    Sysdig agent version 10.3.0+ is recommended.

Windows Scanning Released

A beta version of the Windows Scanning Inspector has been released. This is a new feature from Sysdig for scanning Windows containers.

This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.

See also: Windows Container Image Scanning [BETA].

Features
  • Identify Windows container image vulnerabilities from:

    • Windows OS CVEs

  • Windows or Linux hosts

  • Reports in JSON and PDF

  • Policy support

    • Severity

    • Fix available

    • Days since fixed

Malware Detection during Inline Image Analysis

As part of the inline scanner version 2.3.1 release, malware scanning was added as a configurable detection that can be performed during inline analysis.

The default behavior if this feature is enabled and malware is found is to consider the scanning failed, report malware details, and abort analysis.

See Perform Inline Malware Scanning for recommended parameters and output options.

Release 3.6.2 December 14, 2020

This release contains bug fixes and minor improvements.

Upgrade Process

Supported Upgrade From: 3.2.2, 3.5.1, (3.6.0 or 3.6.1 if it was installed)

For the full supportability matrix see the GitHub documentation.

Bug Fixes

  • Fixed email notifications error

    In some cases, including alerts with very large scopes and some others, email notifications were not sent due to a bug in the email renderer. This issue has been fixed.

  • Fixed Kubernetes metadata display delay

    In the 3.6.0 and 3.6.1 releases, upon connecting an agent, it would take 1 hour for Kubernetes metadata to appear. With this bug fixed, the metadata is displayed a couple of minutes after connecting the agent.

  • Fixed dashboard display error when switching teams

    When the user switched teams, the dashboard menu was not displayed and required the user to reload the application. This has been fixed.

  • Improvements to the security setup of our Intercom integrations

    We have improved the security of the Sysdig Intercom integration, as in some cases, the conversations could leak between different users.

  • Fix to Activity Audit Janitor

    Fixed an Activity Audit Janitor error that stopped the AA clean-up process when a particular set of Sysdig Secure features were not enabled.

Improvements

Increased Decimal Precision from 4 to 6

With this release, we increased the decimal precision of metric values from 4 to 6 decimal places. This is mostly useful for customers using Prometheus metrics: by convention, Prometheus exporters report durations in seconds, so small values (for example, latencies in the microsecond range) were previously rounded away at four decimal places.

New Runtime Policy Events JSON Format

The JSON format for the runtime policy events has been upgraded to include full scope information, rule labels, and a single-line representation for the event field’s keys and values.

To preserve backwards compatibility with existing integrations, the former JSON format is still available (and used by default on migration).

From the Event Forwarder page, under “Data to Send,” the old JSON format is labeled “Policy Events (Legacy)” and the new one as “Runtime Policy Events.”

See also: Event Forwarding.

Release 3.5.3 December 14, 2020 (Replicated Only)

This release is a bug fix only release.

Upgrade Process

Sysdig Platform v3.5.3 has been tested and qualified against the same components as v3.5.1.

Supported Upgrade from: 3.5.1, 3.2.x, 3.0

Bug Fixes

Sysdig Platform

  • Fixed email notifications error

    In some cases, including alerts with very large scopes, email notifications were not sent because of a bug in the email renderer. This has been fixed.

  • Improvements to the security setup of our Intercom integrations

    We have improved the security of the Sysdig Intercom integration, as in some cases, the conversations could leak between different users.

Sysdig Secure

  • Events Forwarder improvement

    Fixed a crash condition in the Events Forwarder service stemming from a microservices connectivity issue.

Release 3.6.1 November 23, 2020

Upgrade Process

Supportability Matrix

Sysdig Platform has been tested and qualified against the following.

* Note that as of this release, there are no upgrades for Replicated installations.

Supported Upgrade From: 3.2.2, 3.5.1, 3.6.0

Platform                     Version
Vanilla Kubernetes           1.13.4, 1.14.10, 1.15.12, 1.16.13, 1.17.9, 1.18.6
OpenShift                    3.11, 4.4
GKE                          1.14.10-gke.36
EKS                          v1.17.7-eks-bffbac
Rancher                      v2.3.3
IBM                          Unqualified
PKS                          Unqualified

Agent                        Version
sysdig/agent                 Qualified with agent release 10.5.2

Component                    Kubernetes with Statefulsets
Redis                        4.0.12
MySQL                        5.6.44, 8.0.16
MySQL HA                     8.0.16
ElasticSearch                6.8.6
Cassandra                    release_version: 2.1.21, cql_version: 3.2.1
RDS                          8.0.16
Postgres (image scanning)    12.4
Anchore (image scanning)     0.8.1
NATS Exporter                0.6.0.1
NATS Streaming               0.17.0
HA-Proxy                     0.6.2

Installation                 Additional Docs
Kubernetes                   README. Review the Upgrade and other files within the version-specific GitHub folder for additional information.
Replicated                   No Replicated release from 3.6.0 forward.

Sysdig Secure

The following improvements were introduced in release 3.6.1:

Node Image Analyzer: Scan “Repo-less” Images

Added support to scan images that lack a Repo tag, such as OpenShift 4.x distribution images.

Audit Tap Forwarding: Fixed Splunk Event Timestamp Metadata

The format of the “time” field included in the Splunk event metadata for forwarded Audit Tap events is now increased to millisecond granularity.

Fixed an issue that resulted in log4j-jboss-logmanager and log4j-1.2-api being incorrectly detected as log4j, possibly generating vulnerability false positives.

NOTE: Inline Scanner v2.1

Inline Scanner v2.1 has been released.

This component is independent of the Sysdig Platform version you are running; it can be used with Sysdig On-Prem version 3.6.1 and with earlier versions.

Inline Scanner 2.1 includes the following enhancements:

  • NEW

    Added ability to analyze scratch-based images

  • FIXES

    Fixed a bug retrieving the PDF output for previously scanned images

    Addressed several vulnerabilities found in the inline scanner container

See also: Integrate with CI/CD Tools.

Release 3.6.0 November 10, 2020

Upgrade Process

Supportability Matrix

Sysdig Platform has been tested and qualified against the following.

* Note that as of this release, there are no upgrades for Replicated installations.

Supported Upgrade From: 3.2.2, 3.5.1

Platform                     Version
Vanilla Kubernetes           1.13.4, 1.14.10, 1.15.12, 1.16.13, 1.17.9, 1.18.6
OpenShift                    3.11, 4.4
GKE                          1.14.10-gke.36
EKS                          v1.17.7-eks-bffbac
Rancher                      v2.3.3
IBM                          Unqualified
PKS                          Unqualified

Agent                        Version
sysdig/agent                 Qualified with agent release 10.5.2

Component                    Kubernetes with Statefulsets
Redis                        4.0.12
MySQL                        5.6.44, 8.0.16
MySQL HA                     8.0.16
ElasticSearch                6.8.6
Cassandra                    release_version: 2.1.21, cql_version: 3.2.1
RDS                          8.0.16
Postgres (image scanning)    12.4
Anchore (image scanning)     0.8.1
NATS Exporter                0.6.0.1
NATS Streaming               0.17.0
HA-Proxy                     0.6.2

Installation                 Additional Docs
Kubernetes                   README. Upgrade notes, parameters, and more.
Replicated                   No Replicated release of 3.6.0.

Sysdig Platform

Interactive Session Expiration Installation-Wide

With this release, you can define an interactive-session expiration period, so that when a user is idle for the defined period the session terminates. This helps enterprises with strict security and compliance requirements satisfy controls such as those in NIST guidance or PCI DSS requirement 8.1.8 (re-authenticate after 15 minutes of inactivity).

Currently, this feature is available for on-premises only and is configured per installation.

See also: Configure Interactive Session Expiration.

Minor Enhancements and Fixes around Users and Teams

  • Team Search Available when Switching Teams

    You can now search for Teams on the Team Switcher. This feature is especially handy for Admins who are members of many teams.

    See also: Switching Teams in the UI.

  • User search now supports many more users

    With this release, we have enhanced the performance for listing and search for users on both Settings>Users and Settings>Teams pages. We now support tens of thousands of users comfortably.

  • LDAP: Search for users by both username and email address

    For enterprises using LDAP, this release enables search on both username and user email address in the Settings>Users and Settings>Teams pages. Users are listed by name but can be searched by email as well.

  • LDAP: Default team role respected

    This fix ensures that when LDAP users are created upon login, the default user role for the team is respected.

Inline Scanner 2.0

A new version of the Sysdig inline scanner script has been released.

Major improvements:

  • The inline analysis container doesn’t need to spawn any additional containers

    • This removes the requirement for the Docker client, docker-in-docker, etc.

    • This enables usage in environments where docker-in-docker is not feasible or hard to instrument (e.g., Tekton).

  • Additional analysis workflows and formats:

    • Added support to analyze a docker archive

      • A .tar.gz file containing the image, i.e. the output from a “docker save”

      • Example execution

    • Added support to analyze OCI images (both directory and archive layouts)

    • Added support to retrieve an image from the container storage (CRI-O and others)

Additional improvements:

  • Faster image ingestion

  • More verbose logs available for troubleshooting and diagnosis

  • Machine-readable JSON output via the --format JSON option

To upgrade an earlier Sysdig Inline Scanning version to 2.0, you need to take into account the new invocation parameters, which are not backward compatible.

Sysdig Inline scanner can be used stand-alone or as a step inside a CI/CD pipeline (Jenkins, Tekton, CircleCI, etc). In the upcoming weeks, we will update the different integrations to provide out-of-the-box support for the 2.0 version.

Sysdig Secure

Regulatory Compliance Control Validation & PCI Checks

A new feature has been added to Sysdig Secure for checking controls from various compliance standards. For the first release, we provide checks against specific controls in PCI 3.2. Future releases will include SOC2, NIST-800-53, and more. See also: Compliance in Sysdig documentation.

Compliance Validator and Reports

The validator checks many Sysdig Secure features, including: image scanning policies, Falco runtime policies and rules, scheduled benchmark testing, Admission Controller, Network Security Policies, Node Image Analyzer, and more. Over time we will add new compliance coverage.

Disclaimer: Sysdig cannot check all controls within a framework, such as those related to physical security.

This feature is a beta release. A Sysdig Secure admin must enable it from the Sysdig Labs interface under Settings.

PCI Control Details

The PCI Quick Reference describes the full range of controls required to pass a PCI 3.2 audit. In this release, Sysdig Secure will check the following subset:

Controls 1.1.2, 1.1.3, 1.1.6.b, 2.2, 2.2.1, 2.2.2, 2.2.a, 2.4, 2.6, 4.1, 6.1, 6.2, 6.4.2, 6.5.1, 6.5.6, 6.5.8, 7.1.2, 7.2.3, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.6, 10.2.7, 10.3, 10.5.5, 10.6.1, 11.4, 11.5.a, 11.5.b.

Replacing RHSA Advisories with CVE Advisories

For newly scanned images, RHSA advisory identifiers are replaced with the corresponding CVE identifiers.

Benchmarks support for Kubernetes Benchmark 1.6

  • Kubernetes Bench upgraded to version 1.6

  • Using the Kubernetes benchmark, we now provide customer-selected benchmark checks for GKE and EKS (rather than just the Kubernetes default).

Vulnerability Exceptions Handling Enhanced

The Vulnerability Exceptions feature in Sysdig Secure has been redesigned and enhanced.

It now offers:

  • Additional vulnerability and feed context

  • Precise mapping between images and their associated exceptions

  • A better exception management lifecycle

  • Multiple vulnerability lists, which can be flexibly assigned to different image sets (or just a particular image), using the scanning policy assignments

  • Additional information displayed to improve team awareness and security context

    • Vulnerability description

    • User-defined notes

    • Vulnerability feed info, with severities and links as provided per feed

  • Configurable expiration dates:

    • An exception is automatically disabled when the expiration date is met

    • Day resolution, all times relative to 0:00 UTC

  • Enhanced workflow integration with the “Scan results” page for an individual image, with the ability to quickly append a flagged vulnerability to a list.

Migration: The exception and evaluation behavior in the current environment will be maintained after the feature upgrade. In particular:

  • Pre-existing vulnerability exceptions will be migrated to the “Default exceptions list”

  • The “Default exceptions list” will be assigned to every pre-existing policy assignment

  • The expiration date of all pre-existing vulnerability exceptions will be set to “Never.”

See also: Manage Vulnerability Exceptions and Global Lists.

Event Forwarding: Kafka and Webhook Added

Two new integrations have been added to the Sysdig Secure Event Forwarder: Kafka topics and generic webhooks.

The Kafka topic integration includes support for:

  • Multiple Kafka brokers

  • Partitioner/Balancer algorithms: Murmur2, Round robin, Least bytes, Hash, CRC32

  • Compression algorithms: LZ4, Snappy, Gzip, Zstandard

The Webhook integration includes support for:

  • Authentication methods: Basic authentication, Bearer Token, and Signature Header

  • Custom headers defined by the user to accommodate any additional parameter required on the receiving end
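The receiving side of the webhook integration has to check whichever of the three authentication methods it was configured with. The following is an added example written for these notes, not part of Sysdig's Event Forwarder: a small Python receiver that validates Basic, Bearer, or Signature Header authentication before it parses the body. The header name X-Signature, the HMAC-SHA256-over-raw-body scheme, the credentials, and the event payload are all assumptions constructed for the example; consult the Event Forwarder documentation for the exact header and algorithm the forwarder actually sends.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical receiver-side configuration; every value here is constructed for this example.
RECEIVER_CONFIG = {
    "method": "signature",                 # one of "basic", "bearer", "signature"
    "basic_user": "sysdig-forwarder",
    "basic_password": "correct-horse-battery-staple",
    "bearer_token": "tok_4f9a0d2b7c1e8e5d",
    "signature_secret": b"shared-hmac-secret-for-this-receiver",
    "signature_header": "X-Signature",     # header name is an assumption, not Sysdig's
}

# Constructed payload standing in for a forwarded event; not the real forwarder schema.
SAMPLE_EVENT = json.dumps({
    "type": "runtime_policy_event",
    "name": "Terminal shell in container",
    "severity": "high",
    "scope": {"kubernetes.cluster.name": "my-k8s-cluster", "kubernetes.namespace.name": "shop"},
}).encode()


def sign_body(body, secret):
    """Sender side: HMAC-SHA256 over the raw request body, hex encoded (assumed scheme)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def basic_header(user, password):
    """Sender side: build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _constant_time_equal(a, b):
    # Never compare secrets with ==; timing differences leak how many bytes matched.
    return hmac.compare_digest(a.encode(), b.encode())


def _check_basic(auth, cfg):
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return _constant_time_equal(decoded, f"{cfg['basic_user']}:{cfg['basic_password']}")


def _check_bearer(auth, cfg):
    if not auth.startswith("Bearer "):
        return False
    return _constant_time_equal(auth[len("Bearer "):], cfg["bearer_token"])


def _check_signature(headers, body, cfg):
    provided = headers.get(cfg["signature_header"].lower(), "")
    return _constant_time_equal(provided, sign_body(body, cfg["signature_secret"]))


def authenticate(headers, body, cfg=RECEIVER_CONFIG):
    """Return True only if the request proves knowledge of the configured credential."""
    headers = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    auth = headers.get("authorization", "")
    if cfg["method"] == "basic":
        return _check_basic(auth, cfg)
    if cfg["method"] == "bearer":
        return _check_bearer(auth, cfg)
    if cfg["method"] == "signature":
        return _check_signature(headers, body, cfg)
    return False   # unknown method: fail closed


def handle_webhook(headers, body, cfg=RECEIVER_CONFIG):
    """Minimal handler returning (status, parsed_event); unauthenticated bodies are never parsed."""
    if not authenticate(headers, body, cfg):
        return 401, None
    return 200, json.loads(body)


if __name__ == "__main__":
    headers = {"Content-Type": "application/json",
               "X-Signature": sign_body(SAMPLE_EVENT, RECEIVER_CONFIG["signature_secret"])}
    print(handle_webhook(headers, SAMPLE_EVENT))          # accepted
    print(handle_webhook(headers, SAMPLE_EVENT + b" "))   # rejected: body no longer matches signature
```

Whichever method is configured, the secret comparison is constant time and the JSON body is only parsed after authentication succeeds. Only the signature method binds the credential to the body: a single altered byte of the payload invalidates the request, whereas a stolen Basic or Bearer header can be replayed with any body.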

Image Exclusion on Policy Events

Users often want to tune policy events. We’ve added a button on the event detail that adds an exclusion for a specific container.image.repo to the scope of the policy that triggered the event. Once that exclusion is applied, the policy will no longer fire for that container.image.repo.

Captures Filter on the Policies Page

Policies can now be filtered to display if a capture is associated with an active or inactive policy.

Quick Menu to Captures from Runtime Events

For runtime policy events that have an associated capture, we now offer a contextual menu for performing quick actions over the event capture, rather than a simple link to the Captures interface. You can:

  • View the capture directly in Sysdig Inspect

  • Directly download or delete the capture

Additionally, if the event is scoped to a particular container, Sysdig Inspect will automatically filter the displayed information to the scope of that Container ID.

Image Scan Results Page Redesigned to Improve Load Times & User Experience

The user interface is cleaned up, reorganized, and provides the following functional improvements:

  • Load times are significantly decreased because the last known evaluation for the image is automatically fetched

    • View the time of the latest evaluation directly in the scan summary’s “Evaluated at” field

    • Use the new Re-evaluate button to fetch current data if desired

  • View the image origin/reporting mechanism in the new “Added By” field.

    Possible values are: Sysdig Secure UI, Node Image Analyzer, API, Sysdig Inline Scanner, or Scanning alert.

  • Copy the Image Digest and Image ID to the clipboard using a quick pop-up panel.

Forwarding the Activity Audit Information

The Sysdig Secure Event Forwarder has added support to forward Activity Audit data to external platforms.

Sysdig Monitor

Time Navigation in Events Feed

You can now browse and find historic events easily by using time navigation.

Zooming Out Dashboards

You now have the ability to zoom out Dashboards. This feature doubles the selected timeframe for a better context surrounding a problem when troubleshooting an incident.

Release 3.5.1 August 24, 2020

NOTE: Version 3.5.1 includes a fix for vulnerabilities that were detected in version 3.5.0. It is recommended to skip version 3.5.0 and install version 3.5.1 instead. As of this release, all on-premises installs and upgrades include oversight services from Sysdig support.

Oversight Services Now Offered for All Installs and Upgrades

As part of our continued focus on our customers, we are now offering oversight services for all on-premise installs and upgrades. Your Technical Account Manager (TAM), in conjunction with our support organization and Professional Services [where applicable], will work with you to:

  • Assess your environment to ensure it is configured correctly

  • Review your infrastructure to validate the appropriate storage capacities are available

  • Review and provide recommendations for backing up your Sysdig data

  • Work with you to ensure our teams are ready to assist you during the install and upgrade process

  • Provide the software for the install

  • Be available during the process to ensure a successful deployment

You can always review the process in the documentation on GitHub (v. 3.6.0+) or the standard docs site (for older versions).

If you are a new customer looking to explore Sysdig, please head over here to sign up for a trial on our SaaS Platform. Alternatively, you can contact us here.

Upgrade Process

Sysdig Platform has been tested and qualified against the following:

Supported Upgrade From: 3.5.0, 3.2.x, 3.0

Platform                     Version
Vanilla Kubernetes           1.13.4, 1.14.10, 1.15.12, 1.16.13, 1.17.9, 1.18.6
OpenShift                    4.4 (Kubernetes v1.17.1+1aa1c48)
GKE                          1.14.10-gke.36
EKS                          v1.17.7-eks-bffbac
Rancher                      v2.3.3
IBM                          Unqualified
PKS                          Unqualified

Agent                        Version
sysdig/agent                 10.2.0

Component                    Replicated (TBD)    Kubernetes with Statefulsets
Redis                        n/a                 4.0.12
MySQL                        n/a                 5.6.44
MySQL HA*                    n/a                 8.0.16 (see note)
ElasticSearch                n/a                 5.6.16
Cassandra                    n/a                 release_version: 2.1.21, cql_version: 3.2.1
RDS                          n/a                 8.0.16
Postgres (image scanning)*   n/a                 12.3 (see note)
Anchore (image scanning)     n/a                 0.6.1
NATS Exporter                n/a                 0.6.0.1
NATS Streaming               n/a                 0.17.0.1
HA-Proxy                     n/a                 1.9.15

* MySQL 8: You can use MySQL 8 for non-HA setups using the flag useMySQL8: true

* Postgres: Upgrading to 3.5.0 also involves an automatic Postgres version upgrade from 10.6.x to 12.x. Depending on your database size, the upgrade could take some time. See Postgres Version Update v10.x to 12.x for details.

Installation                 Install                              Upgrade
Kubernetes                   Installer (Kubernetes | OpenShift)   Installer Upgrade (3.5.0-3.5.1)
Replicated                   Install with Replicated              Basic Upgrade (Replicated)

Sysdig Platform

Endpoint for Feeds Update Has Changed

We no longer point to ancho.re for feed updates but to https://api.sysdigcloud.com/api/scanning-feeds/v1/feeds. This may require a change to your firewall or proxy rules: a proxy exception that only covers ancho.re will no longer let feed updates through.

Sysdig Secure

Note that the Secure Overview is not available with Replicated installations.

New Sysdig Secure Overview Page

The Sysdig Secure Overview provides an at-a-glance view of the critical areas of your security posture.

Scoping

Panels can be scoped by Cluster or Namespace. The scope will update all panels that are displaying run-time data and the corresponding drill-down views.

Panels
  • Build Time - Images Scanned: Image scan results for all static image scans

    Drill-down - To Image Scanning Reports page.

  • Build Time - CVEs Found by Severity: The total number of CVEs present in each image scanned.

    Drill-down - Available in a future release

  • Run-time - Images Scanned: The pass/fail status of images running now and their trend over time.

    Drill-down - To Runtime Scanning Image page.

  • Run-time - CVEs by Severity: The total number of CVEs present in each running image

    Drill-down - Available in a future release

  • Run-time - Policy Events by Severity: The total number of policy events by severity.

    Drill-down - Secure Events page.

  • Benchmarks Tests Failing: The total number of benchmark tests that have failed.

    Drill-down - Benchmarks Results page.

See also: Secure Overview .

New Get Started Page

The Get Started page provides the key steps to ensure users are getting the most value out of Sysdig Secure. We’ll update this page with new steps as we add new features to Sysdig Secure. 

The Get Started page also serves as a linking page for:

  • Documentation

  • Release Notes

  • The Sysdig Blog

  • Self-Paced Training

  • Support

Users can access the page at any time by clicking the rocketship in the side menu.

See also: Getting Started with Sysdig Secure.

Feeds Status Page Added

It’s useful to understand the last time the feeds were updated, especially in self-hosted environments. The Feeds Status page shows the different vulnerability feeds we integrate with, their feed group (often the distro version), the time of the last sync, and how many CVE records are present in the feed group.

See also: Feeds Status.

Secure Events Feed Overhaul

The Events feed in Sysdig Secure (formerly called Policy Events) has been redesigned, both visually and functionally.

Apart from the styling and user experience improvements, these are the major new features and use cases:

Advanced Filtering

We are deprecating the grouping/clustering of events present in the old version in favor of a much more powerful set of filtering capabilities:

  • Severity filters: Presented as quick buttons at the top, supporting multi-select

  • Attribute filters: Provide a simplified syntax to filter events by the attributes they contain. For example ruleType="Falco - Syscall" or image.repo!="sysdig/agent"

    • Open the event details side panel to find quick filtering widgets to include or exclude the attribute values associated with the displayed event

  • Event type selector: Supports runtime scanning alerts on top of policy runtime events (see section below), with an easy multi-selector in the UI.

  • Free text search: Allows you to search the event titles and scope label values, for example Terminal shell in or my-k8s-cluster.

  • New scope selector: Allows for additional selector logic (in, not in, contains, startswith, etc), improving the scoping flexibility over earlier versions. This scope selector also provides scope variables, allowing you to quickly switch between, for example, Kubernetes namespaces without having to edit the panel scope.

All these filters can be combined additively to further refine your search.
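The filter semantics above (quoted attribute values, `=` and `!=`, free text over titles and scope labels, all combined additively) can be reproduced for offline triage of exported events. The following is an added example written for these notes, not Sysdig's implementation: a Python evaluator for that syntax run over a handful of constructed events whose attribute names follow the examples in the text; the event records, severity labels, and the rule that a missing attribute satisfies `!=` are assumptions of the example.

```python
import re

# Constructed sample events, not real Sysdig output. Attributes are flat; scope labels are
# kept in a nested dict because free-text search covers them as well as the title.
EVENTS = [
    {"title": "Terminal shell in container", "severity": "high", "ruleType": "Falco - Syscall",
     "image.repo": "shop/api",
     "scope": {"kubernetes.cluster.name": "my-k8s-cluster", "kubernetes.namespace.name": "shop"}},
    {"title": "Write below etc", "severity": "medium", "ruleType": "Falco - Syscall",
     "image.repo": "sysdig/agent",
     "scope": {"kubernetes.cluster.name": "my-k8s-cluster", "kubernetes.namespace.name": "sysdig-agent"}},
    {"title": "Unexpected K8s NodePort Connection", "severity": "low", "ruleType": "Falco - K8s Audit",
     "image.repo": None,
     "scope": {"kubernetes.cluster.name": "staging-cluster"}},
    {"title": "Scan failed: shop/worker:2.0", "severity": "high", "ruleType": "Scanning alert",
     "image.repo": "shop/worker",
     "scope": {"kubernetes.cluster.name": "my-k8s-cluster", "kubernetes.namespace.name": "shop"}},
]

# Attribute filter grammar as shown in the release notes:  key="value"  or  key!="value".
# Values are always quoted, so spaces and hyphens ("Falco - Syscall") are unambiguous.
_ATTR_RE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*(!=|=)\s*"([^"]*)"\s*$')


def parse_attribute_filter(expr):
    """Compile one attribute filter into a predicate over an event dict."""
    match = _ATTR_RE.match(expr)
    if not match:
        raise ValueError(f"invalid attribute filter: {expr!r}")
    key, op, value = match.groups()

    def lookup(ev):
        # Scope labels can be addressed by key too (assumption of this example).
        return ev.get(key, ev["scope"].get(key))

    if op == "=":
        return lambda ev: lookup(ev) == value
    return lambda ev: lookup(ev) != value      # a missing attribute counts as "not equal"


def _text_matches(ev, needle):
    haystack = [ev["title"], *ev["scope"].values()]
    return any(needle.lower() in field.lower() for field in haystack)


def search(events, severities=None, attribute_filters=(), text=None):
    """Apply severity, attribute and free-text filters additively (logical AND)."""
    predicates = [parse_attribute_filter(f) for f in attribute_filters]
    matches = []
    for ev in events:
        if severities is not None and ev["severity"] not in severities:
            continue
        if not all(pred(ev) for pred in predicates):
            continue
        if text and not _text_matches(ev, text):
            continue
        matches.append(ev)
    return matches


def titles(events):
    return [ev["title"] for ev in events]


if __name__ == "__main__":
    hits = search(EVENTS, attribute_filters=['ruleType="Falco - Syscall"', 'image.repo!="sysdig/agent"'])
    print(titles(hits))
    print(titles(search(EVENTS, severities={"high"}, text="my-k8s-cluster")))
```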

Multiple Event Types

The new event feed displays not only the policy runtime events, but also runtime image scanning alerts.

The backend architecture, filtering, and UX have been designed to accommodate additional types of security events that will be pushed to the Event Feed in the future, upgrading the interface from a policy-runtime-centric experience to a full security center control panel.

Additional Event Details

Policy runtime events: These now display the rule that was fired together with the rule labels. You can use the quick filters mentioned above to further refine the search.

Richer scope: Every security event now displays all the scope labels retrieved for the event, not just those configured in the scope selector.

See also: Secure Events.

Additional Considerations/Limitations

Events in the old and new format will be stored separately:

  • No event or event data will be lost during the transition

  • Events that were registered before the new feed is deployed can be browsed using the old feed interface, which is available from the burger menu in the top-right corner

  • Events that happen after the new feed is deployed will appear in the new event feed

  • Eventually, all events within the retention period will be present in the new interface, at which point the version switcher will disappear

Team, Role, and Channel Updates

A variety of enhancements have been added to the team, role, and notification channel options.

Service Manager Role Added to Sysdig Secure

RBAC capability was previously added to Sysdig Secure. (See also January 27, 2020 and User and Team Administration.)

Now a new role, Service Manager, is also available in Secure. It has the same permissions as the Standard User, plus the ability to invite existing users to the team and manage the notification channels assigned to the team. See Team-Based Roles and Privileges.

Configurable Default Team Role

You can now define the default user role to apply when a new member is added to the team. The Admin can change this default on a per-team basis. See also: Create a Team.

RBAC and Team Assignment for Notification Channels

Previously, notification channels in Sysdig Secure and Monitor were treated as global entities, visible and editable for most users of the platform regardless of team configurations.

We are enhancing the management and RBAC controls in the following ways:

  • Notification channels can now be “global” or limited to a particular team

  • Global channels can be managed by admins and can be viewed/used by other roles, while team-limited channels are available only to team members

  • Team Manager, Advanced User, and Service Manager (Secure) roles can create, update, and delete team-scoped notification channels; they can also read and use the global ones

  • Standard and View Only roles can read team-limited and global notification channels

  • Admins will be able to create global notification channels and migrate channels from “global” to “team-limited”, and also from one team to another.

See also: Set Up Notification Channels and the Share With field in each individual channel setting page.

Optimized Runtime Page

We’ve released a new Runtime page for the Image Scanning module within Sysdig Secure. Improvements include:

  • Filtering based on pass/fail/unscanned

  • The ability to search results for a specific image

  • Optimized queries to improve response times

For more information, see Review Scan Results.

The ordering of the side menu has been changed.

Image Scanning Updates

The image scanning navigation bar has changed.

  • The side menu is reorganized into Analyze and Configure sections

    • Analyze: Different areas of scanning that allow users to view scan results

    • Configure: The areas of scanning that involve the setup of the application

  • Whitelist terminology with CVEs has been removed.

    “CVE whitelist” is now CVE Exceptions.

CLI-Based Admission Controller for Image Scanning

An additional tool for evaluating and admitting images is now available.

Sysdig Admission Controller

Sysdig’s Admission Controller (UI-based) combines the Sysdig Secure image scanner with a policy language to evaluate scan results and the admission context, providing great flexibility in the admission decision. It also provides the first line of defense against image-based security threats.

By using Kubernetes API extensions to perform image scanning and other security checks on admission, we cover a major threat-prevention and hardening use case: “Only the images that are explicitly approved will be allowed to run on my cluster”.

The admission decision relies not only on the image name and tag but also on additional context from the admission review, including namespace, pod metadata, etc.

Features

  • Registry and repository whitelist / blacklist

  • Global and per-namespace admission configuration

  • Configurable pre-scan and post-scan behavior, i.e.:

    • Accept only the images that pass the scan (default)

    • Directly reject non-whitelisted registries / repos, without scanning

    • Accept the image even if it doesn’t pass the scan

    • Do not accept any image that hasn’t been scanned already

  • Pod mutation: image tag is replaced by digest to prevent TOCTOU (Time of Check, Time of Use) issue if the tag is updated between the scan and the pod scheduling

Requirements

  • Helm 3

  • Kubernetes 1.15 or higher

For more information, see Admission Controller .
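The decision flow listed above can be exercised offline. The following is an added example written for these notes, not the code of Sysdig's Admission Controller: a Python function that takes a Pod AdmissionReview, applies the registry allow-list, the "not scanned" rule, and the pass/fail result in that order, and, for every accepted container, returns a JSON Patch that replaces the tag with the digest that was actually evaluated, which is the TOCTOU mitigation described in the feature list. The registry allow-list, image names, digests, and scan outcomes are constructed for the example; a real webhook would fetch the evaluations from Sysdig Secure.

```python
import base64
import json

# Constructed stand-in for the scan results the controller would fetch from
# Sysdig Secure: image reference -> (manifest digest, policy evaluation).
# Digests and outcomes are made up for this example.
SCAN_RESULTS = {
    "registry.example.com/shop/api:1.4.2": (
        "sha256:3b1c6f0e2a9d4c5b8e7f6a5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b", "pass"),
    "registry.example.com/shop/worker:2.0": (
        "sha256:9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e", "fail"),
}

# Registry allow-list (assumed configuration); anything else is rejected without scanning.
ALLOWED_REGISTRIES = ("registry.example.com/",)


def make_review(images, uid="705ab4f5-6393-11e8-b7cc-42010a800002", namespace="shop"):
    """Build a minimal AdmissionReview request for a Pod CREATE using the given images."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "namespace": namespace,
            "operation": "CREATE",
            "object": {
                "apiVersion": "v1",
                "kind": "Pod",
                "spec": {"containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]},
            },
        },
    }


def _repo_name(image):
    """Strip the tag or digest from an image reference, keeping any registry host:port."""
    if "@" in image:
        return image.split("@", 1)[0]
    name, sep, tail = image.rpartition(":")
    if sep and "/" not in tail:      # the last ':' introduces a tag, not a port
        return name
    return image


def _deny(uid, reason):
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": uid, "allowed": False,
                         "status": {"code": 403, "message": reason}}}


def _allow(uid, patches):
    response = {"uid": uid, "allowed": True}
    if patches:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patches).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def decode_patch(review_response):
    """Return the JSON Patch carried by an allow response ([] when nothing was mutated)."""
    patch = review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


def admission_response(review, scan_results=SCAN_RESULTS, accept_unscanned=False):
    """Decide on a Pod CREATE request and pin every accepted image to its scanned digest.

    Order of checks, mirroring the configurable pre-/post-scan behaviour:
      1. registry not allow-listed      -> reject without scanning
      2. no scan result for the image   -> reject (unless accept_unscanned)
      3. scan evaluation is not "pass"  -> reject
      4. otherwise replace the tag with the digest that was evaluated, so a tag moved
         between scan and scheduling cannot smuggle in a different image (TOCTOU).
    """
    request = review["request"]
    uid = request["uid"]
    containers = request["object"]["spec"].get("containers", [])
    patches = []
    for i, container in enumerate(containers):
        image = container["image"]
        if not image.startswith(ALLOWED_REGISTRIES):
            return _deny(uid, f"{image}: registry is not allow-listed, rejected without scanning")
        result = scan_results.get(image)
        if result is None:
            if accept_unscanned:
                continue
            return _deny(uid, f"{image}: no scan result available")
        digest, status = result
        if status != "pass":
            return _deny(uid, f"{image}: scan policy evaluation is '{status}'")
        pinned = f"{_repo_name(image)}@{digest}"
        if pinned != image:
            patches.append({"op": "replace", "path": f"/spec/containers/{i}/image", "value": pinned})
    return _allow(uid, patches)


if __name__ == "__main__":
    for images in (["registry.example.com/shop/api:1.4.2"],
                   ["registry.example.com/shop/worker:2.0"],
                   ["docker.io/library/nginx:latest"]):
        resp = admission_response(make_review(images))["response"]
        print(images, "allowed" if resp["allowed"] else f"denied: {resp['status']['message']}")
```

Because the patch is applied by the API server before the Pod is persisted, the kubelet pulls exactly the bytes that were scanned; re-tagging `shop/api:1.4.2` in the registry after admission has no effect on the running workload.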

Added Automatic Image Scanning using Node Analyzer

The (node) image analyzer (NIA) provides the capability to scan images as soon as they start running on hosts where the analyzer is installed. It is typically installed alongside the Sysdig agent container.

This component was introduced to reduce dependencies on analyzing images within the Sysdig backend (SaaS or On-prem). Some advantages include:

  • Sharing credentials with the Sysdig backend in order to pull images is not required

  • Sharing the image content and potentially code with the Sysdig backend is not required; only metadata will be sent out

  • Opening a network route to allow the Sysdig backend to reach the user’s registries is not required

If you have run the single-line agent install with the --image-analyzer flag, this component is already running in your infrastructure.

The feature is available for Kubernetes environments.

For more information, see Scan Running Images.

Added Image Scanning Integration Options

Two new scanning integrations are available for CI/CD pipelines. Sysdig provides:

  • A reference implementation with Tekton Pipelines (prototype)

  • A fully supported integration with Amazon Elastic Container Registry (ECR) for triggering auto-scans from the registry

Integrating Secure Image Scanning with Tekton Pipelines

Tekton Pipelines allow you to implement CI/CD workflows using a highly modular, cloud-native approach that:

  • Uses containers as the building blocks for individual tasks

  • Runs directly on Kubernetes/OpenShift without requiring a dedicated infrastructure

  • Uses tasks that are purely declarative and described using their own CRD, making them easily composable and reusable

Sysdig’s reference implementation details the prototype task that invokes Sysdig Secure image scanning as a pluggable step in your CI/CD pipeline with just a YAML file.

Leveraging Tekton integration with the orchestration layer, you can retrieve the image scanning policy evaluation and state (pass/fail) directly from the logs of the task pod.

Read the “Securing Tekton pipelines in OpenShift with Sysdig” blog post for additional details.

Integrating Secure Image Scanning with Amazon ECR

Automatically scan images pushed to your Amazon Elastic Container Registry (ECR) using AWS-native technologies and Sysdig Secure.

Sysdig image scanner integration is deployed as a CloudFormation template that listens to ECR registry events and uses AWS resources to streamline the image scanning process.

  • ECR itself will trigger the scan, no need for your CI/CD pipelines to actively pull from the registry

  • Deployed in a few clicks, you just provide basic configuration parameters such as the Sysdig API token or the Sysdig backend URL

  • No need to configure registry scanning credentials on the Sysdig Secure side

This integration offers two different operation modes

Inline scanning:

  • Scanning will be performed inside an AWS CodeBuild pipeline allocating ephemeral resources

  • No need to configure any registry credentials for Sysdig Secure

  • No need to expose your ECR registry to the Sysdig Secure backend

  • Sysdig Secure will not retrieve the image contents, only the metadata that is required to perform the policy evaluation

Backend scanning:

  • Sysdig Secure will retrieve the full image contents in order to perform the scan

  • Your ECR registry must be reachable by the Sysdig Secure backend

  • Registry credentials are required, but they are pushed automatically by a lambda function, no need for manual configuration

Updated Inline Scan Script

  • Added header values for import API for better supportability.

  • Upgraded to Anchore engine v0.6.1.

  • Use docker:dind instead of ubuntu for the base image. This reduces the image size and speeds up downloading.

The latest version of the inline script will always be available at https://download.sysdig.com/stable/inline_scan.sh

Link to repo for script source code: https://github.com/sysdiglabs/secure-inline-scan

Inline Scanning Reporting Improvements and Documentation

This script from SysdigLabs performs image analysis on locally built container images and posts the results to Sysdig Secure. Its only dependencies are access to the Docker engine, a Sysdig Secure endpoint (with its API token), and network connectivity to post the image analysis results.

Here are examples of using the inline scanner in different pipelines:

PDF Reports from the Inline Scanner

A new option:

-R  [optional] Download scan result pdf report

generates a PDF artifact that developers can consume in the pipeline.

Updates to Default Rules and Policies

The following changes have been made to default Policies in Sysdig Secure, and to default Falco rules:

  • New rule tags added that map Falco rules to PCI and NIST controls

  • New default policies added specifically for PCI/NIST compliance

  • Tuning modifications for:

    • Write below etc

    • Write below root

    • Change thread namespace

    • Run shell untrusted

    • Detect outbound connections to common miner pool ports

For more information, see also Falco Rules Changelog.

New Vulnerability Feed Available: VulnDB

We’ve added VulnDB as an additional 3rd-party vulnerability source to improve Sysdig’s coverage in non-OS package vulnerabilities.

In addition, a new page is available for each VulnDB-linked advisory. It lists the CVEs and details about the Common Vulnerability Scoring System (CVSS) scores and external references.

See also: Vulnerability Databases Used.

Linux CIS Benchmark Test Added

Sysdig Agents can run the CIS Distribution Independent Linux benchmark against the underlying host where the agent is installed. The Linux benchmark can be scheduled to run at a chosen interval in your environment, and it emits results and metrics about the status of the tests.

Openshift Hardening Guide

The Openshift hardening guide implements configuration checks run by the agent against Openshift environments.

See https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/container_security_guide/index

Note: This is supported for 3.x versions of Openshift. When Openshift releases a hardening guide for 4.x versions, we will update the configuration checks.

Captures can be Routed to Specific Storage Locations

You may have different S3 buckets where you’d like to store Sysdig captures, depending on the environment in which the policy event was triggered. New options let you choose which storage location to use for each policy event.

Sysdig Monitor

New Dashboards is GA

Sysdig Monitor offers a new version of dashboards. Its improved editing experience provides you with more flexibility and the new set of functionalities offers additional ways to visualize and consume your Sysdig data.

Features and Enhancements

Improved User Experience

The New Dashboard offers a more fluid, natural dashboard building experience. For more information, see About the Dashboard UI.

Dashboard Sharing

You can now share your dashboard with members within your Sysdig team or share it across teams with fine-grained access controls. Define who should be able to see the dashboards and what level of access they should be granted: view only or collaborator with edit privileges. For more information, see Sharing New Dashboards.

Time Series Name Templating

Customize the time series names on the legend on the panel editor by using the labels associated with Prometheus metrics and segments to gain context faster. For more information, see Create a New Panel.

Multi-Metric, Multi-Segmentation Options

Configure multiple queries within a single panel, and configure each query with multiple segmentation and scoping options. Individual queries can be customized to render as a line or stacked area. For more information, see Create a New Panel.

Event Overlay

Contextualize metrics and understand the “why” faster with a unified view of both metrics and events. Configure event overlay to display events from Kubernetes environments as well as alert events, and any other events ingested using Sysdig’s open REST API. For more information, see Display Dashboard Specific Events.

Dashboard Templates

You can quickly view your infrastructure through the lens of one of Sysdig’s curated dashboards, or use it as a base to start building your own. You can find dashboard templates for managing Kubernetes capacity and health, hosts and server performance, applications and services telemetry, and the security posture of your infrastructure with data fed from Sysdig Secure. See Dashboard Templates to learn more.

Mapping Values to Text

Instantly understand what’s going on by mapping number panel values to text. If you have a metric that returns 1 for up, and 0 for down, map those values to “UP” and “DOWN” respectively. By defining thresholds and mapping to text, you don’t need to be concerned about the values. This is critically valuable when dashboards are shared between team members. For more information, see Text.

Granular Axes and Legend Controls

You have more flexibility when customizing the axes, as well as better support for time series with long names. You can now configure the legend by toggling its visibility and moving it to the bottom of the panel. See About the Dashboard UI.

Major Changes

Significant changes have been introduced to enhance the usability of the existing functionalities. Review the changes before you explore the functionalities.

Topology Maps

Topology maps are no longer available in Dashboard. Access Topology maps through Explore, as you explore your microservices and Kubernetes applications.

Dashboard Wizard

My Dashboards are no longer accessible in Explore. Additionally, Dashboard Wizard has been removed. Instead, the concept of Templates has been introduced in Dashboards to help you get started with a library of templates addressing key use cases.

Histogram and Summary Metric Type

Histogram and summary metrics are no longer supported in the Histogram panel type. You can continue to use them within Explore.

APIs and Integrations

API endpoints for the legacy dashboards (v2) will soon be deprecated. If you are directly integrating into the API, please contact Sysdig for guidance. Additionally, our Python SDK and CLI have been updated to support the new dashboards APIs.

Sysdig Monitor Rebranding

The Monitor app has been refreshed with new logos and icons. The navigation pane has been re-organized. The Explore tab is moved below Dashboards.

The New Get Started Page

The Get Started page provides the key steps to ensure that you are getting the most value out of Sysdig Monitor. We’ll update this page with new steps as we add new features to Sysdig Monitor.

The Get Started page also serves as a linking page for:

  • Documentation

  • Release Notes

  • The Sysdig Blog

  • Self-Paced Training

  • Support

You can access the page at any time by clicking the rocketship icon in the left navigation bar. See Getting Started with Sysdig Monitor.

RBAC and Team Assignment for Notification Channels

Previously, notification channels in Sysdig Secure and Monitor were treated as global entities, visible and editable for most users of the platform regardless of team configurations.

We are enhancing the management and RBAC controls in the following ways:

  • Notification channels can now be “global” or limited to a particular team

  • Global channels can be managed by admins and can be viewed/used by other roles, while team-limited channels are available only to team members

  • Team Manager, Advanced User, and Service Manager (Secure) roles can create/update/delete team-scoped notification channels; they can also read and use the global ones

  • Standard and View Only roles can read team-limited and global notification channels

  • Admins will be able to create global notification channels and migrate channels from “global” to “team-limited”, and also from one team to another.

See also: Set Up Notification Channels and the Share With field in each individual channel setting page.

AWS Role Delegation

Sysdig Monitor can now use the Amazon Web Services (AWS) AssumeRole functionality to discover cloud assets, fetch CloudWatch metrics from your AWS account, and use a custom S3 bucket for storing captures. By integrating with an AWS role, you can delegate access to AWS resources that are not associated with your Sysdig AWS account.

Role delegation is an alternative to the existing integration method based on access keys. It is considered the more secure option, since Amazon recommends against sharing developer access keys with third parties.

For more information, see Integrate with AWS Role Delegation.

Configurable Default Team Role

You can now define the default user role to apply when a new member is added to the team. The Admin can change this default on a per-team basis. See also: Create a Team.

Default Dashboards for Istio 1.5

Default dashboards (Overview and Services dashboards) are now available for Istio v1.5 in addition to the existing ones for Istio v1.0.

Release 3.2.2, June 11, 2020

This is a hotfix release for Benchmarks. See Defect Fixes for details.

Upgrade Process

Sysdig Platform has been tested and qualified against the following:

Supported Upgrade From: 2.5.0, 3.0

Platform                    Version
Vanilla Kubernetes          1.13.4, 1.15.3 and 1.16.0
OpenShift                   3.11, 4.2 and 4.3
GKE                         v1.14.6-gke.13
EKS                         EKS .7, Kubernetes 1.14
Rancher                     v2.3.3
IBM                         Unqualified
PKS                         Unqualified

Agent                       Version
sysdig/agent                10.1.1

Components                  Replicated     Kubernetes with Statefulsets
Redis                       4.0.12.7       4.0.12.7
MySQL                       5.6.44.0       8.0.16.2
ElasticSearch               5.6.16.15      5.6.16.15
Cassandra                   2.1.21.16      2.1.21.16
RDS                         n/a            8.0.16
Postgres (image scanning)   n/a            10.6.11
Anchore (image scanning)    n/a            0.5.1.2
NATS Exporter               n/a            0.6.0.1
NATS Streaming              n/a            0.16.2.1

Installation:

  • Replicated: Install with Replicated

  • Kubernetes, installer-based: Installer (Kubernetes | OpenShift) 2.5.0-3.2.2

  • Kubernetes, manual: Manual Install 3.0.0+ (Kubernetes)

Upgrade:

  • Replicated: Basic Upgrade (Replicated)

  • Kubernetes, installer-based: Installer Upgrade (2.5.0+)

  • Kubernetes, manual: Manual Upgrade (3.0.0+)

Sysdig Secure

Defect Fixes

Problem: On a cluster running Kubernetes v1.12 or later versions with Sysdig agent v9.7.0 or later versions, the CIS Kubernetes benchmark result could not be interpreted, resulting in an infinite spinner displayed in the UI.

Resolution: Sysdig agents v9.7.0 or later versions can now be used with Kubernetes v1.12 or later versions. The CIS Kubernetes versions included are 1.3, 1.4, and 1.5.

Sysdig Monitor

This release contains no new features or defect fixes.

Sysdig Platform

This release contains no new features or defect fixes.

Release 3.2.1-Onprem (Replicated Only), March 23, 2020

This is a hotfix release that enforces a minimum Replicated Console version to include a necessary security patch. This release contains no new Sysdig functionality and is not a required upgrade.

Use of release 3.2.1-onprem requires first upgrading your Replicated Console to version 2.42.4 or newer.

Release 3.2.0, March 04, 2020

Upgrade Process

Sysdig Platform has been tested and qualified against the following:

Supported Upgrade From: 2.5.0, 3.0

Platform                    Version
Vanilla Kubernetes          1.13.4, 1.15.3 and 1.16.0
OpenShift                   3.11, 4.2 and 4.3
GKE                         v1.14.6-gke.13
EKS                         EKS .7, Kubernetes 1.14
Rancher                     v2.3.3
IBM                         Unqualified
PKS                         Unqualified

Agent                       Version
sysdig/agent                9.6.1

Components                  Replicated     Kubernetes with Statefulsets
Redis                       4.0.12.7       4.0.12.7
MySQL                       5.6.44.0       8.0.16.2
ElasticSearch               5.6.16.15      5.6.16.15
Cassandra                   2.1.21.16      2.1.21.16
RDS                         n/a            8.0.16
Postgres (image scanning)   n/a            10.6.11
Anchore (image scanning)    n/a            0.5.1.2
NATS Exporter               n/a            0.6.0.1
NATS Streaming              n/a            0.16.2.1

Installation:

  • Replicated: Install with Replicated

  • Kubernetes, installer-based: Installer (Kubernetes | OpenShift) 2.5.0-3.2.2

  • Kubernetes, manual: Manual Install 3.0.0+ (Kubernetes)

Upgrade:

  • Replicated: Basic Upgrade (Replicated)

  • Kubernetes, installer-based: Installer Upgrade (2.5.0+)

  • Kubernetes, manual: Manual Upgrade (3.0.0+)

Sysdig Secure

Data Retention Limits for Scan Results

Use this feature to set limits on how long image scan metadata is stored, either by tags or days. This removes stale data and helps keep scan results easy to read.

See Data Retention for details.
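The two limits described above (a maximum number of tags per repository, a maximum age in days) are easiest to reason about when you see how they combine on concrete data. The following is an added Python example, not Sysdig's own code: the record format, repository names and dates are constructed, and a record is dropped when it violates either limit.

```python
"""Scan-metadata retention by tag count and by age (constructed example).

Not Sysdig's code: it shows how the two limits described above interact when
applied to a list of stored scan results."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ScanRecord:
    repo: str
    tag: str
    scanned_at: datetime  # timezone-aware


def apply_retention(
    records: List[ScanRecord],
    max_tags_per_repo: Optional[int] = None,
    max_age_days: Optional[int] = None,
    now: Optional[datetime] = None,
) -> Tuple[List[ScanRecord], List[ScanRecord]]:
    """Split records into (kept, removed).

    A record is removed if it is older than max_age_days, or if it is not among
    the max_tags_per_repo most recently scanned tags of its repository. Either
    limit may be None, meaning "no limit of that kind".
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days) if max_age_days is not None else None

    # Group by repository, newest scan first, so the tag limit applies per repo.
    by_repo = {}
    for rec in records:
        by_repo.setdefault(rec.repo, []).append(rec)
    for recs in by_repo.values():
        recs.sort(key=lambda r: r.scanned_at, reverse=True)

    kept, removed = [], []
    for recs in by_repo.values():
        for rank, rec in enumerate(recs):
            too_old = cutoff is not None and rec.scanned_at < cutoff
            over_tag_limit = max_tags_per_repo is not None and rank >= max_tags_per_repo
            (removed if too_old or over_tag_limit else kept).append(rec)
    return kept, removed


# Constructed sample: two repositories with scans spread over two months.
NOW = datetime(2020, 3, 4, tzinfo=timezone.utc)
SAMPLE = [
    ScanRecord("registry.example/api", "v1.0", NOW - timedelta(days=60)),
    ScanRecord("registry.example/api", "v1.1", NOW - timedelta(days=30)),
    ScanRecord("registry.example/api", "v1.2", NOW - timedelta(days=7)),
    ScanRecord("registry.example/api", "v1.3", NOW - timedelta(days=1)),
    ScanRecord("registry.example/worker", "latest", NOW - timedelta(days=45)),
]


def tags(records: List[ScanRecord]) -> List[str]:
    """Helper: sorted 'repo:tag' names, handy for inspecting results."""
    return sorted(f"{r.repo}:{r.tag}" for r in records)


if __name__ == "__main__":
    kept, removed = apply_retention(SAMPLE, max_tags_per_repo=2, max_age_days=40, now=NOW)
    print("kept:", tags(kept))
    print("removed:", tags(removed))
```

Note that the tag limit is evaluated per repository, so a repository with a single old tag is only pruned by the age limit; passing `now` explicitly keeps the result reproducible.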

RBAC Capability Available in Sysdig Secure

The new role-based access control (RBAC) model available in Sysdig Secure allows you to define the access privileges granted to each user in a Sysdig Secure team.

Besides the Admin role, which has full access and belongs to every team, there are four roles that can be assigned when adding a user to a team. (Note that the role names are the same in Monitor and Secure, but the privileges differ slightly. Users must be assigned Monitor team roles and Secure team roles separately.)

  • View Only: Read access to every Secure feature within the team scope. A View Only user cannot modify runtime policies, image scanning policies, or any other content.

  • Standard User: Can push container images to the scanning queue and view the image scanning reports. Standard Users can also display the runtime security events within the team scope. They cannot access the Benchmarks, Activity Audit, or Policy definition sections of the product.

  • Advanced User: Can access every Sysdig Secure feature within the team scope in read and write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies or any other content. The Advanced User cannot manage other users.

  • Team Manager: Same permissions as the Advanced User + ability to add/delete team members or change team member permissions.

    Team Managers only have user administration rights within the specific team(s) for which they are designated Managers.

See User and Team Administration for details.

Vulnerability Scan Results Comparison

In image scanning reports, the vulnerability comparison feature lets users compare two different tags within the same repo to see which vulnerabilities are new and which have been fixed in version X compared to version Y.

This allows developers to easily compare the latest image to a previous version and report on which vulnerabilities have been addressed and which are new.

See Review Vulnerability Summaries for details.
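The comparison above is essentially a keyed set difference between two scan results. The following is an added Python example, not Sysdig's code: the finding format is constructed (cve, package, severity), the CVE identifiers are placeholders, and findings are keyed on CVE plus package so that a CVE fixed in one package but still present in another is reported as both fixed and new rather than silently "unchanged".

```python
"""Compare vulnerabilities between two tags of one repository (constructed example).

Not Sysdig's code. Each scan result is a list of findings; two findings are the
same when CVE id and affected package match."""
from typing import Dict, Iterable, List, Tuple

# A finding as it might appear in a scan report: cve, package, severity.
Finding = Dict[str, str]


def _key(f: Finding) -> Tuple[str, str]:
    return (f["cve"], f["package"])


def compare_scans(previous: Iterable[Finding], latest: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Return findings that are new in `latest`, fixed since `previous`, or unchanged."""
    prev = {_key(f): f for f in previous}
    cur = {_key(f): f for f in latest}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - prev.keys())],
        "fixed": [prev[k] for k in sorted(prev.keys() - cur.keys())],
        "unchanged": [cur[k] for k in sorted(cur.keys() & prev.keys())],
    }


def summarize(diff: Dict[str, List[Finding]]) -> Dict[str, Dict[str, int]]:
    """Count new and fixed findings per severity: the headline of a comparison report."""
    out = {"new": {}, "fixed": {}}
    for bucket in ("new", "fixed"):
        for f in diff[bucket]:
            out[bucket][f["severity"]] = out[bucket].get(f["severity"], 0) + 1
    return out


# Constructed scan results for two tags of the same image. CVE ids are placeholders.
PREVIOUS = [  # registry.example/api:v1.0
    {"cve": "CVE-EXAMPLE-0001", "package": "openssl", "severity": "High"},
    {"cve": "CVE-EXAMPLE-0002", "package": "zlib", "severity": "Medium"},
    {"cve": "CVE-EXAMPLE-0003", "package": "curl", "severity": "High"},
]
LATEST = [  # registry.example/api:v1.1
    {"cve": "CVE-EXAMPLE-0002", "package": "zlib", "severity": "Medium"},
    {"cve": "CVE-EXAMPLE-0003", "package": "libcurl", "severity": "High"},
    {"cve": "CVE-EXAMPLE-0004", "package": "bash", "severity": "Critical"},
]

if __name__ == "__main__":
    diff = compare_scans(PREVIOUS, LATEST)
    for bucket in ("new", "fixed", "unchanged"):
        print(bucket, [(f["cve"], f["package"]) for f in diff[bucket]])
    print(summarize(diff))
```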

Redesigned Captures Page

The Captures function in Sysdig Secure has a new look and the following usability improvements:

  • Bulk deletion of capture files

  • Ability to see whether a capture was triggered manually or by a policy

  • Search across all capture files

File Data Source Support for Activity Audit

Sysdig Secure’s Activity Audit now supports a new data source element: File activity.

Sysdig agent version 9.5.0+ is required to enable this new data source.

  • You can now filter the audit trail by file type or specific file attributes:

    • File name

    • Directory

    • Command (used to access the file)

    • Access mode

  • File activity is also visible in the time-series graph at the top (pink color).

  • Activity Audit will capture non-read file operations executed by interactive commands

Sysdig Monitor

This release contains various bug fixes and improvements. There are no new features in v3.2.0.

Sysdig Platform

S3-Compatible Storage for Capture Files

Configuring S3-compatible storage (such as Minio or IBM Cloud Object Storage) for your Sysdig captures is now supported on Sysdig Platform on-prem deployments. The capability can be turned on by configuring the system appropriately, as given in (On-Prem) Configure Custom S3 Endpoint.

Release 3.0.0, December 19, 2019

Upgrade Process

Sysdig Platform has been tested and qualified against the following:

Supported Upgrade From: 2.4.1, 2.5.0

Platform                    Version
Vanilla Kubernetes          1.13.4, 1.15.3 and 1.16.0
OpenShift                   3.11, 4.1 and 4.2
GKE                         v1.14.6-gke.13
EKS                         v1.14-eks.7
Rancher                     v2.3.3
IBM                         Unqualified
PKS                         Unqualified

Agent                       Version
sysdig/agent                0.93.1

Components                  Replicated     Kubernetes with Statefulsets
Redis                       4.0.12.7       4.0.12.7
MySQL                       5.6.44.0       8.0.16.2
ElasticSearch               5.6.16.15      5.6.16.15
Cassandra                   2.1.21.16      2.1.21.16
RDS                         n/a            8.0.16
Postgres (image scanning)   n/a            10.6.11
Anchore (image scanning)    n/a            0.5.1.
NATS Exporter               n/a            0.6.0.1
NATS Streaming              n/a            0.16.2.1

Installation:

  • Replicated: Install with Replicated

  • Kubernetes, installer-based: Installer (Kubernetes | OpenShift) 2.5.0-3.2.2

  • Kubernetes, manual: Manual Install 3.0.0+ (Kubernetes)

Upgrade:

  • Replicated: Basic Upgrade (Replicated)

  • Kubernetes, installer-based: Installer Upgrade (2.5.0+)

  • Kubernetes, manual: Manual Upgrade (3.0.0+)

Sysdig Secure

Activity Audit (Beta)

The Activity Audit in Sysdig Secure allows you to browse a live stream of activity from your Kubernetes containers and nodes. Audit takes the highly detailed data from syscalls and Kubernetes audit logs captured at the agent level, and makes it always-on, searchable, and indexed against your cloud-native assets.

This stream includes executed commands, network activity, and kubectl exec requests to the Kubernetes API. The Activity Audit allows users to view different data sources in-depth for monitoring, troubleshooting, diagnostics, or to meet regulatory controls (SOC2, NIST, PCI, etc).

Flexible filtering and scoping to help you focus on what’s relevant: Filters allow you to search, sort, and surface meaningful data and connections as they are needed. You can filter by data source type, data source attributes (like command name or Kubernetes user), and dynamic Kubernetes scope.

Automatically trace a kubectl exec session: The built-in trace functionality allows you to isolate and trace a kubectl exec access to a pod, automatically correlating the original Kubernetes user and IP that accessed the pod with the activity that was performed during the interactive session, including commands and network connections.

Activity Audit is a Preview Beta feature. Contact your customer success manager to learn more about rolling out this feature.
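The trace feature described above rests on one correlation: the exec request in the Kubernetes audit log carries the user and source IP, and the commands the agent later sees in that pod are the session's activity. The following is an added Python example of that correlation, not Sysdig's implementation: the audit events are constructed in the standard audit.k8s.io/v1 shape, the command-event format is an assumption (one record per process start with pod, container and command line), and the time window is a parameter.

```python
"""Trace a kubectl exec session back to its Kubernetes user (constructed example).

Not Sysdig's code: it correlates exec requests from the Kubernetes audit log
with commands later observed in the same pod, as described above."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed audit log lines (audit.k8s.io/v1). The exec request is logged at
# two stages with the same auditID; a plain GET on the pod is noise to ignore.
_EXEC = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1",
         "verb": "create", "user": {"username": "alice@example.com"},
         "sourceIPs": ["10.1.2.3"],
         "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-0", "subresource": "exec"},
         "requestURI": "/api/v1/namespaces/prod/pods/api-0/exec?command=%2Fbin%2Fsh&container=api&stdin=true&tty=true",
         "requestReceivedTimestamp": "2020-03-04T12:00:00.000000Z"}
AUDIT_LINES = [
    json.dumps({**_EXEC, "stage": "RequestReceived"}),
    json.dumps({**_EXEC, "stage": "ResponseStarted"}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a2",
                "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "bob@example.com"}, "sourceIPs": ["10.1.2.9"],
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "api-0"},
                "requestURI": "/api/v1/namespaces/prod/pods/api-0",
                "requestReceivedTimestamp": "2020-03-04T12:00:02.000000Z"}),
]

# Constructed command events, in an assumed format (one per process start).
COMMAND_EVENTS = [
    {"ts": "2020-03-04T12:00:05Z", "namespace": "prod", "pod": "api-0", "container": "api", "cmdline": "ls -la /app"},
    {"ts": "2020-03-04T12:00:10Z", "namespace": "prod", "pod": "worker-1", "container": "worker", "cmdline": "python worker.py"},
    {"ts": "2020-03-04T12:00:30Z", "namespace": "prod", "pod": "api-0", "container": "api", "cmdline": "cat /app/config.yaml"},
    {"ts": "2020-03-04T12:20:00Z", "namespace": "prod", "pod": "api-0", "container": "api", "cmdline": "nginx -s reload"},
]


def _ts(s: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp, with or without fractional seconds."""
    return datetime.fromisoformat(s.rstrip("Z")).replace(tzinfo=timezone.utc)


def exec_requests(audit_lines):
    """Yield one record per kubectl exec request, deduplicated across audit stages."""
    seen = set()
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("verb") != "create" or ref.get("subresource") != "exec":
            continue
        if ev["auditID"] in seen:
            continue
        seen.add(ev["auditID"])
        query = parse_qs(urlparse(ev["requestURI"]).query)
        yield {
            "audit_id": ev["auditID"],
            "user": ev["user"]["username"],
            "source_ip": (ev.get("sourceIPs") or ["?"])[0],
            "namespace": ref["namespace"],
            "pod": ref["name"],
            "container": query.get("container", [None])[0],
            "command": " ".join(query.get("command", [])),
            "ts": _ts(ev["requestReceivedTimestamp"]),
        }


def trace_sessions(audit_lines, commands, window_seconds=600):
    """Attach to each exec request the commands run in that pod/container within the window."""
    sessions = []
    for req in exec_requests(audit_lines):
        end = req["ts"] + timedelta(seconds=window_seconds)
        req["commands"] = [
            c for c in commands
            if c["namespace"] == req["namespace"] and c["pod"] == req["pod"]
            and (req["container"] is None or c["container"] == req["container"])
            and req["ts"] <= _ts(c["ts"]) <= end
        ]
        sessions.append(req)
    return sessions


if __name__ == "__main__":
    for s in trace_sessions(AUDIT_LINES, COMMAND_EVENTS):
        print(s["user"], s["source_ip"], s["pod"], [c["cmdline"] for c in s["commands"]])
```

A fixed window is the simplest session boundary; a production trace would rather close the session on the process tree of the exec'd shell, which is what the agent-side view adds over audit logs alone.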

Kubernetes Policy Advisor (Beta)

With the Kubernetes Policy Advisor, Sysdig Secure auto-generates Pod Security Policies (PSPs) to significantly decrease the time spent configuring Kubernetes Policies. Strict security policies reduce risk, but can also break applications. Sysdig tests the impact of pod security policies through simulations, enabling teams to adjust misconfigurations before shifting to production. There are three main features that comprise the Kubernetes Policy Advisor:

Auto generation: Sysdig Secure can parse any Kubernetes yaml file that includes a pod spec to generate a tailor-made PSP based on the configuration.

Simulations: Start a simulation of the auto-generated PSP or any user-inputted PSP to see what pods would have been blocked from running if this PSP had been actively applied to the cluster.

Events and tuning: Each pod/activity that would have violated the PSP will generate an event. Within the event details, users can see information about potential modifications they may need to make to the policy or the pod configuration.
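The three steps above (derive a PSP from a pod spec, simulate it, read the reasons a pod would have been blocked) can be illustrated end to end in a few dozen lines. The following is an added Python example, not Sysdig's code: it is a simplified version of the PodSecurityPolicy admission rules (privileged, host namespaces, capabilities, volume types, runAsUser and read-only root filesystem), the pod specs and policy names are constructed, and specs are plain dicts so no YAML library is needed.

```python
"""Derive a PodSecurityPolicy from a pod spec and simulate it (constructed example).

Not Sysdig's code: a simplified model of PSP admission, not the product's generator."""


def _containers(pod):
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])


def generate_psp(pod, name):
    """Return the most restrictive PSP (as a dict) that still admits `pod`."""
    spec = pod["spec"]
    scs = [c.get("securityContext") or {} for c in _containers(pod)]
    pod_sc = spec.get("securityContext") or {}
    # Effective uid per container: container-level overrides pod-level.
    uids = [sc.get("runAsUser", pod_sc.get("runAsUser")) for sc in scs]
    non_root = all(uid is not None and uid != 0 for uid in uids)
    return {
        "apiVersion": "policy/v1beta1",
        "kind": "PodSecurityPolicy",
        "metadata": {"name": name},
        "spec": {
            "privileged": any(sc.get("privileged", False) for sc in scs),
            "allowPrivilegeEscalation": any(
                sc.get("allowPrivilegeEscalation", False) or sc.get("privileged", False) for sc in scs),
            "hostNetwork": spec.get("hostNetwork", False),
            "hostPID": spec.get("hostPID", False),
            "hostIPC": spec.get("hostIPC", False),
            "allowedCapabilities": sorted({cap for sc in scs
                                           for cap in (sc.get("capabilities") or {}).get("add", [])}),
            # A volume entry is {"name": ..., "<type>": {...}}; keep only the type keys.
            "volumes": sorted({k for v in spec.get("volumes", []) for k in v if k != "name"}),
            "runAsUser": {"rule": "MustRunAsNonRoot" if non_root else "RunAsAny"},
            "readOnlyRootFilesystem": all(sc.get("readOnlyRootFilesystem", False) for sc in scs),
        },
    }


def simulate(pod, psp):
    """Return the reasons `pod` would be rejected under `psp`; an empty list means admitted."""
    p, spec = psp["spec"], pod["spec"]
    reasons = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag, False) and not p[flag]:
            reasons.append(f"{flag} not allowed")
    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in p["volumes"]:
                reasons.append(f"volume type {vtype!r} not allowed")
    pod_sc = spec.get("securityContext") or {}
    for c in _containers(pod):
        sc, cname = c.get("securityContext") or {}, c.get("name", "?")
        if sc.get("privileged", False) and not p["privileged"]:
            reasons.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", False) and not p["allowPrivilegeEscalation"]:
            reasons.append(f"{cname}: allowPrivilegeEscalation")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap not in p["allowedCapabilities"]:
                reasons.append(f"{cname}: capability {cap} not allowed")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if p["runAsUser"]["rule"] == "MustRunAsNonRoot" and (uid is None or uid == 0):
            reasons.append(f"{cname}: must run as non-root")
        if p["readOnlyRootFilesystem"] and not sc.get("readOnlyRootFilesystem", False):
            reasons.append(f"{cname}: root filesystem must be read-only")
    return reasons


# Constructed pod specs: a hardened web pod and a troubleshooting pod.
WEB_POD = {"metadata": {"name": "web"}, "spec": {
    "volumes": [{"name": "cache", "emptyDir": {}}],
    "containers": [{"name": "web", "image": "registry.example/web:1.0", "securityContext": {
        "runAsUser": 1000, "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}
DEBUG_POD = {"metadata": {"name": "debug"}, "spec": {
    "hostNetwork": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "debug", "image": "registry.example/toolbox:latest",
                    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    psp = generate_psp(WEB_POD, "web-psp")
    print("web admitted:", simulate(WEB_POD, psp) == [])
    for reason in simulate(DEBUG_POD, psp):
        print("debug would be blocked:", reason)
```

Each reason in the simulation output maps to either a policy field to relax or a pod field to tighten, which is the tuning loop the event details support.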

Scanning Improvements

New Scanning Rules

File attributes can now be verified as part of the image scan analysis. A specific file can be validated against a node or sha256 hash.

Scale Improvements to Scanning Reporting

No query conditions are required as part of the Package and Policy Queries.

Google Distro-less OS

Support for images based on Google distro-less OS, including detection of base OS/version and installed OS dpkg packages.

Sysdig Monitor

Overview Is GA

Overview is now generally available. Overview leverages Sysdig’s unified Kubernetes data platform to monitor, secure, and troubleshoot your Kubernetes clusters and workloads.

Please contact your Sysdig Technical Account Manager or email support to enable Overview for on-premises environments.

Cluster Overview

Major highlights of Overview GA include but are not limited to:

  • Multi-cloud view of the health, risk, and capacity of your Kubernetes infrastructure: a single pane of glass for Kubernetes Clusters, Nodes, Namespaces, and Workloads across multi- and hybrid-cloud environments. You can easily filter by any of these entities, view associated events and health data, and view the infrastructure organized by Clusters, Nodes, or Workloads.

  • Shows metrics prioritized by event count and severity, allowing you to get to the root cause of the problem faster.

  • Drill down to Dashboards for instant insights.

To learn about the capabilities of the Overview feature, see Overview.

Enhanced Out-of-the-box Dashboards

To improve the Dashboards experience, the following changes have been introduced:

The following Dashboards are added:

  • Kubernetes Cluster Overview: Provides nodes and workloads availability and highlights the high-level health of your Clusters. It also summarizes resources consumption (CPU, memory) across Nodes and Namespaces to pinpoint possible anomalies and node disk utilization

  • Kubernetes Node Overview: Provides availability of the Nodes, indicating potential issues reported by Kubernetes; a summary of resource (CPU and Memory) allocation and utilization, as well as Network and Disk utilization.

  • Kubernetes Namespace Overview: Provides a high-level summary of availability, and resource allocation and utilization across all the Workloads in the selected Namespace.

  • Kubernetes Deployment Overview: Provides a detailed summary of pod status, pod restarts, as well as resource allocation and utilization across pods for each Workload.

  • Kubernetes StatefulSet Overview: Provides a detailed summary of pod status, pod restarts, as well as resource allocation and utilization across pods for each StatefulSet.

  • Kubernetes DaemonSet Overview: Provides a detailed summary of pod status, pod restarts, as well as resource allocation and utilization across pods.

  • Kubernetes Job Overview: Provides a detailed summary of job status, completion trend, pod restarts, as well as resource allocation and utilization across pods.

  • Kubernetes ReplicaSet Overview: Provides a detailed summary of pod status, pod restarts, as well as resource allocation and utilization across pods for each ReplicaSet.

  • Kubernetes Pod Overview: Provides a detailed summary of pod status, pod restarts, and resource allocation and utilization in a selected pod.

  • Kubernetes Workloads CPU Usage and Allocation: Helps you verify that CPU requests are properly configured and actual utilization is expected.

  • Kubernetes Workloads Memory Usage and Allocation: Helps you verify that memory requests are properly configured and actual utilization is expected.

  • Kubernetes CPU Allocation Optimization: Helps you verify that infrastructure resources are available for future needs and are not wasted.

  • Kubernetes Memory Allocation Optimization: Helps you verify that infrastructure resources are available for future needs and are not wasted.

The following Dashboards are retained:

  • Health Overview (applicable to all the objects in the environment)

  • Horizontal Pod Autoscaler (the default Dashboard when selecting an HPA)

  • Resource Quota

  • Service Health (the default dashboard when selecting a service)

  • Cluster and Node Capacity

The following Dashboards are removed:

  • State Overview

  • Daemonset State

  • Namespace State

  • Stateful State

  • Nodes State

  • Deployment State

  • Deployment Health

  • Nodes Health

  • Namespace Health

  • Pod State

  • Pod Health

  • Replica Set Health

For more information, see Pre-Defined Dashboards.

Filtering Events by Scope

Events are now filtered by Scope to show the most relevant Events in Explore and Dashboards. This is an extension of the existing Event Scope functionality. You can toggle between showing Event feed from the entire infrastructure and only from the particular scope you are interested in within the infrastructure. Event scoping for Dashboards and Explore is enabled by default.

Filter Events by Scope in Dashboards

By default, Events are filtered to show only the relevant ones. However, you can turn the filtering off and see Events from the complete scope. To do so:

  1. Click the Dashboard Settings (three dots) icon and select Events.

  2. Use the toggle button to turn off Filter events by dashboard Scope.

  3. Click Save.

Similarly, you can filter Events by Scope in Explore.

What’s n/a?

The Sysdig Monitor UI displays n/a in several scenarios associated with labeling. The Explore UI has now been enhanced to add a tooltip for n/a to help you understand the scenario. See The Meaning of n/a for more information.

Release 2.5.0, October 29, 2019

Upgrade Process

Kubernetes and OpenShift environments upgrade to 2.5.0 using the new installer tool (see below).

Supported Upgrade Path: 2.3.0, 2.4.1

Sysdig Platform

New Installer Tool for Kubernetes/OpenShift Environments

With this release, Sysdig platforms can be installed and upgraded using a semi-automated installer tool that greatly simplifies the installation process. The tool is available for Kubernetes and OpenShift environments.

See Installer (Kubernetes | OpenShift) 2.5.0-3.2.2 and Installer Upgrade (2.5.0+) for details.

Enhancement: New Documentation Site at docs.sysdig.com

Sysdig’s documentation platform has been upgraded and moved to docs.sysdig.com.

Improvements include:

  • Look and feel: Updated to match the rest of the Sysdig branding

  • Search: Enhanced search speed, accuracy, and ease

  • Structure and content: Enhancements to content have been added and are being continuously updated

  • Feedback: Buttons on each page enable users to communicate directly with the documentation team.

Sysdig CLI

The Sysdig CLI (sdc-cli) provides an easy way to interact with Sysdig Monitor and Sysdig Secure from the command line. Read more here.

Usage:

Run it without parameters to get a list of all the commands.

$ sdc-cli
Usage: sdc-cli [OPTIONS] COMMAND [ARGS]...

  You can provide the monitor/secure tokens by the SDC_MONITOR_TOKEN and
  SDC_SECURE_TOKEN environment variables.

Options:
  -c, --config TEXT  Uses the provided file as a config file. If the config
                     file is not provided, it will be searched at
                     ~/.config/sdc-cli/config.yml and /etc/sdc-cli/config.yml.
  -e, --env TEXT     Uses a preconfigured environment in the config file. If
                     it's not provided, it will use the 'main' environment or
                     retrieve it from the env var SDC_ENV.
  --json             Output raw API JSON
  --version          Show the version and exit.
  --help             Show this message and exit.

Commands:
  alert       Sysdig Monitor alert operations
  backup      Backup operations
  capture     Sysdig capture operations
  command     Sysdig Secure commands audit operations
  compliance  Sysdig Secure compliance operations
  dashboard   Sysdig Monitor dashboard operations
  event       Sysdig Monitor events operations
  policy      Sysdig Secure policy operations
  scanning    Scanning operations
  settings    Settings operations
  profile     Profile operations

Sysdig Monitor

Ability to “Favorite” a Dashboard

Users can click the star icon to mark a “Favorite” dashboard, which will then be listed under “My Favorites” in the Dashboard view.

Sysdig Secure

In-Line Scanning

Images can now be analyzed locally before they are pushed to a registry. This has a few key benefits for users:

  • Images can be analyzed before they’re pushed to a registry, reducing registry cost

  • Customers using the Sysdig Secure SaaS offering don’t need to expose their registry to our SaaS for images to be scanned

  • For OpenShift users, the in-line scan option can be integrated into the S2I process to scan images without needing to expose a local cluster registry via a route

Learn more and access the script here: https://github.com/sysdiglabs/secure-inline-scan

SSO Configuration Pages Available in Secure

A UI for configuring Single Sign-On for Sysdig Secure is now available from the Settings menu. See Authentication and Authorization (On-Prem Options).

New Package Reports

Package name/version are now grouped together to provide easy parsing of all CVEs associated with a package and the images using that package.

New Trigger Parameters for CVSS Score

Image vulnerabilities can now be evaluated against their CVSS (Common Vulnerability Scoring System) score. If a vulnerability’s score is =, <, >, <=, or >= a specific value, the rule can trigger a warn/stop action.
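The trigger semantics above (five comparison operators, a threshold, and a warn or stop action) are small enough to model directly. The following is an added Python example, not Sysdig's policy engine: the vulnerability and trigger records are constructed, the CVE identifiers are placeholders, and the precedence rule (stop outranks warn, a trigger that matches nothing contributes nothing) is an assumption about how a gate would be summarised.

```python
"""Evaluate CVSS-score trigger parameters against a scan result (constructed example).

Not Sysdig's code: it models a rule that fires when a vulnerability's CVSS score
is =, <, >, <= or >= a threshold, with a warn or stop action."""
import operator
from dataclasses import dataclass
from typing import List, Tuple

# Comparison operators the trigger accepts.
OPERATORS = {"=": operator.eq, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    package: str
    cvss: float


@dataclass(frozen=True)
class CvssTrigger:
    op: str        # one of OPERATORS
    score: float   # threshold on the CVSS base score
    action: str    # "warn" or "stop"

    def __post_init__(self):
        # Reject malformed rules at definition time rather than at scan time.
        if self.op not in OPERATORS:
            raise ValueError(f"unsupported operator {self.op!r}")
        if self.action not in ("warn", "stop"):
            raise ValueError(f"unsupported action {self.action!r}")
        if not 0.0 <= self.score <= 10.0:
            raise ValueError("CVSS scores range from 0.0 to 10.0")


def matching_vulns(vulns: List[Vulnerability], trigger: CvssTrigger) -> List[Vulnerability]:
    """Vulnerabilities whose score satisfies `score <op> threshold`."""
    cmp = OPERATORS[trigger.op]
    return [v for v in vulns if cmp(v.cvss, trigger.score)]


def evaluate(vulns: List[Vulnerability], triggers: List[CvssTrigger]) -> Tuple[str, List[Tuple[str, str, float]]]:
    """Return the gate outcome ('pass', 'warn' or 'stop') and the (action, cve, score) findings.

    'stop' outranks 'warn'; a trigger that matches nothing leaves the outcome unchanged."""
    outcome = "pass"
    findings = []
    for trig in triggers:
        matched = matching_vulns(vulns, trig)
        findings.extend((trig.action, v.cve, v.cvss) for v in matched)
        if matched and (trig.action == "stop" or outcome == "pass"):
            outcome = trig.action
    return outcome, findings


# Constructed scan result (placeholder CVE ids) and a typical pair of triggers.
SAMPLE_VULNS = [
    Vulnerability("CVE-EXAMPLE-0001", "openssl", 9.8),
    Vulnerability("CVE-EXAMPLE-0002", "zlib", 5.3),
    Vulnerability("CVE-EXAMPLE-0003", "bash", 7.0),
]
DEFAULT_TRIGGERS = [CvssTrigger(">=", 9.0, "stop"), CvssTrigger(">=", 7.0, "warn")]

if __name__ == "__main__":
    outcome, findings = evaluate(SAMPLE_VULNS, DEFAULT_TRIGGERS)
    print(outcome)
    for action, cve, score in findings:
        print(f"  {action:4} {cve} ({score})")
```

The two thresholds overlap on purpose: a 9.8 finding matches both triggers and is reported twice, once per rule, which is what a practitioner reviewing the findings list needs in order to see which rule produced the stop.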

Time Ranges Updated

The default time range options have been updated in Sysdig Secure.

The default time ranges are now set to:

  • 10 Minutes 

  • 30 Minutes

  • 1 HR

  • 6 HRs

  • 1 Day

  • 3 Days

To look at a custom window of time, use the manual time window.

Sysdig Secure Summary Dashboard in Sysdig Monitor

Sysdig Monitor includes default dashboards that provide metrics about the number of agents installed, active policies, events that have occurred, and the policies that triggered them. Use these dashboards to identify trends, report on coverage, or facilitate the tuning process.

Release 2.4.1, September 18, 2019

Upgrade Process

Review the Migration Path tables in On-Premises Upgrades.

Supported upgrade path: 2.3.0

Sysdig Platform

Secure Authentication for Cassandra and Elasticsearch on Replicated

Cassandra and Elasticsearch datastores now have an extra layer of security on Replicated. Sysdig Replicated install allows you to enable authentication and secure communication between Sysdig backend components and the Elasticsearch or Cassandra datastores. For more information, see Install with Replicated.

[BETA] Audit Logging

The following APIs have been introduced so that administrators can view a log of user activities and of modifications to system components:

  • AppAttributes

  • AuditEvents

An audit log is a chronological record of events that provides a history of operational actions. Being able to trace an event back to its origin supports proof of compliance, operational integrity, and protection from unauthorized use. For more information, see [BETA] Auditing Sysdig Platform Activities.

Known Issues

If you want to use Audit logging and have MySQL in your Kubernetes HA environment, run kubectl -n sysdigcloud delete pod -l role=worker to ensure Audit logging works as expected. This issue is observed only in Kubernetes HA environments.

Sysdig Monitor

New Default Kubernetes Grouping

Groupings for Kubernetes have been modified. This updated Grouping is available to new teams. Default groupings are immutable: they cannot be modified or deleted, other than by copying. Modifying a copy is allowed.

New Groupings:

  • Clusters and Nodes (cluster.name > node.name > pod.name > container.name)

  • Deployments (cluster.name > namespace.name > deployment.name > pod.name > container.name)

  • Services ( cluster.name > namespace.name > service.name > pod.name > container.name)

  • Statefulsets (cluster.name > namespace.name > statefulset.name > pod.name > container.name)

  • Daemonsets (cluster.name > namespace.name > daemonset.name > pod.name > container.name)

  • ReplicaSets (cluster.name > namespace.name > deployment.name > replicaset.name > pod.name)

  • HPAs (cluster.name > namespace.name > hpa.name > pod.name > container.name)

For more information, see Grouping, Scoping, and Segmenting Metrics.

Units for Metrics

The format of metric units is now the same for the following:

  • The CPU and Memory metrics for Host and Container.

  • Kube-state CPU and Memory metrics.

Introducing the same format now makes the comparison of those metrics easier on a chart.

Container Segmentation

Sysdig now supports segmenting all net.* metrics at the container or pod level by low-level net.* dimensions, such as net.http.url or net.http.status.code. Container-based teams now display segmentations for net.http.* metrics as expected: net.http.url and net.http.status.code are shown for a container-based team just as they are for a host-based team on the same cluster.

Enhanced Event Notification

The ability to customize the subject and body of alert notifications with variables has been extended to Event notifications. Event titles and notification messages are in sync in the following cases:

  • Event feed on the Events page

  • Event overlay on Dashboards page

For more information, see Events.

Default Dashboard for Cluster and Node Capacity

Kubernetes Cluster and Node Capacity Dashboard has been refreshed to add actual usage of CPU and Memory compared to Requests, Limits and Allocatable capacity.

Aggregation for Kubernetes Nodes Health

Aggregation method has been refreshed for Kubernetes Node metrics. The Kubernetes Node Health dashboard has been updated with metric aggregations that are ‘summed’ across all containers running on the node to reflect accurate node level data.

Bug Fixes

  • Export CSV/JSON was missing columns, so not all data was exported as expected. All columns from the dashboard should exist in the exported output; all data and columns are now exported as expected.

Sysdig Secure

Policy Editor

*Please upgrade to agent version 0.92.0 or greater.

This UX overhaul brings three major improvements for every Sysdig Secure user:

  • Runtime policies can import any number of security rules. You can scope the security policy using container, cloud and Kubernetes metadata.

  • Tighter Falco integration, directly from the web UI. You can define a new trigger condition or append to the list of forbidden external IPs just by clicking on the rule.

  • A more structured way to group, classify and look up rules, following the standard cloud-native procedure: tags and labels.

Rules Library

Visualize your runtime rules properties in just a glance:

  • Where this rule comes from (Published By). The security team can instantly recognize whether a rule came from a specific Sysdig update, from a custom rules file created within the organization or from an external rules source (like the Falco community rules).

  • When it was last updated (Last Updated). You can use this information to audit your rules or, if you schedule periodic updates, to confirm when the last one happened.

  • Rule tags: An effective method for organizing your rules. You can use these tags to describe the targeted entity (host, k8s, process), the compliance standard it belongs to (MITRE, PCI, CIS Kubernetes) or any other criteria you want to use to annotate your rules.

Falco Lists

Easily browse, append, and re-use lists to create new rules. Lists can also be updated directly via API if users want to add existing feeds of malicious domains, or IPs.

Falco Macros

Easily browse, append, and re-use macros to create new rules.

Image Scanning Reports

Please contact Sysdig Support to enable this feature

The reports feature allows users to query the contents of a scan against a static or run-time scope to generate a report that shows the risk, exposure, or components of an image.

Use cases could include:

  • A new CVE has been announced, let me find all the running images in my US East Cluster that are exposed to that CVE

  • Show me all images within my Google Container registry that have the tag prod and have a vulnerability with a fix that’s more than 30 days old

  • Show me all images with a high severity vulnerability with a fix that are running in my billing namespace

Image Scanning - View Scan Results

Scan Results Page - The existing Repositories page has been renamed “Scan Results”. This page also includes new capabilities to filter based on where the images are deployed, and to easily browse and expand the different repositories to see the image:tag combinations that were evaluated and their results.

Whitelist labels available in vulnerabilities view - If a vulnerability has been added to a whitelist then that status is reflected in the Vulnerability report within the scan results.

Event Forwarding

Sysdig Secure can forward policy events to tools such as Splunk, or via syslog, as an easy way to send policy events to any downstream SIEM.

Release 2.3.0, July 29, 2019

Upgrade Process

Review the Migration Path tables in On-premise Upgrades.

Supported upgrade paths: 1929, 2435.

Important Note for Kubernetes Upgrades

Due to the new Secure Elasticsearch and Cassandra feature, Kubernetes installations must follow an Expanded Upgrade process.

This version of Sysdig On-Premise requires Elasticsearch to be at 5.6.x, which is done automatically when you follow the Expanded Upgrade process.

If you are running your own instance of ES, you will need to update it to 5.6.x.

Replicated Upgrades

For Replicated installations, the upgrade instructions are here: Upgrade Replicated Installations.

Sysdig Platform

Option to Secure Elasticsearch and Cassandra (Kubernetes only)

It is now possible to secure Elasticsearch and the Cassandra DB with password authentication and/or SSL/TLS protection.

Sysdig Monitor

Enhanced Dashboard Menu

The Dashboard menu features a drawer-style popover that displays on-demand to provide maximum real estate for your Dashboards. The menu displays an alphabetical list of Dashboards you own and those shared by your team. With the popover menu, you can add new Dashboards and search for existing ones. Click a Dashboard name to access the relevant Dashboard page where you can continue with the regular Dashboard settings.

Customize Alert Notification Template

Sysdig Monitor alerts now provide an option to customize the messages that are sent with alert notifications in email and other channels, such as Pagerduty and Webhook.

Use the Alert Editor to input dynamic variables, such as hostname, or a hyperlink, and to add custom messages in plain text to the notifications for intended recipients. You can modify both the subject and the body of the alert notification with a hyperlink or a variable. For example, you can add an agent id or a link to a Dashboard to the message. This can help provide context for troubleshooting the errors that triggered the alert.

For more information, see Customizing Alert Notification.

Prometheus Remote Scraping

Sysdig Monitor can now collect Prometheus metrics from remote endpoints with minimal configuration.

Remote endpoints (remote hosts) refer to hosts where the Sysdig agent cannot be deployed, e.g., a Kubernetes master node on managed Kubernetes services such as GKE and EKS, where user workload cannot be deployed. To enable remote scraping on such hosts, simply identify an agent to perform the scraping and declare the endpoint configurations in the agent configuration file.

The collected Prometheus metrics are reported under, and associated with, the agent that performed the scraping rather than with a process. See Collecting Prometheus Metrics from Remote Hosts for details.

Enhancements to Kafka App Check

Kafka integrations now support authentication and SSL/TLS. If authentication or SSL/TLS is enabled in Kafka, see Apache Kafka Example 5 for the configuration details to enable on the Sysdig side.

Two New Metrics for Accurate Pod Counts

Two new Kubernetes metrics, kubernetes.namespace.pod.desired.count and kubernetes.namespace.pod.available.count, have been added at the Namespace level to track desired and available pod counts.

Sysdig Secure

Image Scanning: New Trigger Options

  • New Image Analyzed - Send notifications to different channels when images with a particular registry, repo, tag are scanned.

    • Some users implement this type of alert to build image promotion workflows, i.e.

      “Push an image from staging to prod registry after a webhook is sent that the image was scanned and it passed.”

  • CVE Update - Be notified whenever a vulnerability is added, updated, or removed from an image within a registry.

Repository Alerts

Receive alerts about activity and changes that occur within your registry. See Manage Scanning Alerts.

Slack Notifications

Sample output of a CVE alert:

Sample output of an image-analyzed alert:

Image Scanning: Policies - New rule parameter available

A new field: Max days since creation is now available. This allows users to only take Stop or Warn actions if a vulnerability has been in the feed for a certain number of days.

For example: Only stop a build if an image has a high-severity CVE with a fix, and the CVE is more than 30 days old.
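The gating logic described above (and the “fix that’s more than 30 days old” report use case earlier in these notes), worked through as an added example; this is not Sysdig's scanning engine. It assumes each vulnerability record carries its severity, whether a fix is available and the date it entered the feed, and that a STOP action outranks WARN. The record layout, rule fields and sample data are all constructed for the example, and the CVE ids are placeholders, not real CVEs.

```python
"""Evaluation of the 'Max days since creation' rule parameter, added here as
an illustration; it is not Sysdig's scanning engine. Assumed: each
vulnerability record carries its severity, whether a fix is available and the
date it entered the vulnerability feed, and a STOP action outranks WARN. The
record layout and all sample data below are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str
    severity: str
    fix_available: bool
    feed_date: date  # day the entry was added to the vulnerability feed


@dataclass(frozen=True)
class Rule:
    min_severity: str             # severity at or above which the rule applies
    require_fix: bool             # only consider vulnerabilities that have a fix
    max_days_since_creation: int  # fire only when the CVE is older than this
    action: str                   # "STOP" or "WARN"


def days_in_feed(vuln: Vulnerability, today: date) -> int:
    return (today - vuln.feed_date).days


def rule_matches(rule: Rule, vuln: Vulnerability, today: date) -> bool:
    """True when the vulnerability meets every condition of the rule."""
    severe_enough = SEVERITY_RANK[vuln.severity] >= SEVERITY_RANK[rule.min_severity]
    fix_ok = vuln.fix_available or not rule.require_fix
    # "more than N days old": strictly greater, so exactly N days does not fire
    old_enough = days_in_feed(vuln, today) > rule.max_days_since_creation
    return severe_enough and fix_ok and old_enough


def evaluate(rules: list[Rule], vulns: list[Vulnerability],
             today: date) -> tuple[str, list[tuple[str, str]]]:
    """Apply every rule to every vulnerability.

    Returns the final gate result ("STOP", "WARN" or "PASS") and the list of
    (cve_id, action) pairs that fired, in rule order then vulnerability order.
    """
    triggers = [(v.cve_id, r.action) for r in rules for v in vulns
                if rule_matches(r, v, today)]
    actions = {action for _, action in triggers}
    if "STOP" in actions:
        return "STOP", triggers
    if "WARN" in actions:
        return "WARN", triggers
    return "PASS", triggers


# Rule set: fail the build only on high-or-worse CVEs that have a fix and have
# been in the feed for more than 30 days; otherwise just warn about fixable ones.
RULES = [
    Rule("High", require_fix=True, max_days_since_creation=30, action="STOP"),
    Rule("High", require_fix=True, max_days_since_creation=0, action="WARN"),
]

TODAY = date(2019, 7, 29)
# Constructed sample scan result; the CVE ids are placeholders, not real CVEs.
SAMPLE_VULNS = [
    Vulnerability("CVE-0000-0001", "Critical", True, TODAY - timedelta(days=45)),
    Vulnerability("CVE-0000-0002", "High", True, TODAY - timedelta(days=10)),
    Vulnerability("CVE-0000-0003", "High", False, TODAY - timedelta(days=90)),
    Vulnerability("CVE-0000-0004", "Medium", True, TODAY - timedelta(days=200)),
]

if __name__ == "__main__":
    result, fired = evaluate(RULES, SAMPLE_VULNS, TODAY)
    print(result, fired)
```

With the sample data only the 45-day-old critical CVE reaches the STOP rule; the 10-day-old high CVE is fixable but too recent, so it only produces a WARN, which is exactly the behaviour the “Max days since creation” parameter is meant to give a CI/CD gate.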

Image Scanning: Policy Assignments - New compliance audits available

Policy assignments now support the ability to add audit policies to provide a second step of validation of container images. Additional audit policies evaluate images against Dockerfile Best Practices, PCI, and NIST 800-190. These Audit policies have “Warn” actions set by default and are intended to validate compliance/audit use cases and not cause CI/CD builds to fail.

Updated Menu Navigation in Sysdig Secure

The top-menu navigation has been replaced by a context-sensitive drawer-style side navigation bar.

Image Scanning: Scan Results Redesign

Scan results have been expanded to help users get a better idea about the policy evaluation status and vulnerabilities present in an image. This new version of scan results allows the user to

  • Get a breakdown of the different OS/Non-OS Critical, High, Medium, Low CVEs present in the image

  • See the different policies the image has been evaluated against

  • See which specific rules have triggered the most stop/warn actions and identify areas needing attention

A breakdown of the evaluation result has been added to give users a better idea about what has triggered warn/stop actions as part of the evaluation.

In this case, we can look at the Dockerfile Best Practice policy to see the image

  • Has an effective user of root

  • Doesn’t include a Healthcheck

  • Uses apt-get upgrade as part of a Run instruction

  • Includes an ADD instruction

The Vulnerabilities section also now supports enhanced sorting and filtering by severity level and whether or not a fix is available.

Image Scanning: PDF Reports

PDF reports, which include a summary of the policy evaluation and all vulnerabilities present in the image, can be downloaded from the console.

Bug Fixes

  • Explore display fix

    Fixed an issue where, when the Explore Table had no columns configured, the Explore view showed an error.

  • Enable/disable alerts fix

    Fixed a problem where users were unable to toggle alerts.

  • Event posting fix

    Fixed an issue where events posted in Slack did not appear in the event stream. Now they do.

  • Monitor Spotlight fix

    Fixed issue where Monitor Spotlight incorrectly alerted to update On-Premise releases all the time. Update alert now turns on only when an update is actually available.

  • Improved access to kube-state metrics

    Teams based on ‘hosts’ (e.g., scoped by agent.tag.* ) will now have access to all host and container data, including kube-state metrics and dashboards. In previous versions, kube-state metrics were not available for host-based teams.

Release 2435, July 24, 2019

Release 2435 replaces versions 2172, 2266 and 2304, which were released on May 28, 2019, June 17, 2019 and June 21, 2019 respectively. If you installed 2172, 2266 or 2304, upgrade to 2435.

Upgrade Process

Review the Migration Path tables in On-premise Upgrades.

Supported upgrade paths: 1765, 1929.

(Note that if you installed 2172, 2266 or 2304, please upgrade to 2435. Otherwise, skip 2172, 2266 and 2304.)

Important Note Regarding Dashboard Migration V1 > V2

If you are upgrading from a previous version, the Dashboards will be upgraded from V1 to V2. The process requires 20-30 minutes on large systems, and the environment remains live throughout the rolling upgrade.

DO NOT create or delete dashboards during the upgrade. After upgrading, if you have saved v1 dashboards previously and need to upload them to the v2 environment, see Migrate Saved Dashboards from V1 to V2.

Sysdig Platform Fix

Custom certificates fix

Fixed an install issue caused when using custom certificates.

Release 2304, June 21, 2019

Release 2304 replaces versions 2172 and 2266, which were released on May 28, 2019 and June 17, 2019 respectively. If you installed 2172 or 2266, upgrade to 2304.

Upgrade Process

Review the Migration Path tables in On-Premises Upgrades.

Supported upgrade paths: 1765, 1929.

(Note that if you installed 2172 or 2266, please upgrade to 2304. Otherwise, skip 2172 and 2266.)

Important Note Regarding Dashboard Migration V1 > V2

If you are upgrading from a previous version, the Dashboards will be upgraded from V1 to V2. The process requires 20-30 minutes on large systems, and the environment remains live throughout the rolling upgrade.

DO NOT create or delete dashboards during the upgrade. After upgrading, if you have saved v1 dashboards previously and need to upload them to the v2 environment, see Migrate Saved Dashboards from V1 to V2.

Architecture Change in the Containers

In previous releases, there was a single backend container which ran several processes.

As of version 2266, the processes have been divided into unique containers, following container best practices.

Previous:

New:

Sysdig Platform Fix

Redis Client Fix

Updated an underlying tool (Jedis 2.9.1) to Jedis 2.9.3, to address a bug in the connection pool.

Sysdig Monitor

Manage Notification Frequency for Alerts

Users can now specify how often they want to be reminded about an alert while the event is unresolved. This option is available under the ‘Notify’ section of the alert configuration screen. See Alerts.

Advanced Scope Selection

The scope editor (for dashboards, alerts, teams, etc.) has added improved granularity, intelligent scope restriction, and the ability to add custom values on-the-fly. The editor now restricts the scope of the selection for subsequent filters by rendering values that are specific to the selected label. The values that are only relevant to the previous selection are displayed. For more information, see Dashboard Scope.

Ability to Choose Unit of Metric

Sysdig Monitor now automatically detects the type of input and scale for custom metrics. Earlier, custom metrics were marked as numbers on both Explore and Dashboard UI. The UI now supports custom unit scale for custom metrics. The supported units are byte, percent, and time. This enhancement simplifies the mapping of units of measurement with that of integrated application metrics, such as Prometheus. For more information, see Editing the Unit Scale.

Kubernetes Horizontal Pod Autoscaling (HPA) metrics

Support for the following HPA metrics has been introduced: kubernetes.hpa.replicas.min, kubernetes.hpa.replicas.max, kubernetes.hpa.replicas.current, and kubernetes.hpa.replicas.desired. For more information, see Resource Usage.

Expose Dashboard Scope in URL

The Dashboard URL can include scope parameters, including scope variables. Users can now share the URL with non-Sysdig Monitor users and allow them to collaborate on dashboard scope. Collaborators with a valid link can change the scope parameters without having to sign in. They can edit either on the UI or in the URL. For more information, see Share a Dashboard.

Sysdig Secure

Image Scanning: Policy Assignments

Policy assignments allow you to specify where your image scanning policies are applied. A policy assignment can include a Registry, Repository, Tag combination and has full wildcard support for each of those fields.

Policy assignments are evaluated in descending order, so be sure to specify the most important policies first.

Examples

  • To evaluate all images with a “Prod” tag with your Example Prod Image Policy, use the assignment: */*/Prod

  • To evaluate all images from gcr.io with an Example Google Policy, use the assignment: gcr.io/*/*

See Manage Scanning Policies.
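How wildcard assignments resolve to a policy, worked through as an added example; this is not Sysdig's own matching code. It assumes an assignment pattern is written as registry/repository/tag with '*' allowed in any field (the repository part may itself contain slashes), that assignments are checked top to bottom with the first match winning, and that image references follow the usual [registry/]repository[:tag] form. The two assignments are the ones from the examples above; the image names and the default policy name are constructed.

```python
"""Policy-assignment matching, added here as an illustration; this is not
Sysdig's own matching code. Assumed: an assignment pattern is written as
registry/repository/tag with '*' wildcards in any field, the repository part
may itself contain slashes, and assignments are checked top to bottom with
the first match winning."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Assignment:
    registry: str
    repository: str
    tag: str
    policy: str


def parse_image_ref(ref: str) -> tuple[str, str, str]:
    """Split 'registry/repo/path:tag' into (registry, repository, tag).

    The first path component is treated as a registry host only if it looks
    like one (contains '.' or ':' or is 'localhost'); otherwise the image is
    assumed to live on docker.io. A missing tag defaults to 'latest'.
    Digest references (@sha256:...) are not handled by this example.
    """
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = "docker.io", ref
    # The tag separator is a ':' in the last path component; a ':' earlier in
    # the string would be a registry port (host:5000/repo), consumed above.
    if ":" in remainder.rsplit("/", 1)[-1]:
        repository, _, tag = remainder.rpartition(":")
    else:
        repository, tag = remainder, "latest"
    return registry, repository, tag


def parse_assignment(pattern: str, policy: str) -> Assignment:
    """Parse 'registry/repository/tag' (e.g. '*/*/Prod', 'gcr.io/*/*').

    The first component is the registry, the last is the tag, and anything
    in between is the repository, so multi-level repositories can be named.
    """
    parts = pattern.split("/")
    if len(parts) < 3:
        raise ValueError(f"expected registry/repository/tag, got {pattern!r}")
    return Assignment(parts[0], "/".join(parts[1:-1]), parts[-1], policy)


def select_policy(image_ref: str, assignments: list[Assignment],
                  default: str = "Default Policy") -> str:
    """Return the policy of the first assignment matching the image.

    Matching is case-sensitive glob matching per field; fnmatch's '*' also
    spans '/', so '*' matches a multi-level repository such as 'team/app'.
    """
    registry, repository, tag = parse_image_ref(image_ref)
    for a in assignments:
        if (fnmatchcase(registry, a.registry)
                and fnmatchcase(repository, a.repository)
                and fnmatchcase(tag, a.tag)):
            return a.policy
    return default


# The two assignments from the release note, listed in evaluation order.
ASSIGNMENTS = [
    parse_assignment("*/*/Prod", "Example Prod Image Policy"),
    parse_assignment("gcr.io/*/*", "Example Google Policy"),
]

if __name__ == "__main__":
    for ref in ("gcr.io/my-project/api:Prod", "gcr.io/my-project/api:1.4.2",
                "nginx:1.25", "localhost:5000/team/app"):
        print(f"{ref:40} -> {select_policy(ref, ASSIGNMENTS)}")
```

Note that gcr.io/my-project/api:Prod matches both assignments; because */*/Prod is listed first it gets the Prod policy, and reversing the list would hand it to the Google policy instead, which is why the ordering advice above matters.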

Image Scanning: Map Internal Registries (for OpenShift environments)

The recommended way to run an image registry for an OpenShift cluster is to run it locally. The Sysdig agent will detect the internal registry names, but for the Anchore engine to pull and scan the image it needs access to the internal registry itself. You can now set this path in the Registries UI. See Manage Registry Credentials.

Compliance: Custom Report Filters

When running CIS benchmark tests, you can filter your view of the results to show only high-priority items or selected controls.

See Understanding Report Filters and Filter Report Results.

Bug Fixes

  • Improved metric aggregation defaults in Explore window

    When a metric is first selected on the Explore page, the time and group aggregation will be pre-populated with the most reasonable choice, rather than average/average.

  • Topology view fixes: Implemented fixes for proper loading of Topology panels in public dashboards, and proper “group by” and “scope” Topology Views.

    See Visualizing Metrics using Topology View.

  • Non-root user security enhancements

    Added changes to permit running Sysdig applications as a non-root user.

  • Image scanning fix in Sysdig Secure

    Bug fix in the Jenkins plugin used to scan images in Sysdig Secure.

Release 1929, April 12, 2019

This release supports upgrades from: 1149, 1245, 1402 (1511), 1586 (1630), 1765

New Features

Sysdig Platform

CRI-O Support

Sysdig on Kubernetes now provides support for CRI-O, an implementation of the Kubernetes Container Runtime Interface (CRI).

See Sysdig documentation here.

CRI-O container runtimes can be identified by the symbol beside the entry in the Explore table:

Customize Data Retention Times using Sysdig REST API

The Sysdig platform has predefined data retention settings determined by license plan. Using the Sysdig REST API, it is possible to configure separate retention times (up to plan limit).

See Customize Data Retention for details.

Sysdig Secure

Global Whitelists

Sysdig Secure allows users to manage CVEs and images that may impact builds by defining them as globally trusted or blacklisted. See Manage Vulnerability Exceptions and Global Lists for more information.

Kubernetes Audit Logging

Sysdig Secure allows users to create Falco security rules based on a stream of Kubernetes audit events, integrating Kubernetes audit logging with the Sysdig Agent. This allows users to track changes made to the cluster, and send alerts where necessary. See Kubernetes Audit Logging for more information.

Enhancements

Manual PagerDuty Notification Channel Setup

Sysdig has expanded the PagerDuty notification channel configuration process to allow users that have a team role of Manager, but a user role of Team Responder or lower, to manually configure the channel settings in order to add new channels. See PagerDuty Notifications for more details.

Agent Installation Changes

The default agent installation instructions in the UI have been updated to ensure all agents use SSL. If SSL is not required, the following JVM parameter will need to be set in the backend (see Integrate JMX Metrics from Java Virtual Machines):

-Ddraios.agents.installParams.sslEnabled=false

Bug Fixes

Anchore issue that caused scanning to hang when adding a registry

An issue occurred where scanning stopped functioning when adding a new image scanning registry to an environment. This was caused by a bug found in the Anchore open-source engine. This on-premises release includes the approved workaround patch that corrects the issue. The next release of the Anchore open-source engine will include the full fix.

Scanning service degradation due to orphaned services

An issue occurred in systems with substantial churn where the event system became overloaded/flooded with orphaned service events, resulting in service and performance degradation. This was caused by the Anchore engine emitting an event each time it found a service that was down/orphaned. This issue has been resolved.

Images with host/port component weren’t flagged with the correct analysis

An issue occurred where images with a host/port component were not flagged correctly, resulting in them showing as unscanned. This was caused by a bug in the scanning backend and has now been resolved.

Scan alert e-mail

An issue occurred in on-premises version 1765, where email alerts for scanning results directed users to an internal Sysdig environment, rather than their own. This has been corrected.

Some panels in self-monitored dashboards not working

An issue occurred where some panels in the Self-Monitored default dashboards were not displaying data correctly, because of an error in the default dashboard configuration file. This error has been corrected.

Relocated “Control Plane” from Default Dashboard in Explore

Kubernetes Control Plane Health dashboard has relocated to the Dashboards module. This dashboard allows users to monitor the health of Kubernetes master components (kube-apiserver, etcd, kube-scheduler, kube-controller-manager). The Kubernetes Control Plane health dashboard has been removed from the list of default dashboards available under Resource Usage.

ElasticSearch on Replicated Restarts into Split Brain

When a customer restarted their Replicated environment, ElasticSearch sometimes came up in a split-brain scenario (generally 2 + 1). This issue has now been addressed.

Install code lines for Sysdig Agent corrected

On the Agent Installation page of the Sysdig UI, the supplied install strings for Docker and Linux were incorrect and would not work “out of the box” for a Replicated deployment. This issue has been addressed.

Release 1765, March 13, 2019

This release supports upgrades from: 987, 1149, 1245, 1402 (1511), 1586

Upgrade Process for Sysdig in Kubernetes Environments

If you are running Sysdig Secure in OpenShift OR if you are running more than 400 agents, please contact Sysdig Support before upgrading.

If you are running Sysdig in Kubernetes, then the upgrade process for this release is comprised of two parts:

  1. Run the migration script:

    This accommodates the backend transition to a different library for communicating with the database.

  2. Perform the Upgrade:

    For Sysdig Monitor Only: If you have not licensed Sysdig Secure and run only Sysdig Monitor, use the Basic Upgrade instructions.

    For Sysdig Platform (including Secure): If you have licensed both Sysdig Monitor and Sysdig Secure, you must follow the v1765 Upgrade (Kubernetes) instructions. These steps add the components necessary to run the Scanning feature.

New Features

Sysdig Platform

Containerd Support

The Sysdig agent will automatically detect containerd metadata, as well as any Docker metadata, in your environment. Note that you must have agent version 0.88.1 or higher. See the agent install instructions for details.

If you are upgrading from an earlier version of the agent, note that you must also download the latest sysdig-agent-daemonset-v2.yaml from GitHub for containerd functionality.

Sysdig Monitor

Improved Notification Channels Configuration

A newly redesigned notification channels page under settings has been implemented. For more information, see Set Up Notification Channels.

New Kubernetes Dashboards

Added two new default Kubernetes dashboards to help users monitor Cluster / Node health and Namespace health. The dashboards are available under the default dashboard list in Explore.

Sysdig Secure

Improved Registry Credential UI

The user interface for adding registry credentials has been redesigned to improve user experience and add new configuration functionality. See Registries.

Event Forwarding

Sysdig Secure policy events can now be forwarded to Splunk. See Event Forwarding.

New Scanning Policies

New scanning policies have been added for compliance use cases and best practices, interpreting NIST 800-190 and PCI controls to detect misconfigured images.

Remediation Information

Remediation information has been added to assist in solving non-passing test results, in order to bring an environment into compliance. See Remediation Information.

Identify the Kubernetes Master Node

A new label has been added to the Compliance task results page to assist in identifying the Kubernetes master node. See Identify the Kubernetes Master Node.

Run a Compliance Task Manually

Users can now choose to run a compliance task immediately, rather than scheduling a task for later. See Run a Benchmark Test Manually.

Jenkins Plugin Available in Jenkins Community

The Sysdig Secure Jenkins plugin is now available here: https://wiki.jenkins.io/display/JENKINS/Sysdig+Secure+Jenkins+Plugin

Enhancements

Sysdig Monitor

User Interface Changes

The Intercom button has been moved from the bottom right corner of the Sysdig Monitor UI to the bottom left to facilitate a better user experience, as the previous location interfered with other UI elements. It can now be found below the Help, Spotlight, and User menus.

Bug Fixes

The following issues have been fixed in this release:

Dashboard data display issue

An issue occurred when users in a team scoped by container tried to access a dashboard. While building the read requests, the correct team filters were used, but the write request incorrectly set the domain to host instead of container, resulting in the backend not reading the data correctly. This issue has been resolved.

AWS data display issue

For some AWS queries, data displayed incorrectly because the backend could not determine the AWS resource type being queried, so the aws.resource.type metadata was added to the request scope.

Assign User to Team in Secure

In some cases, users could not be added to Sysdig Secure teams, because of a backend issue that occurred when loading the list of available users to add to a team. This has been resolved.

Release 1630 Hotfix, January 31, 2019

This release supports upgrades from: 1149, 1245, 1402, 1511, and 1586.

Performance Issues

A performance issue was found when creating snapshots for a large number of teams and a large number of custom metrics. This issue has been fixed.

Release 1586, January 21, 2019

This release supports upgrades from: 1149, 1245, 1402, and 1511.

New Features

Sysdig Monitor

New Events Feed

A redesigned Events Feed is now available. The new design unifies all of your infrastructure-related events, alerts, and other activity in a single view to help you quickly identify critical issues that need your attention. For more information, refer to the Events documentation.

New Topology is now GA

The new topology map functionality in Sysdig Monitor has moved from a labs feature to full general availability. It features a redesigned layout and enhanced interaction model to provide insight into dependencies with drill-down to the container-process level.

Authentication UI

Administrators can now configure single sign-on authentication methods (LDAP, SAML, OpenID, Google OAuth) via the Sysdig Monitor UI. For more information, refer to the Authentication and Authorization (On-Prem Options) documentation.

Enhancements

New Metrics

An additional metric (kubernetes.pod.restart.rate) has been added to show the number of pod restarts since the last check.

Kubernetes Groupings

In previous releases, the default Kubernetes groupings used kubernetes.cluster.id. This has been changed to kubernetes.cluster.name to improve user experience.

Java Virtual Machine (JVM)

The JVM flag UseContainerSupport has been disabled (-XX:-UseContainerSupport) for performance reasons.

Alert Delay at Startup

Sysdig alert jobs begin immediately at start-up. However, in instances where Sysdig goes down unexpectedly, or without proper shutdown/startup procedures implemented, data can be missing, triggering alert notifications.

A start-up delay in alert jobs can be configured in on-premises environments, by setting the draios.alerts.startupDelay parameter during the installation process. The parameter requires a duration value; the example below shows a duration of 10 minutes:

draios.alerts.startupDelay=10m

This parameter can be configured for either Replicated or Kubernetes environments:

  • For Replicated environments, add the parameter to the Sysdig application JVM options list. For more information, refer to the Install Using the Replicated GUI documentation.

  • For Kubernetes environments, add the parameter to the sysdigcloud.jvm.worker.options parameter in the configmap. For more information, refer to the Sysdig Install with Kubernetes 1.9+ documentation.

Sysdig Secure

Compliance (Benchmarks)

  • CIS compliance benchmarks now support customizable schedules, using a selection of intervals, days, and times, for different compliance tasks to execute on.

  • Users can now download individual compliance results as a CSV file. For more information, refer to the Download Task Results documentation.

  • The Compliance scheduling page now displays when the next compliance test will run.

  • An error log is now displayed when a compliance test fails.

  • Users can now search the list of compliance tests by hostname.

Bug Fixes

Mesos.*percent metrics do not currently have ‘%’ as a selectable unit scale

Mesos.*percent metrics did not include percentage as an option for the metric unit scale. This has been corrected in the backend.

Split brain in Elasticsearch when launching Kubernetes HA env

A bug in the Elasticsearch container configuration created the potential for the nodes to fail to discover all of the members of their cluster at start-up. This resulted in a “split-brain” in the Elasticsearch cluster, where nodes created multiple separate clusters, instead of a single cohesive cluster.

The configuration of the container was re-tooled to allow the Kubernetes cluster to expose the existence of the pods to their peers before they finish starting up, and the cluster pods will now be aware of all of the cluster members at start-up.

Release 1511 Hotfix, January 8, 2019

Issue: Better Handle Unknown Container Runtimes

In previous releases, snapshot jobs would fail if data for computing aggregations for Kubernetes pods from unsupported container runtimes was present. Containers in unknown runtimes are now skipped when computing these aggregations to circumvent the error.

These containers are still present, and the metrics can be seen in non-kubernetes contexts, as well as some Kubernetes contexts. (For Kubernetes contexts, they are listed as null).

Issue: JVM Settings Fix

Prior to JVM update 191, the JVM was not container-aware, and used system-level resources for auto-configuration. Update 191 changed this behavior to use container values instead. Sysdig has now updated the default settings in order to use system-level resources for auto-configuration.

Users who want to fix the issue, but do not want to upgrade to the new Sysdig hotfix, need to update the JVM settings in either the config.yaml or the Replicated console, by adding the -XX:-UseContainerSupport flag.

Release 1472, December 13, 2018

Tuned the configuration of metrics rollups to handle high-scale environments

Release 1402 December 3, 2018

Sysdig Monitor

Global silence alerts for scheduled downtime

Administrators can now temporarily disable alert events to mute notifications during planned downtime or maintenance. The new feature also supports sending a downtime notification to selected channels. Access the new capability via Settings > Notification Channels. See Disable or Delete a Notification Channel.

Dashboard Templating

New dashboard templating enables users to create and configure a fixed dashboard that enables alternating between multiple scope variables. Users can assign custom names for labels and choose to set fixed or variable label selection values.

Integration with AWS IAM role to grant permissions

New support for Amazon Web Services IAM roles grants permissions via IAM to applications running on Amazon.

See Integrate AWS Account Using the Implicit Key (On-Prem Only) in the AWS integration documentation.

Updated Users and Teams Settings Pages

The Users and Teams settings pages have been updated to improve performance and now feature a streamlined full-page edit layout. See Manage Teams and Roles.

Sysdig Secure

CIS Compliance Checks

The ability to schedule CIS compliance tasks for the agent to run on your infrastructure is now available.

These tasks will generate metrics that are available in Sysdig Monitor and reports that are available in Sysdig Secure.

Bug Fixes

Several minor enhancements to improve performance and usability.

Release 1245 November 05, 2018

Please skip this release and install 1402 instead.

Enhanced connection tracking features

Security updates

  • Backend updates to address security vulnerabilities.

  • Teams functionality is now available in Sysdig Secure.

  • Caching on image scanning run-time page for performance improvements.

Various bug fixes and improvements

Release 1149 September 14, 2018

Prerequisites

Your on-premises Sysdig installation MUST be running release v1091 before you can upgrade to this release v1149. Please upgrade to v1091 before proceeding.

Unified Events table and migration tool (Required before upgrade)

A change was introduced in how events are indexed and stored in the Sysdig platform. In prior versions, the three types of events were stored in three separate indexes based on their different sources. After migration and upgrade are complete, they will be combined in one index. Before upgrading to v1149 it is necessary to run a Unified Events migration tool.

Sysdig Agent Crash custom event

Generates a custom event if a Sysdig agent crash is experienced.

Node Ready alert reset

Enables transition of a notification from active => ok for a down node (NodeNotReady) when the node with the same scope becomes ready again (NodeReady).

Improved Mesos/Marathon label handling

Improved handling of Mesos/Marathon labeling to ensure proper display of containers within the Sysdig UI.

Various bug fixes and improvements.

Release 1091 August 16, 2018

Component updates and CVE patches

Delivers minor version upgrades and CVE patches for all third-party components in the Replicated install. The Kubernetes install includes a major upgrade for MySQL from 5.6.34 to 8.0.11. Please see the product README for upgrade guidance and details.

StatefulSets for Kubernetes deployment

Provides a StatefulSet option for Redis and MySQL in Kubernetes deployments. Please see the product README for usage eligibility and further details.

New ‘Standard User’ role and RBAC changes

Introduces new ‘Standard User’ role for developers that includes edit access to dashboards, alerts, events but NO access to Explore. Renames ‘Edit user’ role to ‘Advanced user’ and ‘Read only’ role to ‘View only’. See Manage Teams and Roles for details.

Team scoping performance improvement

When creating or editing teams, the first 30 labels and tags are displayed with the ability to search for additional options.

Multi-select alerts and bulk actions

New checkboxes on the alerts page enable selection of multiple alerts for bulk actions.

Kubernetes Node Ready alert

A new alert provides notification when a Kubernetes node is not ready. Default alert level is ‘warning’ (user-configurable).

Release 987 July 11, 2018

Solr dashboards update

Modifications to default Solr dashboard

Metrics aggregation fix

Fixed an issue with metrics aggregation

Release 963 June 26, 2018

LDAP enhancements

  • Enabling and disabling of LDAP authentication is now performed via API configuration rather than Replicated console or K8S ConfigMap. See LDAP for details.

  • An option has been added to allow chasing of referrals during LDAP authentication. See the documentation for details.

HTTPS enforcement

Sysdig is now enforcing HTTPS connectivity and using secure cookies. With this change, we have disabled TLS v1.0. Users should modify any scripts and/or applications to use HTTPS and TLS v1.2 for uninterrupted operation.

Text Panels

You can now add text panels to your dashboards to provide additional information. Text panels can be used as title headers or to provide additional context that you would like to communicate. Text panels feature limited markdown support.

Multiple segments for a single metric

You can now add up to five different segments for a given metric in time-series and stacked area panels.

Default entry point

Admins can now set a default entry point for a team to simplify the onboarding process. This determines the first page users see when they start the application (e.g., a specific dashboard, settings, etc.).

Default Istio dashboards

Sysdig provides out of the box dashboards for monitoring Istio using Prometheus exporters.

Test notification channels

New test function lets you pre-test your notification channels such as email, Slack, PagerDuty, etc.

Copy and share groupings

Copy and share unique groupings with all of your teams.

Icon labels

New icon labels appear on hover to clarify underlying function for users.

Alert on rate of change

Introducing a new ‘rate of change’ math function for metrics. Now you can alert by the rate at which a metric changes vs. a static threshold. For example, a default alert: Rate of change of disk usage alerts you if your disk usage increases more than x% in a day.

Release 925 June 10, 2018

Solr dashboards improvement

Increased number of segments for Solr default dashboard panels

Public dashboards fix

Fixed an issue that caused errors when loading public dashboards due to missing metrics

Release 917 June 7, 2018

Google OAuth fix

Fixed an issue with Google OAuth (On-Prem) login.

Upgrades in LDAP environments

Fixed an issue in upgrades with LDAP Authentication Configuration (for Platform v.1149 - 1511).

Release 914 June 6, 2018

Solr dashboards

Added application dashboards for Solr metrics.

Release 904 May 31, 2018

Performance improvements

Enhancements to improve Sysdig Monitor response time during login.

Release 893 May 9, 2018

Daily metric rollup fix

Fixed an issue caused during daily metric rollup due to Cassandra-14092.

Release 892 May 2, 2018

Various bug fixes and improvements.

Release 890 April 30, 2018

New default ports for API/Collector containers (Replicated)

New default TCP ports are exposed from Sysdig backend API/collector containers to the host level in Replicated-based installs. Read this support article for info on avoiding possible port conflicts.

‘SSO CA certificate in PEM format’ option

Replicated-based installs using SSO that access their IdP via SSL/TLS and need to import a CA certificate for Sysdig to trust the connection can now do so using the ‘SSO CA certificate in PEM format’ option. This is available under the ‘Advanced’ section of the ‘Settings’ tab in the Admin console. Kubernetes-based installs can do the equivalent as described in this README.

LDAP settings changes

LDAP authentication settings are now configured via the Sysdig Platform Admin API. Environments running releases earlier than 890 will have their LDAP settings automatically migrated to the new API endpoints when upgrading to 890.

New UI design

Our new user interface provides a more modern framework for interacting with the product. Navigation is re-oriented from a top-of-screen menu to an icon-driven left side panel, providing more space for viewing your metrics and dashboards. Click here for a quick video introduction!

Alert on rate of change

Introducing a new ‘rate of change’ math function for metrics. Now you can alert by the rate at which a metric changes vs. a static threshold. For example, a default alert: Rate of change of disk usage alerts you if your disk usage increases more than x% in a day.
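The release notes for 963 and 890 both describe the ‘rate of change’ alert. The following is an added example, not Sysdig's alert engine or its API: it models how such an alert is evaluated on a constructed series of disk-usage samples, comparing the newest sample with the newest one that is at least a full window older, and contrasts the result with a static threshold on the same data. The `RateOfChangeAlert` type, the sample timestamps and the disk values are all constructed for the illustration.

```python
"""Rate-of-change alert evaluation over a constructed disk-usage series.

Added example, not Sysdig code. It models the idea in the release note: alert
when a metric changed by more than x% over a window, independently of whether
a static threshold on the absolute value is crossed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Sample = Tuple[int, float]  # (unix timestamp in seconds, metric value)

DAY = 86400


@dataclass(frozen=True)
class RateOfChangeAlert:  # hypothetical type for the example
    window_seconds: int   # how far back to compare, e.g. DAY for "in a day"
    threshold_pct: float  # trip when the relative change exceeds this percentage


def rate_of_change_pct(series: Sequence[Sample], window_seconds: int) -> Optional[float]:
    """Relative change (%) between the newest sample and the newest sample that
    is at least `window_seconds` older. Returns None when the series does not
    yet span the window or the baseline is zero, so callers can tell "cannot
    evaluate" apart from "0% change"."""
    if not series:
        return None
    ordered = sorted(series)
    t_now, v_now = ordered[-1]
    baseline = None
    for t, v in ordered:
        if t_now - t >= window_seconds:
            baseline = v  # keep advancing: we want the newest sample still old enough
        else:
            break
    if baseline is None or baseline == 0:
        return None
    return (v_now - baseline) / baseline * 100.0


def evaluate(alert: RateOfChangeAlert, series: Sequence[Sample]) -> Optional[bool]:
    """True if the alert should fire, False if not, None if it cannot be evaluated yet."""
    roc = rate_of_change_pct(series, alert.window_seconds)
    return None if roc is None else roc > alert.threshold_pct


def static_threshold_breached(series: Sequence[Sample], threshold: float) -> bool:
    """The classic alert form, for comparison: does the latest value exceed a fixed bound?"""
    return bool(series) and max(series)[1] > threshold


# Constructed sample: disk usage (%) sampled every 6 hours over one day.
# Usage never comes near a typical 80% static threshold, but grows 30% in a day.
DISK_USAGE_PCT = [
    (0 * 3600, 40.0),
    (6 * 3600, 42.0),
    (12 * 3600, 45.0),
    (18 * 3600, 48.0),
    (24 * 3600, 52.0),
]

DISK_GROWTH_ALERT = RateOfChangeAlert(window_seconds=DAY, threshold_pct=25.0)

if __name__ == "__main__":
    print("rate of change over a day:", rate_of_change_pct(DISK_USAGE_PCT, DAY))
    print("rate-of-change alert fires:", evaluate(DISK_GROWTH_ALERT, DISK_USAGE_PCT))
    print("static 80% threshold fires:", static_threshold_breached(DISK_USAGE_PCT, 80.0))
```

The `None` return matters in practice: a freshly deployed host has no sample a day old, and an alert engine that treated that as 0% change would silently never fire during the first window.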

Support for Prometheus histogram metrics

Sysdig Monitor can now ingest the Prometheus histogram metric type and visualize it in a chart to show the distribution of specific metrics.

Did you know you can add Sysdig as a Grafana data source? To help you get started visualizing Sysdig-collected metrics in Grafana, we’ve added a Grafana Plugin link to the help menu that takes you to the setup instructions.

Revised alerting with Kubernetes metrics

Alert configuration settings for Kubernetes metrics now limit scope and segmentation based on the metric that is selected to allow for more accurate alerting. Check out our support page for more details.

Compare-to for timeseries

In your time series line charts you can now compare time-shifting metrics to easily spot trends and anomalies. With compare-to for time series you can configure and observe how one or more metrics have changed since a previous time (e.g., 1 hour ago or 2 days ago).

‘Compare to’ for number panels

Metric number panels now feature a configurable ‘Compare to’ function to display the change in measurement since a previous time frame. Provides insight into the increase or decrease of metrics over time.

New Metrics for CPU Core Usage

We’ve added cpu.cores.used and cpu.cores.used.percent that align with the way Kubernetes exposes CPU usage. Now you can compare values using kube-state-metrics such as kubernetes.node.capacity.cpuCores, kubernetes.pod.resourceLimits.cpuCores in order to determine if resources are oversubscribed. These metrics are also key for capacity planning and chargeback calculations.

Improved documentation for CPU metrics

The Sysdig Monitor Metrics Dictionary now features updated CPU metrics descriptions to provide more insight into each available metric.

Resizable columns

The UI now allows columns to be resized for all tables in the application including alerts, events, teams, and users.

Suggest Mode

Suggest mode auto-selects only the relevant dashboards and metrics, hiding any inapplicable views. This is now the normal mode of operation. The turn on/off option is no longer available.

Redesigned login screen

We’ve put a new, more modern face on the Sysdig Monitor login screen.

Release 858 April 12, 2018

Captures and Sysdig Inspect fix

Upgrades the open source sysdig version in on-prem build to resolve sysdig capture and Sysdig Inspect compatibility issue.

Customers running version 693 and above can upgrade directly to release 858.

Release 800 March 13, 2018

New Explore design

We’ve redesigned Sysdig Monitor’s Explore page to give you extra screen space to view your killer dashboards and metrics. The new vertical layout helps you see more and get to what you need faster.

Golden Signals dashboards

New Service Golden Signal dashboards provide out-of-the-box metrics that developers need when launching and monitoring a service or app. Includes slowest transactions, latency, request volume, error rates, and most requested URLs.

Spotlight

Want a simple way to quickly see what matters most in your environment? Spotlight helps you quickly discover, detect, and optimize your infrastructure and services. A Spotlight health check shows you new integrations, infrastructure, app, and agent status, and more at-a-glance.

Export table data as JSON/CSV

You can now download table data in JSON or CSV format for offline viewing and analysis.

UI updates

We’ve simplified the dashboard panel copy function and added a duplicate panel option in menu. We’ve also redesigned the dropdowns in the top-right header including making it easier to quickly see and select your teams.

Additional items

Various bug fixes and improvements including:

  • Performance and stability fixes for metrics

  • Fix for issue with ElasticSearch migration

  • Configurable program retention by customer (default limit 12)

  • Fix for migrations using BE mapper – now use dedicated customer mapper.

Release 760 February 23, 2018

Explore grouping and scoping enhancements

We’ve massively simplified grouping and scopes. Our new approach gives you better, more precise data - with less chance of invalid groupings (e.g. Kubernetes deployment > hostname). Have questions? Watch this video, read this article, or contact Customer Success and we’ll analyze your account for you!

kube-state-metrics

Sysdig Monitor now collects kube-state-metrics for monitoring and alerting on the state of Kubernetes objects. New dashboards provide visibility of metrics for nodes, namespaces, services, daemonSets, jobs, replicaSets and pods. Requires update to the Sysdig agent version 0.77.0 or higher.

Public URL dashboards

Ever want to share a killer dashboard with a colleague who is not a Sysdig Monitor user? Now you can! Just pick, click, and send your URL.

Team Manager role

We’ve introduced a new ‘Team Manager’ role that provides the privilege to add, delete, and modify team users as well as grant read or edit access.

Proxy support for outgoing HTTP/HTTPS connections

You can now configure outgoing HTTP/HTTPS connections to be made via a proxy. This covers outgoing web connections for notification channels (PagerDuty, Slack, Amazon SNS, VictorOps, OpsGenie, WebHooks) and AWS CloudWatch data gathering. Read more here.

Suggest mode enabled by default

Last year we introduced suggest mode – available in ‘Settings>Sysdig Labs’ – as a way to boost your efficiency by showing only the views, metrics, and grouping presets applicable to your environment. This option has proven so popular that it is now enabled by default.

Custom headers for webhooks

When using webhooks, you can now add custom headers to pass along additional details with an outgoing request; this is typically used to pass authentication credentials to the receiving endpoint.
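The receiving side is where a custom header earns its keep. The following is an added example, not Sysdig code: a minimal webhook receiver that accepts an alert only when the request carries the expected token in a custom header, plus a client that sends the notification with that header. The header name `X-Auth-Token`, the token value and the alert payload are constructed for the example; a real endpoint would load the token from a secret store and sit behind TLS.

```python
"""Webhook receiver that authenticates notifications by a custom header.

Added example, not Sysdig code. Runs entirely on localhost: a receiver thread
validates the header, a client posts three requests and returns the status codes.
"""
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed for the example; a real receiver reads this from a secret store.
EXPECTED_TOKEN = "constructed-demo-token"
AUTH_HEADER = "X-Auth-Token"  # assumed name; the sender configures it as a custom header


class WebhookHandler(BaseHTTPRequestHandler):
    received = []  # alerts that passed authentication

    def do_POST(self):
        presented = self.headers.get(AUTH_HEADER, "")
        # Constant-time comparison so the receiver does not leak the token by timing.
        if not hmac.compare_digest(presented.encode(), EXPECTED_TOKEN.encode()):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            event = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        WebhookHandler.received.append(event)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_server() -> HTTPServer:
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), WebhookHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_alert(url: str, payload: dict, headers: dict) -> int:
    """Send the notification as the webhook channel would and return the HTTP status."""
    req = Request(url, data=json.dumps(payload).encode(), method="POST",
                  headers={"Content-Type": "application/json", **headers})
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_demo() -> dict:
    """Exercise the receiver with no header, a wrong token and the right token."""
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/alerts"
    payload = {"alert": "Rate of change of disk usage", "severity": "warning"}  # constructed
    try:
        return {
            "no_header": post_alert(url, payload, {}),
            "wrong_token": post_alert(url, payload, {AUTH_HEADER: "not-the-token"}),
            "valid_token": post_alert(url, payload, {AUTH_HEADER: EXPECTED_TOKEN}),
            "delivered": len(WebhookHandler.received),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Rejecting before reading the body keeps unauthenticated senders from feeding arbitrary JSON into the handler, and the 401 without a body gives a probing client nothing to distinguish "missing header" from "wrong token".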

Rename of Admin team to Monitor Operations

As part of the broader Sysdig Platform initiative, ‘Admin Team’ within Sysdig Monitor is now renamed to ‘Monitor Operations.’ The Monitor Operations team will continue to behave the same as the previous Admin team:

  • The Monitor Operations team cannot be deleted.

  • Monitor Operations users have full visibility to all resources.

  • To change settings for any team, admins must switch to the Monitor Operations team.

Support for JMX metrics from Java 9

Sysdig Monitor now supports JMX monitoring for Java 9 applications. To enable collection of Java 9 metrics, update to the latest Sysdig Agent. For more details, review the Sysdig Agent changelogs.

Introducing read-only users

Users can have different roles for each of the teams they belong to, either ‘Read user’ or ‘Edit user’. A read user can only use the app in read-only mode, with no permission to create/edit/delete dashboards, alerts, etc., while the edit user is allowed to make those changes. This is a per-team role defined by Admin users.

Memcached default dashboard

A new default dashboard has been added to the Explore page where you can see the most important Memcached performance monitoring metrics: connections, commands, get hits/misses, evictions, etc.

Python client changes: Team/User configs

Changes to support Role Based Access Control (RBAC) modify how ‘Teams’ and ‘User’ configurations are stored and modified via the API. This affects the functionality of the Python client. If you currently have scripts that use these methods, click here for details on how to upgrade your Python client and make the necessary changes to your scripts.

Release 722 January 8, 2018

CPU usage host-level segmentation

CPU usage at host level can now be segmented by CPU core.

AWS and Cloudwatch improvements

Enabled more reliable AWS metadata by separating AWS metadata from Cloudwatch metrics

Additional items

Various bug fixes and improvements.

It is recommended to follow upgrade best practices:

  • Keep upgrades current

  • Test upgrades in a non-mission-critical or staging environment before rolling into production.