2020 Archive

Release 3.6.2 December 14, 2020

This release contains bug fixes and minor improvements.

Upgrade Process

Supported Upgrade From: 3.2.2, 3.5.1, (3.6.0 or 3.6.1 if it was installed)

See the GitHub documentation for the full supportability matrix and install/upgrade.

Bug Fixes

• Fixed email notifications error

  In some cases, including alerts with very large scopes and some others, email notifications were not sent due to a bug in the email renderer. This issue has been fixed.

• Fixed Kubernetes metadata display delay

  In 3.6.0 and 3.6.1 releases, upon connecting an agent, it would take 1h for Kubernetes metadata to appear. With this bug fixed, the metadata is displayed a couple of minutes after connecting the agent.

• Fixed dashboard display error when switching teams

  When the user switched teams, the dashboard menu was not displayed and required the user to reload the application. This has been fixed.

• Improvements to the security setup of our Intercom integrations

  We have improved the security of the Sysdig Intercom integration, as in some cases, the conversations could leak between different users.

• Fix to Activity Audit Janitor

  Fixed an Activity Audit Janitor error that stopped the AA clean-up process when a particular set of Sysdig Secure features were not enabled.

Improvements

Increased Decimal Precision from 4 to 6

With this release, we increased the decimal precision from 4 to 6 decimal places. This feature is mostly useful for customers using Prometheus metrics, as by convention, the metrics for time are given in seconds in Prometheus exporters, which does not work well for low numbers (for example - latencies in microseconds).

New Runtime Policy Events JSON Format

The JSON format for the runtime policy events has been upgraded to include full scope information, rule labels, and a single-line representation for the event field’s keys and values.

To preserve backwards compatibility with existing integrations, the former JSON format is still available (and used by default on migration).

From the Event Forwarder page, under “Data to Send,” the old JSON format is labeled “Policy Events (Legacy)” and the new one as “Runtime Policy Events.”

See also: Event Forwarding.

Release 3.5.3 December 14, 2020 (Replicated Only)

This release is a bug fix only release.

Upgrade Process

Sysdig Platform v 3.5.3 has been tested and qualified against the same components as in v. 3.5.1.

Supported Upgrade from: 3.5.1, 3.2.x, 3.0

Bug Fixes

Sysdig Platform

• Fixed email notifications error

  In some cases, including alerts with very large scopes and some others, email notifications were not sent due to a bug in the email renderer. This issue has been fixed.

• Improvements to the security setup of our Intercom integrations

  We have improved the security of the Sysdig Intercom integration, as in some cases, the conversations could leak between different users.

Sysdig Secure

• Events Forwarder improvement

  Fixed a crash condition in the Events Forwarder service stemming from a microservices connectivity issue.

Release 3.6.1 November 23, 2020

Oversight Services Now Offered for All Installs and Upgrades

Upgrade Process

Supportability Matrix

Sysdig Platform has been tested and qualified against the following Upgrade matrix.

* Note that as of this release, there are no upgrades for Replicated installations.

Related Documents

Sysdig Secure

The following improvements were introduced in release 3.6.1:

Node Image Analyzer: Scan “Repo-less” Images

Added support to scan images that lack a Repo tag, such as OpenShift 4.x distribution images.

Audit Tap Forwarding: Fixed Splunk Event Timestamp Metadata

The format of the “time” field included in the Splunk event metadata for forwarded Audit Tap events is now increased to millisecond granularity.

Fixed False Positives on Java Libraries Related to log4j

Fixed an issue that resulted in log4j-jboss-logmanagerand log4j-1.2-apibeing incorrectly detected as log4j, possibly generating vulnerability false positives.

NOTE: Inline Scanner v2.1

Inline Scanner v2.1 has been released.

This component is independent of the Sysdig Platform version you are running–it can be used with Sysdig On-Prem version 3.6.1 and with earlier versions.

Inline Scanner 2.1 includes the following enhancements:

• NEW

  Added ability to analyze scratch-based images

• FIXES

  Fixed a bug retrieving the PDF output for previously- scanned images

  Addressed several vulnerabilities found in the inline scanner container

See also: Integrate with CI/CD Tools.

Release 3.6.0 November 10, 2020

Oversight Services Now Offered for All Installs and Upgrades

Upgrade Process

Supportability Matrix

Sysdig Platform has been tested and qualified against the following Upgrade matrix.

* Note that as of this release, there are no upgrades for Replicated installations.

Related Documents

Sysdig Platform

Interactive Session Expiration Installation-Wide

With this release, you can define a period of interactive-session expiration, so that when a user is idle for a defined period of time, the session terminates. This helps enterprises with strict security and compliance requirements comply with relevant security controls, such as NIST or PCI-DSS 8.1.8 .

Currently, this feature is available for on-premises only and is configured per installation.

See also: Configure Interactive Session Expiration.

Minor Enhancements and Fixes around Users and Teams

• Team Search Available when Switching Teams

  You can now search for Teams on the Team Switcher. This feature is especially handy for Admins who are members of many teams.

  

  See also: Switching Teams in the UI.

• User search now supports many more users

  With this release, we have enhanced the performance for listing and search for users on bothSettings>Users and Settings>Teams pages. We now support tens of thousands of users comfortably.

• LDAP: Search for users by both username and email address

  For enterprises using LDAP, this release enables search on both username and user email address in the Settings > Users and Settings > Teams pages. Users are listed by name but can be searched by email as well.

• LDAP: Default team role respected

  This fix ensures that when LDAP users are created upon login, the default user role for the team is respected.

Inline Scanner 2.0

A new version of the Sysdig inline scanner script has been released.

Major improvements:

• The inline analysis container doesn’t need to spawn any additional containers

  • This removes the requirement for the Docker client, docker-in-docker, etc.

  • This enables usage in environments where docker-in-docker is not feasible or hard to instrument (e.g., Tekton).

• Additional analysis workflows and formats:

  • Added support to analyze a docker archive

    • A .tar.gz file containing the image, i.e. the output from a “docker save”

    • Example execution

• Added support to analyze OCI images (both and directory and archive)

  • Uncompressed or compressed OCI image format

  • Added support to retrieve an image from the container storage (CRI-O and others)

    • Example execution

Additional improvements:

• Faster image ingestion

• More verbose logs available for troubleshooting and diagnosis

• Machine-readable JSON output via --format JSON command

To upgrade an earlier Sysdig Inline Scanning version to 2.0, you need to take into account the new invocation parameters, which are not backward compatible.

Sysdig Inline scanner can be used stand-alone or as a step inside a CI/CD pipeline (Jenkins, Tekton, CircleCI, etc). In the upcoming weeks, we will update the different integrations to provide out-of-the-box support for the 2.0 version.

Sysdig Secure

Regulatory Compliance Control Validation & PCI Checks

A new feature has been added to Sysdig Secure for checking controls from various compliance standards. For the first release, we provide checks against specific controls in PCI 3.2. Future releases will include SOC2, NIST-800-53, and more.

Compliance Validator and Reports

The validator checks many Sysdig Secure features, including: image scanning policies, Falco runtime policies and rules, scheduled benchmark testing, Admission Controller, Network Security Policies, Node Image Analyzer, and more. Over time we will add new compliance coverage.

Disclaimer: Sysdig cannot check all controls within a framework, such as those related to physical security.

PCI Control Details

The PCI Quick Reference describes the full range of controls required to pass a PCI 3.2 audit. In this release, Sysdig Secure will check the following subset:

Controls 1.1.2, 1.1.3, 1.1.6.b, 2.2, 2.2.1, 2.2.2, 2.2.a, 2.4, 2.6, 4.1, 6.1, 6.2, 6.4.2, 6.5.1, 6.5.6, 6.5.8, 7.1.2, 7.2.3, 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.6, 10.2.7, 10.3, 10.5.5, 10.6.1, 11.4, 11.5.a, 11.5.b.

Replacing RHSA Advisories with CVE Advisories

In new images scanned, RHSA advisories will be replaced with CVE advisories.

Benchmarks support for Kubernetes Benchmark 1.6

• Kubernetes Bench upgraded to version 1.6

• Using the Kubernetes benchmark, we now provide customer-selected benchmark checks for GKE and EKS (rather than just the Kubernetes default).

Vulnerability Exceptions Handling Enhanced

The Vulnerability Exceptions feature in Sysdig Secure has been redesigned and enhanced.

It now offers:

• Additional vulnerability and feed context

• Precise mapping between images and their associated exceptions

• A better exception management lifecycle

• Multiple vulnerability lists, which can be flexibly assigned to different image sets (or just a particular image), using the scanning policy assignments

• Additional information displayed to improve team awareness and security context

  • Vulnerability description

  • User-defined notes

  • Vulnerability feed info, with severities and links as provided per feed

• Configurable expiration dates:

  • An exception is automatically disabled when the expiration date is met

  • Day resolution, all times relative to 0:00 UTC

• Enhanced workflow integration with the “Scan results” page for an individual image, with the ability to quickly append a flagged vulnerability to a list.

Migration: The exception and evaluation behavior in the current environment will be maintained after the feature upgrade. In particular:

• Pre-existing vulnerability exceptions will be migrated to the “Default exceptions list”

• The “Default exceptions list” will be assigned to every pre-existing policy assignment

• All the pre-existing vulnerability exceptions expiration date will be set to “Never.”

See also: Manage Vulnerability Exceptions and Global Lists.

Event Forwarding: Kafka and Webhook Added

Two new supported integrations have been added to the Sysdig Secure Event Forwarder:

• Kafka topic

• Generic webhook

The Kafka topic integration includes support for:

• Multiple Kafka brokers

• Partitioner/Balancer algorithms: Murmur2, Round robin, Least bytes, Hash, CRC32

• Compression algorithms: LZ4, Snappy, Gzip, Zstandard

The Webhook integration includes support for:

• Authentication methods: Basic authentication, Bearer Token, and Signature Header

• Custom headers defined by the user to accommodate any additional parameter required on the receiving end

Image Exclusion on Policy Events

Users often want to tune policy events. We’ve added a button on the event detail that will add an exclusion to a specific container.image.repo for the policy that triggered the event. Once that exclusion is applied to the scope, policies will no longer fire for that container.image.repo.

Captures Filter on the Policies Page

Policies can now be filtered to display if a capture is associated with an active or inactive policy.

Quick Menu to Captures from Runtime Events

For runtime policy events that have an associated capture, we now offer a contextual menu for performing quick actions over the event capture, rather than a simple link to the Captures interface. You can:

• View the capture directly in Sysdig Inspect

• Directly download or delete the capture

Additionally, if the event is scoped to a particular container, Sysdig Inspect will automatically filter the displayed information to the scope of that Container ID.

Image Scan Results Page Redesigned to Improve Load Times & User Experience

The user interface is cleaned up, reorganized, and provides the following functional improvements:

• Load times are significantly decreased because the last known evaluation for the image is automatically fetched

  • View the latest evaluation time directly in the scan summary Evaluated at

  • Use the new Re-evaluate button to fetch current data if desired

• View the image origin/reporting mechanism in the new “Added By” field.

  Possible values are: Sysdig Secure UI, Node Image Analyzer, API, Sysdig Inline Scanner, or Scanning alert.

• Copy the Image Digest and Image ID to the clipboard using a quick pop-up panel.

  

Forwarding the Activity Audit Information

The Sysdig Secure Event Forwarder has added support to forward Activity Audit data to external platforms.

Sysdig Monitor

Time Navigation in Events Feed

You can now browse and find historic events easily by using time navigation.

Zooming Out Dashboards

You now have the ability to zoom out Dashboards. This feature doubles the selected timeframe for a better context surrounding a problem when troubleshooting an incident.

Release 3.5.1 August 24, 2020

NOTE: Version 3.5.1 includes a fix for vulnerabilities that were detected in version 3.5.0. It is recommended to skip version 3.5.0 and install version 3.5.1 instead. As of this release, all on-premises installs and upgrades include oversight services from Sysdig support.

Oversight Services Now Offered for All Installs and Upgrades

Upgrade Process

Sysdig Platform has been tested and qualified against the following:

Related Documents

Sysdig Platform

Endpoint for Feeds Update Has Changed

We no longer point to ancho.re for feeds update but tohttps://api.sysdigcloud.com/api/scanning-feeds/v1/feeds. This could require a change to your firewall rules, as an exception to your proxy for ancho.re would impact the feeds update.

Sysdig Secure

New Sysdig Secure Overview Page

The Sysdig Secure Overview provides an at-a-glance view of the critical areas of your security posture.

Scoping

Panels can be scoped by Cluster or Namespace. The scope will update all panels that are displaying run-time data and the corresponding drill-down views.

Panels

• Build Time - Images Scanned: Image scan results for all static image scans

  Drill-down - To Image Scanning Reports page.

• Build Time - CVEs Found by Severity: The total number of CVEs present in each image scanned.

  Drill-down - Available in a future release

• Run-time - Images Scanned: The pass/fail status of images running now and their trend over time.

  Drill-down - To Runtime Scanning Image page.

• Run-time - CVEs by Severity: The total number of CVEs present in each running image

  Drill-down - Available in a future release

• Run-time - Policy Events by Severity: The total number of policy events by severity.

  Drill-down - Secure Events page.

• Benchmarks Tests Failing: The total number of benchmark tests that have failed.

New Get Started Page

The Get Started page provides the key steps to ensure users are getting the most value out of Sysdig Secure. We’ll update this page with new steps as we add new features to Sysdig Secure.

The Get Started page also serves as a linking page for:

• Documentation

• Release Notes

• The Sysdig Blog

• Self-Paced Training

• Support

Users can access the page at any time by clicking the rocketship in the side menu.

Feeds Status Page Added

It’s useful to understand the last time the feeds were updated, especially in self-hosted environments. The Feeds Status page shows the different vulnerability feeds we integrate with, their feed group (often the distro version), the time of the last sync, and how many CVE records are present in the feed group.

See also: Feeds Status.

Secure Events Feed Overhaul

The Events feed in Sysdig Secure (formerly called Policy Events) has been redesigned, both visually and functionally.

Apart from the styling and user experience improvements, these are the major new features and use cases

Advanced Filtering

We are deprecating the grouping/clustering of events present in the old version in favor of a much more powerful set of filtering capabilities:

• Severity filters: Presented as quick buttons at the top, supporting multi-select

• Attribute filters: Provide a simplified syntax to filter events by the attributes they contain. For example ruleType="Falco - Syscall" or image.repo!="sysdig/agent"

  • Open the event details side panel to find quick filtering widgets to include or exclude the attribute values associated with the displayed event

• Event type selector: Supports runtime scanning alerts on top of policy runtime events (see section below), with an easy multi-selector in the UI.

• Free text search: Allows you to search the event titles and scope label values. I.e. Terminal shell inor my-k8s-cluster.

• New scope selector: Allows for additional selector logic (in, not in, contains, startswith, etc), improving the scoping flexibility over earlier versions. This scope selector also provides scope variables, allowing you to quickly switch between, for example, Kubernetes namespaces without having to edit the panel scope.

All these filters can be combined additively to further refine your search.

Multiple Event Types

The new event feed displays not only the policy runtime events, but also runtime image scanning alerts.

The backend architecture, filtering, and UX have been designed to accommodate additional types of security events that will be pushed to the Event Feed in the future, upgrading the interface from a policy-runtime-centric experience to a full security center control panel.

Additional Event Details

Policy runtime events: These now display the rule that was fired together with the rule labels. You can use the quick filters mentioned above to further refine the search.

Richer scope: Every security event now displays all the scope labels retrieved for the event, not just those configured in the scope selector.

See also: Secure Events.

Additional Considerations/Limitations

Events in the old and new format will be stored separately:

• No event or event data will be lost during the transition

• Events that were registered before the new feed is deployed can be browsed using the old feed interface, which is available from the burger menu in the top-right corner

• Events that happen after the new feed is deployed will appear in the new event feed

• Eventually, all events within the retention period will be present in the new interface, at which point the version switcher will disappear

Team, Role, and Channel Updates

A variety of enhancements have been added to the team, role, and notification channel options.

Service Manager Role Added to Sysdig Secure

RBAC capability was previously added to Sysdig Secure. (See also January 27, 2020 and User and Team Administration.)

Now a new role, Service Manager, is also available in Secure. It has the same permissions as the Standard User, plus the ability to invite existing users to the team and manage the notifications channels assigned to the team. See Team-Based Roles and Privileges

Configurable Default Team Role

You can now define the default user role to apply when a new member is added to the team. The Admin can change this default on a per-team basis. See also: Create a Team.

RBAC and Team Assignment for Notification Channels

Previously, notification channels in Sysdig Secure and Monitor were treated as global entities, visible and editable for most users of the platform regardless of team configurations.

We are enhancing the management and RBAC controls in the following ways:

• Notification channels can now be “global” or limited to a particular team

• Global channels can be managed by admins and can be viewed/used by other roles, while team-limited channels are available only to team members

• Team Manager , Advanced User, and Service Manager (Secure) roles can create/update/delete team-scoped notification channels, they can also read and use the global ones

• Standard and View Only roles can read team-limited and global notification channels

• Admins will be able to create global notification channels and migrate channels from “global” to “team-limited”, and also from one team to another.

See also: Set Up Notification Channels and the Share With field in each individual channel setting page.

Optimized Runtime Page

We’ve released a new Runtime page for the Image Scanning module within Sysdig Secure. Improvements include:

• Filtering based on pass/fail/unscanned

• The ability to search results for a specific image

• Optimized queries to improve response times

For more information, see Review Scan Results.

Menu Update

The ordering of the side menu has been changed.

Image Scanning Updates

The image scanning navigation bar has changed.

• The side menu is reorganized into Analyze and Configure sections

  • Analyze: Different areas of scanning that allow users to view scan results

  • Configure: The areas of scanning that involve the setup of the application

• Whitelist terminology with CVEs has been removed.

  “CVE whitelist” is now CVE Exceptions.

CLI-Based Admission Controller for Image Scanning

An additional tool for evaluating and admitting images is now available.

Sysdig Admission Controller

Sysdig’s Admission Controller (UI-based) combines the Sysdig Secure image scanner with a policy language to evaluate scan results and the admission context, providing great flexibility in the admission decision. It also provides the first line of defense against image-based security threats.

By using Kubernetes API extensions to perform image scanning and other security checks on admission, we cover a major threat-prevention and hardening use case: “Only the images that are explicitly approved will be allowed to run on my cluster”.

The admission decision relies not only on the image name and tag but also on additional context from the admission review, including namespace, pod metadata, etc.

Features

• Registry and repository whitelist / blacklist

• Global and per-namespace admission configuration

• Configurable pre-scan and post-scan behavior, i.e.:

  • Accept only the images that pass the scan (default)

  • Directly reject non-whitelisted registries / repos, without scanning

  • Accept the image even if it doesn’t pass the scan

  • Do not accept any image that hasn’t been scanned already

• Pod mutation: image tag is replaced by digest to prevent TOCTOU (Time of Check, Time of Use) issue if the tag is updated between the scan and the pod scheduling

Requirements

• Helm 3

• Kubernetes 1.15 or higher

For more information, see Admission Controller .

Added Automatic Image Scanning using Node Analyzer

The (node) image analyzer (NIA) provides the capability to scan images as soon as they start running on hosts where the analyzer is installed. It is typically installed alongside the Sysdig agentcontainer.

This component was introduced to reduce dependencies on analyzing images within the Sysdig backend (SaaS or On-prem). Some advantages include:

• Sharing credentials with the Sysdig backend in order to pull images is not required

• Sharing the image content and potentially code with the Sysdig backend is not required; only metadata will be sent out

• Opening a network route to allow the Sysdig backend to reach the user’s registries is not required

For more information, see Scan Running Images.

Added Image Scanning Integration Options

Two new scanning integrations are available for CI/CD pipelines. Sysdig provides:

• A reference implementation with Tekton Pipelines (prototype)

• A fully supported integration with Amazon Elastic Container Registry (ECR) for triggering auto-scans from the registry

Integrating Secure Image Scanning with Tekton Pipelines

Tekton Pipelines allow you to implement CI/CD workflows using a highly modular, cloud-native approach that:

• Uses containers as the building blocks for individual tasks

• Runs directly on Kubernetes/OpenShift without requiring a dedicated infrastructure

• Uses tasks that are purely declarative and described using their own CRD, making them easily composable and reusable

Sysdig’s reference implementation details the prototype task to invoke Sysdig Secure image scanning as a pluggable step in your CI/CD pipeline with just a YAML file:

Leveraging Tekton integration with the orchestration layer, you can retrieve the image scanning policy evaluation and state (pass/fail) directly from the logs of the task pod.

Read the “Securing Tekton pipelines in OpenShift with Sysdig” blog post for additional details

Integrating Secure Image Scanning with Amazon ECR

Automatically scan images pushed to your Amazon Elastic Container Registry (ECR) using AWS-native technologies and Sysdig Secure.

Sysdig image scanner integration is deployed as a CloudFormation template that listens to ECR registry events and uses AWS resources to streamline the image scanning process.

• ECR itself will trigger the scan, no need for your CI/CD pipelines to actively pull from the registry

• Deployed in a few clicks, you just provide basic configuration parameters such as the Sysdig API token or the Sysdig backend URL

• No need to configure registry scanning credentials on the Sysdig Secure side

This integration offers two different operation modes

Inline scanning:

• Scanning will be performed inside an AWS CodeBuild pipeline allocating ephemeral resources

• No need to configure any registry credentials for Sysdig Secure

• No need to expose your ECR registry to the Sysdig Secure backend

• Sysdig Secure will not retrieve the image contents, only the metadata that is required to perform the policy evaluation

Backend scanning:

• Sysdig Secure will retrieve the full image contents in order to perform the scan

• Your ECR registry must be reachable by the Sysdig Secure backend

• Registry credentials are required, but they are pushed automatically by a lambda function, no need for manual configuration

Updated Inline Scan Script

• Added header values for import API for better supportability.

• Upgraded to Anchore engine v0.6.1.

• Use docker:dindinstead of ubuntu for the base image. This reduces the image size and speeds up downloading.

The latest version of the inline script will always be available at https://download.sysdig.com/stable/inline_scan.sh

Link to repo for script source code: https://github.com/sysdiglabs/secure-inline-scan

Inline Scanning Reporting Improvements and Documentation

This script from SysdigLabs is useful for performing image analysis on locally built container images and posts. The only dependency for this script is access to docker-engine, Sysdig Secure endpoint (with the API token) and network connectivity to post image analysis results.

Here are examples of using the inline scanner in different pipelines:

• Gitlab

• Github Actions

• AWS Codepipeline

• Azure Pipelines

• CircleCI

PDF Reports from the Inline Scanner

A new option

-R  [optional] Download scan result pdf report

will generate a PDF artifact that is available for developers to consume in the pipeline.

Updates to Default Rules and Policies

The following changes have been made to default Policies in Sysdig Secure, and to default Falco rules:

• New rule tags added that map Falco rules to PCI and NIST controls

• New default policies added specifically for PIC/NIST compliance

• Tuning modifications for:

  • Write below etc

  • Write below root

  • Change thread namespace

  • Run shell untrusted

  • Detect outbound connections to common miner pool ports

For more information, see also Falco Rules Changelog.

New Vulnerability Feed Available: VulnDB

We’ve added VulnDB as an additional 3rd-party vulnerability source to improve Sysdig’s coverage in non-OS package vulnerabilities.

In addition, a new page is available for each VULNDB-linked advisory. It lists the CVEs and details about the Common Vulnerability Scoring System (CVSS) scores and external references.

See also: Vulnerability Databases Used.

Linux CIS Benchmark Test Added

Sysdig Agents can run the Independent Linux benchmark against the underlying host where the agent is installed. The Linux benchmark can be scheduled to run at a chosen interval in your environment and emits results and metrics about the status of the tests.

Openshift Hardening Guide

The Openshift hardening guide implements configuration checks run by the agent against Openshift environments.

See https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/container_security_guide/index

Note: This is supported for 3.x versions of Openshift. When Openshift releases a hardening guide for 4.x versions, we will update the configuration checks.

Captures can be Routed to Specific Storage Locations

As a user, you may have different S3 buckets where you’d like to store Sysdig captures, based on the environment where the policy event was triggered. New options are available for deciding what storage option you’d like to use for each policy event.

Sysdig Monitor

New Dashboards is GA

Sysdig Monitor offers a new version of dashboards. Its improved editing experience provides you with more flexibility and the new set of functionalities offers additional ways to visualize and consume your Sysdig data.

Features and Enhancements

Improved User Experience

The New Dashboard offers a more fluid, natural dashboard building experience.

Dashboard Sharing

You can now share your dashboard with members within your Sysdig team or share it across teams with fine-grained access controls. Define who should be able to see the dashboards and what level of access they should be granted: view only or collaborator with edit privileges.

Time Series Name Templating

Customize the time series names on the legend on the panel editor by using the labels associated with Prometheus metrics and segments to gain context faster.

Multi-Metric, Multi-Segmentation Options

Configure multiple queries within a single panel, and configure each query with multiple segmentation and scoping options. Individual queries can be customized to render as a line or stacked area. .

Event Overlay

Contextualize metrics and understand the “why” faster with a unified view of both metrics and events. Configure event overlay to display events from Kubernetes environments as well as alert events, and any other events ingested using Sysdig’s open REST API.

Dashboard Library

Formerly, Dashboard Templates.

You can quickly view your infrastructure through the lens of one of Sysdig’s curated dashboards, or use it as a base to start building your own. You can find dashboards in the Library for managing Kubernetes capacity and health, hosts and server performance, applications and services telemetry, and the security posture of your infrastructure with data fed from Sysdig Secure. See Dashboard Library to learn more.

Mapping Values to Text

Instantly understand what’s going on by mapping number panel values to text. If you have a metric that returns 1 for up, and 0 for down, map those values to “UP” and “DOWN” respectively. By defining thresholds and mapping to text, you don’t need to be concerned about the values. This is critically valuable when dashboards are shared between team members. For more information, see Text.

Granular Axes and Legend Controls

You have more flexibility when customizing the axes, as well as better support for time series with long names. You can now configure the legend by toggling its visibility and moving it to the bottom of the panel.

Major Changes

Significant changes have been introduced to enhance the usability of the existing functionalities. Review the changes before you explore the functionalities.

Topology Maps

Topology maps are no longer available in Dashboard. Access Topology maps through Explore, as you explore your microservices and Kubernetes applications.

Dashboard Wizard

My Dashboards are no longer accessible in Explore. Additionally, Dashboard Wizard has been removed. Instead, the concept of Templates has been introduced in Dashboards to help you get started with a library of templates addressing key use cases.

Histogram and Summary Metric Type

Histogram and summary metrics are no longer supported in the Histogram panel type. You can continue to use them within Explore.

APIs and Integrations

API endpoints for the legacy dashboards (v2) will soon be deprecated. If you are directly integrating into the API, please contact Sysdig for guidance. Additionally, our Python SDK and CLI have been updated to support the new dashboards APIs.

Sysdig Monitor Rebranding

The Monitor app has been refreshed with new logos and icons. The navigation pane has been re-organized. The Explore tab is moved below Dashboards.

The New Get Started Page

The Get Started page provides the key steps to ensure that you are getting the most value out of Sysdig Monitor. We’ll update this page with new steps as we add new features to Sysdig Monitor.

The Get Started page also serves as a linking page for:

• Documentation

• Release Notes

• The Sysdig Blog

• Self-Paced Training

• Support

You can access the page at any time by clicking the rocketship icon in the left navigation bar. See Getting Started with Sysdig Monitor.Getting Started with Sysdig Monitor

RBAC and Team Assignment for Notification Channels

Previously, notification channels in Sysdig Secure and Monitor were treated as global entities, visible and editable for most users of the platform regardless of team configurations.

We are enhancing the management and RBAC controls in the following ways:

• Notification channels can now be “global” or limited to a particular team

• Global channels can be managed by admins and can be viewed/used by other roles, while team-limited channels are available only to team members

• Team Manager , Advanced User, and Service Manager (Secure) roles can create/update/delete team-scoped notification channels, they can also read and use the global ones

• Standard and View Only roles can read team-limited and global notification channels

• Admins will be able to create global notification channels and migrate channels from “global” to “team-limited”, and also from one team to another.

See also: Set Up Notification Channels and the Share With field in each individual channel setting page.

AWS Role Delegation

Sysdig Monitor can now utilize the Amazon Web Service (AWS) AssumeRole functionality and discover cloud assets, grab CloudWatch metrics from your AWS account, and use custom S3 bucket for storing captures. Upon integrating with an AWS role, you can delegate access to AWS resources that are not associated with your Sysdig AWS account.

Role delegation is an alternative to the existing integration method using the access keys. This method is considered secure as sharing developer access keys with third-parties is not recommended by Amazon.

For more information, see Integrate with AWS Role Delegation.

Configurable Default Team Role

You can now define the default user role to apply when a new member is added to the team. The Admin can change this default on a per-team basis. See also: Create a Team.

Default Dashboards for Istio 1.5

Default dashboards (Overview and Services dashboards) are now available for Istio v1.5 in addition to the existing ones for Istio v1.0.

Release 3.2.2, June 11, 2020

This is a hotfix release for Benchmarks. See Defect Fixes for details.

Upgrade Process

Sysdig Platform has been tested and qualified against the following:

Related Documents

Sysdig Secure

Defect Fixes

Problem: On a cluster running Kubernetes v1.12 or later versions with Sysdig agent v9.7.0 or later versions, the CIS Kubernetes benchmark result could not be interpreted, resulting in an infinite spinner displayed in the UI.

Resolution: Sysdig agents v9.7.0 or later versions can now be used with Kubernetes v1.12 or later versions. The CIS Kubernetes versions included are 1.3, 1.4, and 1.5.

Sysdig Monitor

This release contains no new features or defect fixes.

Sysdig Platform

This release contains no new features or defect fixes.

Release 3.2.1-Onprem (Replicated Only), March 23, 2020

This is a hotfix release that enforces a minimum Replicated Console version to include a necessary security patch. This release contains no new Sysdig functionality and is not a required upgrade.

Release 3.2.0, March 04, 2020

Upgrade Process

Sysdig Platform has been tested and qualified against the following:

Related Documents

Sysdig Secure

Data Retention Limits for Scan Results

Use this feature to set limits on how long image scan metadata is stored, either by tags or days. This removes stale data and helps keep scan results easy to read.

See Data Retention for details.Data Retention

RBAC Capability Available in Sysdig Secure

The new role-based access control (RBAC) model available in Sysdig Secure allows you to define the access privileges granted to each user in a Sysdig Secure team.

Besides the Admin role, which has full access and belongs to every team, there are four roles that can be assigned when adding a user to a team. (Note that the role names are the same in Monitor and Secure, but the privileges differ slightly. Users must be assigned Monitor team roles and Secure team roles separately.)

• View Only: Read access to every Secure feature within the team scope. A View Only user cannot modify runtime policies, image scanning policies, or any other content.

• Standard User: Can push container images to the scanning queue and view the image scanning reports. Standard Users can also display the runtime security events within the team scope. They cannot access the Benchmarks, Activity Audit. or Policy definition sections of the product.

• Advanced User: Can access every Sysdig Secure feature within the team scope in read and write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies or any other content. The Advanced User cannot manage other users.

• Team Manager: Same permissions as the Advanced User + ability to add/delete team members or change team member permissions.

See User and Team Administration for details.

Vulnerability Scan Results Comparison

In image scanning reports, the vulnerability comparison feature allows users to compare two different tags within the same repo to see which vulnerabilities are new or have been fixed in version X compared to version Y.

This allows developers easily to compare the latest image to a previous version to easily report on which vulnerabilities have been addressed and which are new.

See Review Vulnerability Summaries for details.Review Vulnerability Summaries

Redesigned Captures Page

The Captures function in Sysdig Secure has a new look and the following usability improvements:

• Bulk deletion of capture files

• Ability to see whether a capture was triggered manually or by a policy

• Search across all capture files

File Data Source Support for Activity Audit

Sysdig Secure’s Activity Audit now supports a new data source element: File activity.

• You can now filter the activity by file type or specific file attributes:

  • File name

  • Directory

  • Command (used to access the file)

  • Access mode

• File activity is also visible in the time-series graph at the top (pink color):

  

• Activity Audit will capture non-read file operations executed by interactive commands

Sysdig Monitor

This release contains various bug fixes and improvements. There are no new features in v3.2.0.

Sysdig Platform

S3-Compatible Storage for Capture Files

Configuring S3-compatible storage (such as Minio or IBM Cloud Object Storage) for your Sysdig captures is now supported on Sysdig Platform on-prem deployments. The capability can be turned on by configuring the system appropriately, as given in (On-Prem) Configure Custom S3 Endpoint.