Host Shield for Linux Release Notes
Starting from version 13.9.0, the new Linux Host Shield release notes will be available on this page.
14.0.0 June 17, 2025
- Supported sysdig-deploy version: 1.86.0
- Supported Falco Engine version: 1000.45.0
- Supported shield chart version: 1.9.0
This release introduces major changes, including performance improvements, new defaults, and component deprecations. Review carefully, as some updates may require action.
Enhancements
Dynamic Syscall Filtering
Host Shield introduces a new capability, Dynamic Syscall Filtering, to improve performance and resilience while reducing resource requirements. This feature is enabled by default. It monitors only the system calls required for active features, plugins, and policies, significantly reducing system call volume and system overhead. The lower CPU and memory usage is most noticeable in lightweight Host Shield modes and high-load environments. For more details, see Dynamic Syscall Filtering.
Secure Light Default Mode
The shield and sysdig-deploy Helm charts now switch to secure_light mode by default when monitor features are not enabled, delivering significantly improved performance and reliability out of the box.
Improved Posture Connectivity Resiliency
Changed the default transport protocol for the Posture feature from nats to https to improve resilience against transient network failures and round-trip communication issues.
New Option to Skip Failed DNS Request
Previously, the dns_detection feature did not raise events for failed DNS requests. Now, dns_detection processes all DNS requests, including failed ones, and consequently applies policies on the raised events. You can enable the new dns_detection.skip_failed_requests option (disabled by default) in the shield chart to restore the previous behavior of skipping failed DNS requests and prevent related events from being raised. This helps reduce noise if these types of errors are not relevant to your environment.
Flatcar OS supported
Flatcar OS is now supported on Sysdig Shield.
Deprecations
Custom App Checks Sunset
Custom App Checks are no longer supported.
AppChecks Python 2.7
App Checks using Python 2.7 are no longer supported.
Minimum Kernel Version Set to 3.10
Linux kernel versions older than 3.10 are no longer supported.
Defect Fixes
Fixed Kernel Header Install on Debian
- Fixed an issue where the install script on Debian-based systems was unexpectedly installing kernel headers even when universal eBPF was selected.
Vulnerability Fixes
This release addresses the following security vulnerabilities:
- CVE-2025-30698
- CVE-2025-30691
- CVE-2025-24528
- CVE-2025-22872
- CVE-2025-22871
- CVE-2025-21587
- CVE-2025-4802
- CVE-2023-4752
- CVE-2025-0938
- CVE-2025-0395
- CVE-2024-12243
- CVE-2024-12133
- CVE-2024-8176
13.9.2 May 22, 2025
- Supported sysdig-deploy version: 1.84.2
- Supported Falco Engine version: 1000.42.0
- Supported shield chart version: 1.6.3
Defect Fixes
- The install script now skips unnecessary kernel header installation on Debian systems when universal eBPF is selected, enabling faster, cleaner installs with reduced dependencies.
Vulnerability Fixes
This release addresses the following security vulnerability:
13.9.1 May 09, 2025
- Supported in chart sysdig-deploy version: 1.83.0
- Supported Falco Engine version: 1000.42.0
- Supported in chart shield version: 1.6.0
Defect Fixes
Fixed an issue in the Universal eBPF driver that introduced increased latency for the sendmmsg and recvmmsg syscalls.
13.9.0 May 1, 2025
- Supported in chart sysdig-deploy version: 1.81.0
- Supported Falco Engine version: 1000.42.0
- Supported in chart shield version: 1.4.0
Known Issue
If you’re using Agent version 13.9.0 with the universal_ebpf probe, you may experience high CPU usage and reduced system performance. This issue is related to how the agent handles the sendmmsg and recvmmsg syscalls.
To reduce the impact, update your agent configuration to skip these events:
skip_events_by_type:
  - recvmmsg
  - sendmmsg
Enhancements
Network Security on Secure Light mode
Network Security (NetSec) is now supported in Secure Light mode, providing feature parity with Secure mode, significantly reducing resource consumption while preserving key security functionalities.
Activity Audit container interactive processes tracking
Activity Audit now focuses on interactive processes inside containers by default, making collected data more relevant and reducing noise. Only interactive commands (that is, actions with a bound TTY) generate Activity Audit events.
For example:
- kubectl -it exec POD -- COMMAND: Event is reported (interactive).
- kubectl exec POD -- COMMAND: Event is not reported (non-interactive).
If you prefer to also include non-interactive executions, you can revert to the previous behavior by enabling this option in your dragent.yaml:
secure_audit_streams:
  container_processes_include_non_interactive_exec: true
Response Actions
The new Response Actions feature lets you execute actions on your workloads from Sysdig to respond to ongoing threats and incidents. The actions included in this release are:
- Container kill/stop/pause
- Process kill
- File quarantine
- File acquire
Where applicable, these actions can also be reverted.
For additional information, see Response Actions.
Enhanced overhead of JMX instrumentation
Java process metrics can be scraped only if a corresponding hsperfdata file exists. Processes without the hsperfdata file will be skipped.
A new configuration option allows you to specify a minimum age for hsperfdata files. If an hsperfdata file is younger than this configured threshold, the corresponding Java process will not be scraped.
jmx:
  enforce_hsperfdata_exists: true
  jmx_scrape_delay_seconds: 120
Defect Fixes
- Ensured adherence to agent HTTP health status_port configuration option.
- Optimized performance in processing data received from the recvmsg syscall.
- Improved PostgreSQL protocol parsing in Monitor mode to correctly handle potentially malformed packets.
Vulnerability Fixes
This release addresses the following security vulnerabilities: