Host Shield for Linux Release Notes

13.9.2 May 22, 2025

• Supported sysdig-deploy version: 1.84.2
• Supported Falco Engine version: 1000.42.0
• Supported shield chart version: 1.6.3

Defect Fixes

• The install script now skips unnecessary kernel header installation on Debian systems when universal eBPF is selected, enabling faster, cleaner installs with reduced dependencies.

Vulnerability Fixes

This release addresses the following security vulnerability:

• CVE-2025-46569

13.9.1 May 09, 2025

• Supported in chart sysdig-deploy version: 1.83.0
• Supported Falco Engine version: 1000.42.0
• Supported in chart shield version: 1.6.0

Defect Fixes

Fixed an issue in the Universal eBPF driver that introduced increased latency for the sendmmsg and recvmmsg syscalls.

13.9.0 May 1, 2025

• Supported in chart sysdig-deploy version: 1.81.0
• Supported Falco Engine version: 1000.42.0
• Supported in chart shield version: 1.4.0

Known Issue

If you’re using Agent version 13.9.0 with the universal_ebpf probe, you may experience high CPU usage and reduced system performance. This issue is related to how the agent handles the sendmmsg and recvmmsg syscalls.

To reduce the impact, update your agent configuration to skip these events.

skip_events_by_type:
  - recvmmsg
  - sendmmsg 

Enhancements

Network Security on Secure Light mode

Network Security (NetSec) is now supported in Secure Light mode, providing feature parity with Secure mode, significantly reducing resource consumption while preserving key security functionalities.

Activity Audit container interactive processes tracking

Activity Audit now focuses on interactive processes inside containers by default, making collected data more relevant and reducing noise. By default only interactive commands (i.e: Actions with a bound TTY) will generate Activity Audit events.

For example:

• kubectl -it exec POD -- COMMAND : Event is reported (interactive).
• kubectl exec POD -- COMMAND : Event is not reported (non-interactive)

If you prefer to also include non-interactive executions, you can revert to the previous behavior by enabling this option in your dragent.yaml

secure_audit_streams:
  container_processes_include_non_interactive: true

Response Actions

The fresh new Response Actions feature has been added, allowing you to execute actions on your workloads from Sysdig, to respond to ongoing threats and incidents. The actions included in this release are:

• Container kill/stop/pause
• Process kill
• File quarantine
• File acquire

They are also complemented with the possibility to be reverted, when applicable.

For additional information, see Response Actions

Enhanced overhead of JMX instrumentation

Java process metrics can be scraped only if a corresponding hsperfdata file exists. Processes without the hsperfdata file will be skipped. New configuration option allows you to specify a minimum age for hsperfdata files. If an hsperfdata file is younger than this configured threshold, the corresponding Java process will not be scraped.

jmx:
  enforce_hsperfdata_exists: true
  jmx_scrape_delay_seconds: 120

Defect Fixes

• Ensured adherence to agent HTTP health status_port configuration option.
• Optimized performance in processing data received from the recvmsg syscall.
• Improved PostgreSQL protocol parsing in Monitor mode to correctly handle potentially malformed packets.

Vulnerability Fixes

This release addresses the following security vulnerabilities:

• CVE-2025-30204
• CVE-2024-40635
• CVE-2024-8176
• CVE-2024-7592
• CVE-2025-29923