Host Shield for Linux Release Notes
Deprecation Notice
Upcoming Changes to Sysdig Product Line
In an upcoming release, expected after May 2025, the following changes will take effect:
Updated Kernel Support Policy
The minimum supported Linux kernel version will be 3.10.
Users running older kernel versions should plan to upgrade to maintain compatibility and support.
End of Support for Python 2.7
- To enhance security, stability, and performance, support for Python 2.7 will be discontinued.
- Python 2.7 reached its official End of Life in January 2020.
- Sysdig recommends updating to a supported Python version.
Deprecation of Custom AppChecks
To improve Sysdig Monitor functionality and streamline integrations, Sysdig will sunset Custom AppChecks.
Sysdig strongly recommends transitioning to Monitoring Integrations for better performance and support.
Starting from version 13.9.0, the new Linux Host Shield release notes will be available on this page.
13.9.1 May 09, 2025
- Supported in chart sysdig-deploy version: 1.83.0
- Supported Falco Engine version: 1000.42.0
- Supported in chart shield version: 1.6.0
Defect Fixes
Fixed an issue in the Universal eBPF driver that introduced increased latency for the sendmmsg and recvmmsg syscalls.
13.9.0 May 1, 2025
- Supported in chart sysdig-deploy version: 1.81.0
- Supported Falco Engine version: 1000.42.0
- Supported in chart shield version: 1.4.0
Known Issue
If you’re using Agent version 13.9.0 with the universal_ebpf probe, you may experience high CPU usage and reduced system performance. This issue is related to how the agent handles the sendmmsg and recvmmsg syscalls.
To reduce the impact, update your agent configuration to skip these events:
skip_events_by_type:
  - recvmmsg
  - sendmmsg
Enhancements
Network Security on Secure Light mode
Network Security (NetSec) is now supported in Secure Light mode. It provides feature parity with Secure mode while significantly reducing resource consumption and preserving key security functionality.
Activity Audit container interactive processes tracking
Activity Audit now focuses on interactive processes inside containers by default, making collected data more relevant and reducing noise. By default, only interactive commands (i.e., actions with a bound TTY) generate Activity Audit events.
For example:
- kubectl -it exec POD -- COMMAND: Event is reported (interactive).
- kubectl exec POD -- COMMAND: Event is not reported (non-interactive).
If you prefer to also include non-interactive executions, you can revert to the previous behavior by enabling this option in your dragent.yaml:
secure_audit_streams:
  container_processes_include_non_interactive: true
Response Actions
The new Response Actions feature lets you execute actions on your workloads from Sysdig to respond to ongoing threats and incidents. The actions included in this release are:
- Container kill/stop/pause
- Process kill
- File quarantine
- File acquire
Where applicable, these actions can also be reverted.
For additional information, see Response Actions.
Enhanced overhead of JMX instrumentation
Java process metrics can be scraped only if a corresponding hsperfdata file exists. Processes without the hsperfdata file will be skipped.
A new configuration option lets you specify a minimum age for hsperfdata files. If an hsperfdata file is younger than this configured threshold, the corresponding Java process will not be scraped.
jmx:
  enforce_hsperfdata_exists: true
  jmx_scrape_delay_seconds: 120
Defect Fixes
- Ensured adherence to agent HTTP health status_port configuration option.
- Optimized performance in processing data received from the recvmsg syscall.
- Improved PostgreSQL protocol parsing in Monitor mode to correctly handle potentially malformed packets.
Vulnerability Fixes
This release addresses the following security vulnerabilities: