Host Shield for Linux Release Notes

Welcome to the release notes for Sysdig Linux Host Shield.

Starting from version 13.9.0, the new Linux Host Shield release notes will be available on this page.

14.0.0 June 17, 2025

  • Supported sysdig-deploy version: 1.86.0
  • Supported Falco Engine version: 1000.45.0
  • Supported shield chart version: 1.9.0

This release introduces major changes, including performance improvements, new defaults, and component deprecations. Review carefully, as some updates may require action.

Enhancements

Dynamic Syscall Filtering

Host Shield introduces Dynamic Syscall Filtering, a new capability that improves performance and resilience while reducing resource requirements. This feature is enabled by default. It monitors the system calls required for active features, plugins, and policies, which significantly reduces system call volume and system overhead. The resulting drop in CPU and memory usage matters most in lightweight Host Shield modes and high-load environments. For more details, see Dynamic Syscall Filtering.

Secure Light Default Mode

The shield and sysdig-deploy helm charts now switch to secure_light mode by default when monitor features are not enabled, delivering significantly improved performance and reliability out of the box.

Improved Posture Connectivity Resiliency

Changed the default transport protocol for the Posture feature from nats to https to improve resilience against transient network failures and round-trip communication issues.

New Option to Skip Failed DNS Requests

Previously, the dns_detection feature did not raise events for failed DNS requests. Now, dns_detection processes all DNS requests, including failed ones, and consequently applies policies on the raised events. You can enable the new dns_detection.skip_failed_requests option (disabled by default) in the shield chart to restore the previous behavior of skipping failed DNS requests and prevent related events from being raised. This helps reduce noise if these types of errors are not relevant to your environment.

Flatcar OS supported

Flatcar OS is now supported on Sysdig Shield.

Deprecations

Custom App Checks Sunset

Custom App Checks are no longer supported.

AppChecks Python 2.7

App Checks using Python 2.7 are no longer supported.

Minimum Kernel Version Set to 3.10

Linux kernel versions older than 3.10 are no longer supported.

Defect Fixes

Fixed Kernel Header Install on Debian

  • Fixed an issue where the install script on Debian-based systems unexpectedly installed kernel headers even when universal eBPF was selected.

Vulnerability Fixes

This release addresses the following security vulnerabilities:

13.9.2 May 22, 2025

  • Supported sysdig-deploy version: 1.84.2
  • Supported Falco Engine version: 1000.42.0
  • Supported shield chart version: 1.6.3

Defect Fixes

  • The install script now skips unnecessary kernel header installation on Debian systems when universal eBPF is selected, enabling faster, cleaner installs with reduced dependencies.

Vulnerability Fixes

This release addresses the following security vulnerability:

13.9.1 May 09, 2025

  • Supported in chart sysdig-deploy version: 1.83.0
  • Supported Falco Engine version: 1000.42.0
  • Supported in chart shield version: 1.6.0

Defect Fixes

Fixed an issue in the Universal eBPF driver that introduced increased latency for the sendmmsg and recvmmsg syscalls.

13.9.0 May 1, 2025

  • Supported in chart sysdig-deploy version: 1.81.0
  • Supported Falco Engine version: 1000.42.0
  • Supported in chart shield version: 1.4.0

Known Issue

If you’re using Agent version 13.9.0 with the universal_ebpf probe, you may experience high CPU usage and reduced system performance. This issue is related to how the agent handles the sendmmsg and recvmmsg syscalls.

To reduce the impact, update your agent configuration to skip these events:

skip_events_by_type:
  - recvmmsg
  - sendmmsg 

Enhancements

Network Security on Secure Light mode

Network Security (NetSec) is now supported in Secure Light mode, providing feature parity with Secure mode while significantly reducing resource consumption and preserving key security functionality.

Activity Audit container interactive processes tracking

Activity Audit now focuses on interactive processes inside containers by default, making collected data more relevant and reducing noise. By default, only interactive commands (that is, actions with a bound TTY) generate Activity Audit events.

For example:

  • kubectl -it exec POD -- COMMAND : Event is reported (interactive).
  • kubectl exec POD -- COMMAND : Event is not reported (non-interactive).

If you prefer to also include non-interactive executions, you can revert to the previous behavior by enabling this option in your dragent.yaml:

secure_audit_streams:
  container_processes_include_non_interactive_exec: true
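
To see which processes fall on each side of the interactive/non-interactive split described above, the following added example (not Sysdig's code; the page does not describe how the agent makes this decision) classifies processes by the Linux controlling-terminal field tty_nr in /proc/<pid>/stat. Treating a non-zero tty_nr as "bound TTY" is an assumption, and the stat lines are constructed sample data.

```python
# Constructed /proc/<pid>/stat lines, truncated after the fields used here.
SAMPLE_STAT_LINES = [
    "4242 (bash) S 4200 4242 4242 34816 4242 4194304",   # shell on pts/0
    "4300 (sh) S 4200 4300 4300 0 -1 4194560",           # no terminal
    "4301 (my (odd) proc) S 1 4301 4301 0 -1 4194560",   # comm with ')' and spaces
]


def parse_stat(line):
    """Return (pid, comm, tty_nr) from one /proc/<pid>/stat line."""
    # comm is parenthesised and may itself contain spaces or ')', so cut at
    # the first '(' and the LAST ')' instead of splitting on whitespace.
    lparen, rparen = line.index("("), line.rindex(")")
    fields = line[rparen + 1:].split()
    # Fields after comm: state, ppid, pgrp, session, tty_nr, ...
    return int(line[:lparen]), line[lparen + 1:rparen], int(fields[4])


def tty_device(tty_nr):
    """Decode tty_nr into (major, minor); None means no controlling terminal."""
    if tty_nr == 0:
        return None
    # proc(5): major is bits 15-8, minor is bits 31-20 combined with bits 7-0.
    major = (tty_nr >> 8) & 0xFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 20) << 8)
    return major, minor


def classify(stat_lines):
    """Map pid -> True when the process has a controlling terminal."""
    result = {}
    for line in stat_lines:
        pid, _comm, tty_nr = parse_stat(line)
        result[pid] = tty_device(tty_nr) is not None
    return result


if __name__ == "__main__":
    for line in SAMPLE_STAT_LINES:
        pid, comm, tty_nr = parse_stat(line)
        kind = "interactive" if tty_nr else "non-interactive"
        print(f"{pid:>6} {comm:<16} tty={tty_device(tty_nr)} {kind}")
```

Processes classified False correspond to the non-interactive case above, which appears in Activity Audit only when container_processes_include_non_interactive_exec is set to true.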

Response Actions

The new Response Actions feature lets you execute actions on your workloads from Sysdig to respond to ongoing threats and incidents. The actions included in this release are:

  • Container kill/stop/pause
  • Process kill
  • File quarantine
  • File acquire

Where applicable, these actions can also be reverted.

For additional information, see Response Actions.

Enhanced overhead of JMX instrumentation

Java process metrics can be scraped only if a corresponding hsperfdata file exists. Processes without the hsperfdata file are skipped. A new configuration option allows you to specify a minimum age for hsperfdata files. If an hsperfdata file is younger than the configured threshold, the corresponding Java process is not scraped.

jmx:
  enforce_hsperfdata_exists: true
  jmx_scrape_delay_seconds: 120

Defect Fixes

  • Ensured adherence to agent HTTP health status_port configuration option.
  • Optimized performance in processing data received from the recvmsg syscall.
  • Improved PostgreSQL protocol parsing in Monitor mode to correctly handle potentially malformed packets.

Vulnerability Fixes

This release addresses the following security vulnerabilities: