“What’s New in Sysdig” is back with the July 2023 edition! My name is Curtis Collicutt, based in Toronto, Canada, and the Sysdig team is excited to share our latest feature releases with you.
This month, Sysdig Secure Live has been enabled for all users!
Secure Live is a powerful tool that assists in the response and investigation into security events, vulnerabilities, and misconfigurations in your infrastructure under one pane of glass, with a simple way to scope the part of the infrastructure you are investigating.
Stay tuned for more updates from Sysdig, and let’s get started!
Sysdig Secure
Sysdig Secure Live Is Enabled for All Users
Sysdig Secure Live has been enabled for all users. For more information on this feature, see the following:
Policy Scope Deprecation: Kubernetes Workload Labels
Deprecation Notice: To improve agent performance and decrease load on the Kubernetes API, the Kubernetes workload metadata will no longer be a valid scope configuration, starting Oct. 18, 2023.
Why: When a policy with one of these scopes is applied, every agent must request the metadata from the Kubernetes API for all clusters. We have found that most policies are created for namespaces, clusters, or other metadata local to the agent. Many of the policies that used this metadata in the scope were used to make an exception for all rules in that policy. Sysdig supports Falco exceptions that are more targeted to a process, container, image, etc. in a specific rule, making for more targeted security rules that provide better performance and security coverage.
What: The following workload metadata will be deprecated from policy scoping:
kubernetes.daemonset.name
kubernetes.deployment.name
kubernetes.statefulset.name
kubernetes.replicaset.name
kubernetes.cronjob.name
kubernetes.cron.name*
Outcome: Existing policies with these scopes will continue to work but cannot be modified with the same labels. New policies cannot be created with these labels in the scope.
Recommendation: If you have used one of these scopes to apply a rule or set of rules, replace it with a scope on kubernetes.namespace.name + container.name.
Example: Replacing kubernetes.deployment.name
Old scope:
kubernetes.namespace.name = default AND
kubernetes.deployment.name = nginx
Supposing a container called nginx exists inside the deployment nginx, replace it with:
kubernetes.namespace.name = default AND
container.name = nginx
You can also get more specific by using images:
kubernetes.namespace.name = default AND
container.name = nginx AND
container.image.repo = quay.io/nginx
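The same narrowing expressed as a targeted Falco exception, which the deprecation note above recommends over workload-wide policy scopes. This is an added example, not from the original post or Sysdig's rules feed: the rule name is a placeholder, and container.image.repository is the Falco field corresponding to the scope label container.image.repo.

```yaml
# Added example (not Sysdig's own rules). Rather than scoping a whole policy to
# kubernetes.deployment.name, which makes every agent query the Kubernetes API,
# attach an exception to the single rule that is noisy for this workload, keyed
# on namespace, container name and image repository.
# "Rule Being Excepted" is a placeholder for the real rule name.
- rule: Rule Being Excepted
  exceptions:
    - name: nginx_in_default
      fields: [k8s.ns.name, container.name, container.image.repository]
      comps: [=, =, =]
      values:
        - [default, nginx, quay.io/nginx]
  append: true
```

Because the match is on container name and image repository rather than a deployment name, the agent evaluates it locally and the exception no longer silences every rule in the policy.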
Admission Controller v0.11.3 Released
Admission Controller v0.11.3 is released. This release removes the Kubernetes workload name from legacy scan secure events, allowing those events to be aggregated in the Secure Events Overview dashboard.
Vulnerability Management APIs Added
The following new API endpoints have been released in Technical Preview to list and filter vulnerability scan results for Pipeline, Registry, and Runtime, as well as to fetch detailed scan results in JSON format:
- Get a list of pipeline scan results:
GET /secure/vulnerability/v1beta1/pipeline-results
- Get a list of registry scan results:
GET /secure/vulnerability/v1beta1/registry-results
- Get a list of runtime scan results:
GET /secure/vulnerability/v1beta1/runtime-results
- Get full scan results:
GET /secure/vulnerability/v1beta1/results
These API endpoints are applicable only to the current Vulnerability scanning engine.
Sysdig Monitor
OpenID Single Logout Support
Sysdig added support for OpenID Single Logout. Using Single Logout, a user can initiate a logout and terminate all sessions without having to log out from each one individually.
For more information, see Configure OpenID Single Logout.
Enhanced Sysdig Platform Audit
The Sysdig Platform Audit has been enhanced to include username and team name in the audit information in addition to user ID and team ID. The feature is Generally Available.
For more information, see Sysdig Platform Audit.
Support for Inspecting and Initiating Captures
The Captures page has been improved by providing you with the ability to inspect captures as well as initiate captures. Earlier, you could initiate captures only in the old Explore.
For more information, see Captures.
Sysdig Agents
12.15.0 June 28, 2023
Feature enhancements
Process Tree
This version of the Sysdig Agent adds support in Sysdig Secure for the Process Tree visualization which enriches the Events feed for workload-based events. This helps with identifying all the processes that led up to the offending process.
To enable this feature:
- Modify the agent ConfigMap and set enrich_with_process_lineage=true.
- Log into Sysdig Secure as administrator and select Settings | Sysdig Labs to toggle the feature on.
The process tree will be visible in the Events detail pane for the events related to workloads that are triggered from that point on.
Added support for Java 7
In Sysdig Agent versions 12.10.0 to 12.14.1, a Java dependency was upgraded to a version that didn’t support Java 7. As a result, those versions cannot run the Java process which collects JMX metrics on any Java 7 JDKs/JREs. This release downgrades the dependency back to a version that supports Java 7.
Added support for Node Cost Metrics
Sysdig Agent now supports node cost metrics when using the thin cointerface.
Vulnerability fixes
Addressed CVE-2023-0286 by upgrading the OpenSSL version in the agent to 1.1.1t.
Defect fixes
Metrics parity between Secure and Secure Light modes
The Sysdig Agent will now report the same set of metrics in both secure and secure_light modes, which means that the program metrics in secure mode will also be restricted to the dragent process or container.
Enhanced execution time accounting
Fixed system execution time accounting for certain events which would cause incorrect reporting of agent I/O metrics.
Support for s390x for Ubuntu
Recent s390x Linux distributions, including Ubuntu v20.04, require the compiler to support the -march=z13/-mtune=z15 flags when building kernel modules. The gcc version used in the agent-kmodule image for the s390x platform has been upgraded to gcc-12, which supports the required flags.
SDK, CLI, and Tools
Sysdig CLI
v0.7.14 is still the latest release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:
https://sysdiglabs.github.io/sysdig-platform-cli/
Python SDK
The Python SDK remains at v0.16.6
Terraform Provider
We have just released version 1.10.0 of the Terraform provider. This release includes:
- Ability to manage posture zones
- Ability to fetch posture policies
- Ability to set zones on secure teams
https://docs.sysdig.com/en/docs/developer-tools/terraform-provider
Terraform Modules
- AWS Sysdig Secure for Cloud remains unchanged at v10.0.9.
- GCP Sysdig Secure for Cloud remains unchanged at v0.9.10.
- Azure Sysdig Secure for Cloud remains unchanged at v0.9.5.
Falco VSCode Extension
v0.1.0 is still the latest release.
https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0
Sysdig Cloud Connector
New Cloud Connector release (v0.16.43) under helm chart 0.8.2:
- Fix: add aws-cloudtrail-s3-sns-sqs ingestor type for CIEM
- Fix: FALCO rules error on appending exceptions
Admission Controller
New Admission Controller release (v3.9.24) under helm chart 0.11.3.
Sysdig CLI Scanner
Sysdig CLI Scanner remains at v1.5.0.
https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/
Sysdig Secure Inline Scan Action
The latest release remains unchanged at v3.5.0.
https://github.com/marketplace/actions/sysdig-secure-inline-scan
Sysdig Secure Jenkins Plugin
The Sysdig Secure Jenkins Plugin remains at version v2.3.0.
https://plugins.jenkins.io/sysdig-secure/
Prometheus Integrations
A new release of Prometheus Integrations is available:
https://github.com/draios/prometheus-integrations/releases/tag/v1.16.0
Integrations:
- Fix: Preserve istio_build and pilot_proxy_convergence_time_bucket metrics on IstioD job
- Feat: Add support for Istio 1.16
- Docs: Fix k8s-PVC integration prerequisites
- Feat: Add in Windows Installer an option to change the Prometheus agent port
- Fix: Some control plane integrations have wrong label used for aggregation
- Feat: Tweak PromQL filters to avoid a large number of time series in the subqueries
- Test: Create a test to check the Prometheus jobs files are correct
Sysdig On-premise
On-prem release v6.3 has been live since July 11th
- Risk Spotlight feature is now available for on-premise deployments
- Process Tree Visualization in the Events Feed is also available
- Full release notes and further information
Falco Threat Detection Rules Changelog
Several versions of the rules have been released in the last months. Below are the release notes for the most recent rules changes.
https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog/
- Reduced false positives for the following rules:
- AWS SSM Agent File Write
- Possible Backdoor using BPF
- Change thread namespace
- Improved performance for the following rules:
- Shell binaries opening connections
- Drop and execute new binary in container
- Updated the IoCs Ruleset with new findings
Open Source
Falco
Falco 0.35.1 is now available.
https://github.com/falcosecurity/falco/releases/tag/0.35.1
New Website Resources
Blogs
Architecting Cloud Instrumentation
How to Deal with Hundreds of Fixes? Choosing the Right Vulnerability Management Solution
SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto
Cloud Defense in Depth: Lessons from the Kinsing Malware
Webinars
July 13 – Black Hat webinar Unpacking Supply Chain & Cloud Security Risks
July 18 – Spotting Vulnerabilities at Rest and at Runtime
July 27 – OWASP Kubernetes Top 10 Projects: What Risks You Need to Prioritize in 2023
How mx51 manages security and risk without impacting innovation and efficiency
Lessons from the Trenches: Maintaining Effective Security in Cloud
Navigating Cloud and Container Security Risk
Shift Cloud Security Left and Right with CNAPP, Powered by Runtime Insights
Sysdig Education
Monitoring Integrations – https://learn.sysdig.com/monitoring-integrations
Windows Monitoring (hands-on lab) – https://learn.sysdig.com/windows-monitoring
Intro to Secure (video) – https://www.youtube.com/watch?v=jJv4_HTxwVI
Intro to Monitor (video) – https://www.youtube.com/watch?v=SyD_4sNadAQ
Vulnerability Management Landing Page (video) – https://www.youtube.com/watch?v=1_uPQnVKZAI
Sysdig Live – https://www.youtube.com/watch?v=bo1D-jQssw8
Process Trees – https://www.youtube.com/watch?v=wqf_ZY_cqwQ