Introducing Pluggable Authentication Modules (PAM) credential enrichment support. Incidents and audit events now contain user and group information for users who authenticated via PAM using LDAP, Kerberos, or other PAM modules
Tampering with SMEP and SMAP (processor-level security mechanisms on Linux) is likely to result in a bad time for your hosts. This is why we now support detecting SMEP/SMAP tampering attempts in Linux 5.3 kernels and later.
New Userfaultfd detection: detects when suspicious activity using the userfaultfd syscall occurs from a newly executed file
New interactive shell detection: detects shells descending from common web servers and taints shells that execute suspicious commands
New arbitrary uprobe policy type: allows monitoring custom behaviours in userland programs
Key Improvements
Using newer kernels? You can now apply resource limits (CPU or memory usage) on systems with cgroupsv2
Tougher under pressure: we improved event handling under heavy load and when experiencing event loss
The privilege escalation detection was improved to reduce false positives
We made filtering of detection rules and allowlists/blocklists more efficient by adding performance optimizations around rule evaluation
We don’t want you to cry-o, which is why there’s now better out-of-the-box performance for users running CRI-O as their container runtime
Startup performance and memory usage were given a boost. When indexing the state of the system at startup, we now only subscribe to a small subset of events
To minimize false positive alerts during sensor startup, alerts can no longer be generated from data gathered during baselining
The remote interactive shell detection now subscribes to less data from the kernel
Hosts running Linux kernels v. 5.7 are now supported
Want to monitor the health of connectivity between the C8 sensor and your SIEM? You can now do so via the metrics endpoint, which contains a count of failed alert dispatches
Dropped alerts are now reflected in the lost data Investigations table
Internal event queue sizes are now tunable to allow for reduced memory usage
YARA signatures may now be deployed via the Capsule8 console
For users with container-based deployments, the C8 sensor container’s base image has now been updated to Alpine 3.11
A stack trace is now logged when SIGUSR1 is sent to the sensor, making certain kinds of debugging and troubleshooting easier
Can’t get enough of MITRE ATT&CK? We refined the category mappings in Default Detections for more precise mapping to the MITRE ATT&CK framework
Notable Bug Fixes
The resource limiter now properly sets CPU affinity to run on all cores instead of only the first core when enabled
An infrequent deadlock when starting the sensor on a busy system has been resolved
Alerts are now dispatched in a predictable order when multiple detections produce an alert from the same event
It is once again possible to monitor specific cgroups instead of the whole system
Failures to set probes due to missing kernel functions are now reported as errors when starting the sensor
Attempting to scan with YARA signatures that are invalid now warns and proceeds instead of aborting the scan with an error message
The sensor now properly updates the kretprobe maxactive setting on kernels 5.6 and later to avoid data loss
A memory leak that occurred when remote policy fetching was enabled has been fixed
Autodetection of kernel information no longer fails when the VFS subsystem is inlined by compiler optimizations
The sensor now descriptively prints an error and exits when the required /proc filesystem mount is missing or inaccessible instead of crashing
The sensor now descriptively prints an error when the analytics configuration is incorrect instead of crashing