Release Notes: Sensor 4.4.1

4.4.1

Package Downloads

What's New

• Using Prometheus for your metrics collection? You can now forward agent health metrics to a push gateway
• Preserve confidentiality in your investigations storage by redacting sensitive data via the new ability to discard sensitive fields
• VMWare vSphere users can now important node UUID as metadata
• Save time when installing Capsule8 with a new, simplified script that installs the sensor and default detections, sets up standard configurations, and optionally pairs with a console instance

Key Improvements

• Using newer kernels? You can now deploy Capsule8 on Linux kernels 5.7 and 5.8
• It’s good security hygiene to only allow signed packages and images in production environments. That’s why our Debian and RPM packages are now signed
• Improved system performance when handling telemetry samples under heavy load and resource limitation
• Improved performance of event processing, alert processing, and sensor heartbeats
• Improved performance with workloads that change working directory frequently
• Remote configuration features via the console are now limited to configuration of detection policy only
• You can now configure the Prometheus monitoring port bind address where the sensor’s operational metrics are published
• If you try to use deprecated alert output configuration options, you will now receive a warning message
• Alerts now report which version of detection content is installed
• You will now receive more explicit errors when SELinux and AppArmor detections are enabled on hosts where these Linux Security Modules are not present
• Error messages for kprobe dmesg are now minimized on modern kernels with functions marked as “notrace”
• Added dynamic enabling of debug endpoints
• The privilegeEscalation policy type has been renamed to UnauthorizedKernelCredentialChange to more accurately reflect the nature of the event
• Improved performance when interactive shell detections are enabled
• Improved performance when connection policies are enabled
• The sensor now supports a complete set of container events on Docker 19.0
• You can now disable inotify-based write tracking to avoid overhead
• When investigations is disabled, you will now experienced reduced overhead of container and lost events
• Investigations streaming JSON format now includes a field describing each event record
• Failure to flush investigations data is now reported as lost data

Bug Fixes

• Fixed extended container metadata not showing in alerts in some circumstances
• Error handling of absent telemetry collection mechanisms is now non-fatal if the telemetry type is not used by any enabled detections
• Fix leak of kretprobes on kernel versions 5.6 and later when the sensor is uncleanly shut down
• Fix crash resulting from specific edge-case data loss scenarios
• Systemd unit file now specifies cgroup delegation to properly support cgroup migration when systemd reloads

Capsule8 sensor now requires the cap_syslog capability. Package-based installations will provide this capability automatically, but Kubernetes-based deployments or other setups that limit capabilities by default may need to be updated to provide this capability.