4.4.1
What's New
- Using Prometheus for your metrics collection? You can now forward agent health metrics to a push gateway
- Preserve confidentiality in your investigations storage by redacting sensitive data via the new ability to discard sensitive fields
- VMware vSphere users can now import node UUID as metadata
- Save time when installing Capsule8 with a new, simplified script that installs the sensor and default detections, sets up standard configurations, and optionally pairs with a console instance
Key Improvements
- Using newer kernels? You can now deploy Capsule8 on Linux kernels 5.7 and 5.8
- It’s good security hygiene to only allow signed packages and images in production environments. That’s why our Debian and RPM packages are now signed
- Improved system performance when handling telemetry samples under heavy load and resource limits
- Improved performance of event processing, alert processing, and sensor heartbeats
- Improved performance with workloads that change working directory frequently
- Remote configuration features via the console are now limited to configuration of detection policy only
- You can now configure the Prometheus monitoring port bind address where the sensor’s operational metrics are published
- If you try to use deprecated alert output configuration options, you will now receive a warning message
- Alerts now report which version of detection content is installed
- You will now receive more explicit errors when SELinux and AppArmor detections are enabled on hosts where these Linux Security Modules are not present
- Kprobe-related dmesg error messages are now minimized on modern kernels with functions marked as “notrace”
- Added dynamic enabling of debug endpoints
- The privilegeEscalation policy type has been renamed to UnauthorizedKernelCredentialChange to more accurately reflect the nature of the event
- Improved performance when interactive shell detections are enabled
- Improved performance when connection policies are enabled
- The sensor now supports a complete set of container events on Docker 19.0
- You can now disable inotify-based write tracking to avoid overhead
- When the investigations feature is disabled, you will now experience reduced overhead from container events and lost events
- Investigations streaming JSON format now includes a field describing each event record
- Failure to flush investigations data is now reported as lost data
Bug Fixes
- Fixed extended container metadata not showing in alerts in some circumstances
- Error handling of absent telemetry collection mechanisms is now non-fatal if the telemetry type is not used by any enabled detections
- Fixed leak of kretprobes on kernel versions 5.6 and later when the sensor is uncleanly shut down
- Fixed crash resulting from specific edge-case data loss scenarios
- Systemd unit file now specifies cgroup delegation to properly support cgroup migration when systemd reloads
The Capsule8 sensor now requires the cap_syslog capability. Package-based installations will provide this capability automatically, but Kubernetes-based deployments or other setups that limit capabilities by default may need to be updated to provide this capability.
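For a Kubernetes-based deployment, the capability is granted through the sensor container's securityContext. The fragment below is an added example, not a Capsule8 manifest; the DaemonSet name, container name and image are placeholders, and any other capabilities the sensor already requires are left as configured.

```yaml
# Added example (not Capsule8's own manifest): grant CAP_SYSLOG to the
# sensor container of a DaemonSet. Names and image are placeholders.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: capsule8-sensor            # placeholder
spec:
  selector:
    matchLabels:
      app: capsule8-sensor
  template:
    metadata:
      labels:
        app: capsule8-sensor
    spec:
      containers:
        - name: sensor
          image: REPLACE_WITH_SENSOR_IMAGE   # placeholder
          securityContext:
            capabilities:
              # Kubernetes names capabilities without the CAP_ prefix,
              # so cap_syslog is requested as SYSLOG. Keep any capabilities
              # the sensor already needs in this list as well.
              add:
                - SYSLOG
```

If a PodSecurityPolicy or admission controller restricts allowed capabilities, SYSLOG must also be permitted there, or the pod will be rejected at admission time.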