Running SuSE or OpenSuSE? Packages are now available for both distributions
Detection of unwanted BPF Programs is now more tightly scoped to cover only potentially dangerous actions and has much better performance on systems running other BPF-enabled monitoring agents
You can now filter Investigations data before it is transferred to a durable store off-host to avoid leaking sensitive data
Telemetry clients can now specify a list of PIDs and TGIDs to filter in their subscriptions
Key Improvements
The Spectre/Meltdown detection now disables itself automatically in virtualized environments where hardware performance counters are unavailable
The Processor-Level Protections Disabled detection now disables itself automatically on host kernels where this feature is inaccessible
Customers with file detections enabled will experience improved performance
File descriptor resource limit requirements are now appropriately validated on startup
You can now query the average delay of event processing via the metrics endpoint
Determination of whether or not a shell is considered interactive is now more accurate
Improved performance and memory usage of basic process state tracking
Using program allowlists? You’ll now experience improved performance and reduced event drops for allowlisted programs that generate events frequently, since their events are now filtered in the kernel
Kernel support data is now bundled for version 5.9 Linux kernels
The Cloud Metadata API Accessed detection now has lower CPU overhead
When a kernel supports BTF, you will experience reduced memory usage by the sensor
The sensor now prints an error message when its configuration files are world-readable or world-writable to avoid accidental leaks of authentication keys and policy configuration
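The permission check described above, as an added illustration rather than the sensor's own code: it reports configuration files whose mode allows users other than the owner to read or write them. The file names in the demo are constructed.

```python
import os
import stat

# Mode bits that let any user on the host read or write the file.
WORLD_READABLE = stat.S_IROTH
WORLD_WRITABLE = stat.S_IWOTH


def config_permission_problems(path):
    """Return a list of problems with the mode of `path`.

    An empty list means the file is neither world-readable nor
    world-writable. A missing file is reported as a problem as well.
    """
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"{path}: not found"]
    perm = stat.S_IMODE(mode)
    problems = []
    if mode & WORLD_READABLE:
        problems.append(f"{path}: world-readable (mode {perm:04o})")
    if mode & WORLD_WRITABLE:
        problems.append(f"{path}: world-writable (mode {perm:04o})")
    return problems


def check_config_files(paths):
    """Check every configuration file; return (ok, messages)."""
    messages = []
    for path in paths:
        messages.extend(config_permission_problems(path))
    return (not messages, messages)


if __name__ == "__main__":
    import tempfile
    # Constructed demo: one correctly restricted file, one leaky key file.
    with tempfile.TemporaryDirectory() as d:
        safe = os.path.join(d, "sensor.yaml")
        leaky = os.path.join(d, "auth.key")
        for name in (safe, leaky):
            open(name, "w").close()
        os.chmod(safe, 0o600)
        os.chmod(leaky, 0o644)
        ok, msgs = check_config_files([safe, leaky])
        print("ok" if ok else "\n".join(msgs))
```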
Bug Fixes
The CmdLine process information field is now usable within alert templates
Capabilities are now properly set during installation on old userlands
Fixed cases of missing credentials when an alert is emitted after process events are lost
Exits of network services are now properly tracked
Unprivileged users can no longer customize where the sensor reads its configuration from
Alert templates containing Parent and CurrentWorkingDirectory references now function as they did in version 4.3
Breaking Changes
The sensor now refuses to start on outdated, unsupported kernels
Legacy NATS and Go Micro-based protocol has been retired
Conflicting configurations for alert outputs are now rejected