Skip to content
Last update: 2022-05-12

Release Notes: Sensor 4.3.0

4.3.0

What's new

  • Introducing Pluggable Authentication Modules (PAM) credential enrichment support. Incidents and audit events now contain user and group information from users who authenticated via PAM using LDAP, Kerberos, or other PAM modules
  • Tampering with SMEP and SMAP (processor-level security mechanisms on Linux) is likely to result in a bad time for your hosts. This is why we now support detecting SMEP/SMAP tampering attempts in Linux 5.3 kernels and later.
  • New Userfaultfd detection: detects when suspicious activity using the userfaultfd syscall occurs from a newly executed file
  • New interactive shell detection: detects shells descending from common web servers and taints shells that execute suspicious commands
  • New arbitrary uprobe policy type: allows monitoring custom behaviours in userland programs 

Key improvements

  • Using newer kernels? You can now apply resource limits (CPU or memory usage) on systems with cgroupsv2 
  • Tougher under pressure: we improved event handling under heavy load and when experiencing event loss
  • The privilege escalation detection was improved to reduce false positives 
  • We made filtering of detection rules and allowlists/blocklists more efficient by adding performance optimizations around rule evaluation
  • We don't want you to cry-o, which is why there's now better out-of-the-box performance for users running CRI-O as their container runtime 
  • Startup performance and memory usage was given a boost. When indexing the state of the system at startup, we now only subscribe to a small subset of events
  • To minimize false positive alerts during sensor startup, alerts can no longer be generated from data gathered during baselining 
  • The remote interactive shell detection now subscribes to less data from the kernel
  • Hosts running Linux kernels v. 5.7 are now supported
  • Want to monitor the health of connectivity between the sensor and your SIEM? You can now do so via the metrics endpoint, which now contains a count of failed alert dispatches 
  • Dropped alerts are now reflected in the lost data Investigations table
  • Internal event queue sizes are now tunable to allow for reduced memory usage
  • For users with container-based deployments, the sensor container's base image has now been updated to Alpine 3.11
  • A stack trace is now logged when SIGUSR1 is sent to the sensor, making certain kinds of debugging and troubleshooting easier
  • Can't get enough of MITRE ATT&CK? We refined the category mappings in Default Detections for more precise mapping to the MITRE ATT&CK framework 

Notable bug fixes

  • The resource limiter now properly sets CPU affinity to run on all cores instead of only the first core when enabled 
  • An infrequent deadlock when starting the sensor on a busy system has been resolved 
  • Alerts are now dispatched in a predictable order when multiple detections produce an alert from the same event
  • It's once again possible to monitor specific cgroups instead of the whole system
  • Failure to set probes due to missing kernel functions are now reported as errors when starting the sensor
  • Attempting to scan with YARA signatures that are invalid now warns and proceeds instead of aborting the scan with an error message 
  • The sensor now properly updates the kretprobe maxactive setting on kernels 5.6 and later to avoid data loss
  • A memory leak that occurred when remote policy fetching was enabled has been fixed
  • Autodetection of kernel information no longer fails when VFS subsystem is inlined by compiler optimizations
  • The sensor now descriptively prints an error and exits when the required /proc filesystem mount is missing or inaccessible instead of crashing 
  • The sensor now descriptively prints an error when the analytics configuration is incorrect instead of crashing 
Back to top