Last update: 2022-05-18

Release Notes: Sensor 4.4.1

4.4.1

What's new

  • Using Prometheus for your metrics collection? You can now forward agent health metrics to a push gateway
  • Preserve confidentiality in your investigations storage by redacting sensitive data via the new ability to discard sensitive fields
  • VMware vSphere users can now import the node UUID as metadata
  • Save time when installing the sensor with a new, simplified script that installs the sensor and default detections, sets up standard configurations, and optionally pairs with a console instance

Key improvements

  • Using newer kernels? You can now deploy the sensor on Linux kernels 5.7 and 5.8
  • It's good security hygiene to only allow signed packages and images in production environments. That's why our .deb and .rpm packages are now signed
  • Improved system performance when handling telemetry samples under heavy load and resource limitation
  • Improved performance of event processing, alert processing, and sensor heartbeats
  • Improved performance with workloads that change working directory frequently
  • Remote configuration features via the console are now limited to configuration of detection policy only
  • You can now configure the Prometheus monitoring port bind address where the sensor's operational metrics are published
  • If you try to use deprecated alert output configuration options, you will now receive a warning message
  • Alerts now report which version of detection content is installed
  • You will now receive more explicit errors when SELinux and AppArmor detections are enabled on hosts where these Linux Security Modules are not present
  • Error messages for kprobe dmesg are now minimized on modern kernels with functions marked as "notrace"
  • Added dynamic enabling of debug endpoints
  • The privilegeEscalation policy type has been renamed to UnauthorizedKernelCredentialChange to more accurately reflect the nature of the event
  • Improved performance when interactive shell detections are enabled
  • Improved performance when connection policies are enabled
  • The sensor now supports a complete set of container events on Docker 19.0
  • You can now disable inotify-based write tracking to avoid overhead
  • When investigations is disabled, you will now experience reduced overhead from container and lost events
  • Investigations streaming JSON format now includes a field describing each event record
  • Failure to flush investigations data is now reported as lost data

Bug fixes

  • Fixed extended container metadata not showing in alerts in some circumstances
  • Error handling of absent telemetry collection mechanisms is now non-fatal if the telemetry type is not used by any enabled detections
  • Fixed a leak of kretprobes on kernel versions 5.6 and later when the sensor is uncleanly shut down
  • Fixed a crash resulting from specific edge-case data loss scenarios
  • Systemd unit file now specifies cgroup delegation to properly support cgroup migration when systemd reloads

The sensor now requires the cap_syslog capability. Package-based installations provide this capability automatically, but Kubernetes-based deployments or other setups that limit capabilities by default may need to be updated to grant it.
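One way to confirm that a deployed sensor process actually holds cap_syslog is to read its effective capability mask from /proc. The check below is an added example, not part of these release notes or the sensor's own tooling; it assumes the Linux numbering in which CAP_SYSLOG is capability bit 34, and the sensor's PID is whatever you pass in.

```shell
# Added example (not the sensor's own code): check whether a process's
# effective capability set (CapEff in /proc/<pid>/status, a hex bitmask)
# includes CAP_SYSLOG. CAP_SYSLOG is bit 34 in the Linux capability numbering.
CAP_SYSLOG_BIT=34

# cap_syslog_in_mask HEXMASK -> exit 0 if bit 34 is set, 1 otherwise.
# HEXMASK is the bare hex string as printed by /proc/<pid>/status (no 0x).
cap_syslog_in_mask() {
    mask="$1"
    [ $(( (0x$mask >> CAP_SYSLOG_BIT) & 1 )) -eq 1 ]
}

# pid_has_cap_syslog PID -> 0 if CAP_SYSLOG is effective for PID,
# 1 if it is absent, 2 if /proc/PID/status could not be read.
pid_has_cap_syslog() {
    pid="$1"
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status" 2>/dev/null) || return 2
    [ -n "$mask" ] || return 2
    cap_syslog_in_mask "$mask"
}

# Demonstration on the current shell; substitute the sensor's PID in practice,
# e.g. pid_has_cap_syslog "$(pidof <sensor-binary>)" (placeholder name).
if pid_has_cap_syslog "$$"; then
    echo "pid $$: cap_syslog is effective"
else
    echo "pid $$: cap_syslog is absent (or /proc unreadable)"
fi
```

A container started with Docker's default capability set shows a 32-bit CapEff (for example 00000000a80425fb), which fails this check, while a full root set such as 000001ffffffffff passes.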
