Release date 2/21/2018
In the 1.6.9 release we added security and stability improvements and enhanced the following agent features:
- Threat Stack Agent: Increased capture of supplementary event data.
- Docker Integration: Updated caching to improve containerId mapping to events.
- Logging: Updated logging output for cleaner results.
Archived Agent Release Information
Release date 12/18/2017
The Agent 1.6.8 release focuses on improved agent performance. Threat Stack made the following enhancements to the 1.6.8 Agent release:
- CoreOS: enhanced the CoreOS installer (installation instructions updated)
- Containers: enhanced image and system analysis for more in-depth security assessments
- FIM: enhanced fanotify handling and debugging mode to improve agent robustness
Additionally, Threat Stack no longer supports Amazon Linux distro 2012.03.
Release date 10/18/2017
In the 1.6.7 release we added numerous security improvements and enhanced the following agent features:
- Docker: updated Docker event publishing implementation for better resource utilization
- CoreOS support: new installation script provides silent mode and clean exit
- Threat Stack Agent: standardized format for operating systems and hosts across major and minor Linux versions
- FIM: implemented a lightweight communication system for better performance
Additional agent improvements include:
- CoreOS support:
  - filename description
  - single command to initiate installation and setup
- Threat Stack Agent:
  - output agent package information on startup to improve support
  - changed the default vulnerability collection method
  - better use of CPU resources
  - increased data accuracy surrounding timestamps
- Alerts: increased alert details to include usernames and IP fields
- FIM and Docker: better handling of large bursts of events
Release date 8/24/2017
We improved the following feature functionality:
- Switching `agent_type` from Investigate to Monitor no longer sends extra audit events
- Switching `agent_type` from Monitor to Investigate updates the agent to send audit events
- Unlink is now consistently captured and checked for success. This should fix application instability or crashing when memory is not available.
With the 1.6.5 release, we improved:
- Agent performance, by using the Docker API for container identification
- File system performance for agents using the Docker integration
- Container tracking across restarts of the Docker daemon
- Additional information pulled from 2FA login failure events
- FIM and login events
Threat Stack will no longer support the Ubuntu 12.04 (precise) agent
- CoreOS installer automatically configures Agent container support
- Improved performance and reliability on Docker hosts with a large number of paused containers
- Using the --force option with the CoreOS installer will no longer report "integer expression expected"
- Additional cleanup, logging improvements and updates to internal libraries
- Support for CoreOS:
  - Agent has been qualified for CoreOS Stable v1353.8.0 and later
  - We ship an installer script for customers to facilitate installing the agent and its dependencies, as well as a systemd service configuration
  - README.md with additional information
- Improved handling of deployment scenarios where the agent is started by the OS before being properly configured and registered
- Improved handling of cases with large amounts of Docker container metadata
- Performance improvements for Docker container support
- Improved connection handling and detection of connection issues to Threat Stack platform
- Expanded the agent status check to allow customers to query whether the agent is sending data to the platform
- Resolved an issue where agent installation would create files in /mnt/jenkins
- Improved support for authentication failures on CentOS 6 - user and source IP are now sent as discrete data available for alerting and searching
- Support for new Threat Stack Monitor and Investigate plans
- Support for Docker 1.13.0
- Resolved an issue where a Docker event could become unassociated with its originating container
- Major upgrade to agent core engine optimizing CPU utilization, memory consumption and providing additional security and stability enhancements
Not publicly released
- Added support for Docker 1.12.4
- Added support for Docker 1.12
- Fixed an issue where using yum erase to remove the Threat Stack agent on a system without perl installed could cause issues with /etc/pam.d/sshd configuration
- Added additional configuration options to drop specific kernel audit messages from raw audit log
- Improved handling of group modification events for local accounts
- Added support for capturing authentication failures for Google Authenticator
- Faster updating of File Integrity Monitoring (FIM) rules in the agent
- Additional Docker integration enhancements
- Updated Docker integration to reduce CPU load
- Upgraded internal components for performance, reliability and security
- Resolved directory permissions issue on /opt/threatstack/etc
- Resolved an issue where the tscontainersd sensor for Docker events could crash under certain circumstances on Amazon Linux
- The agent now writes its configuration parameters to a JSON-formatted file at /opt/threatstack/cloudsight/config/config.json. This lists all the variables configured for the agent and can be used to inspect agent state
- Added a configuration option to output raw audit framework messages to a log file
Not publicly released
- Improved efficiency in calling Docker APIs, resulting in lower CPU utilization
- Better handling of Docker registry format changes to handle Docker 1.1x and greater
- Improved login failure tracking to catch failed public key authentication attempts
- Stability and performance enhancements
- Reduced occurrences of encoded process names from deleted processes showing up in the Threat Stack UI
- Updated installed package scanning to better support Amazon Linux and Red Hat distributions
- Enhanced login failure tracking to provide more information on attempts by users
- Resolved an issue where, in certain circumstances, FIM rule changes were not pushed to the agent in a timely manner
- Added support for an upcoming feature for scanning locally installed packages for vulnerabilities
- Additional improvements to our internal process control to reduce instances where we restart our sensors due to a system issue
- Resolved an issue where, under certain load circumstances, the agent could consume more CPU than necessary
- Improved upgrade performance
- Logging kernel, distro, and Threat Stack server data
- Ability for customers to redact process arguments
- Additional information for FIM events
- Removed unused network features from the agent to reduce CPU and network load on the host system
- Upgraded embedded node.js to v0.10.41
- Resolved an issue in v1.3.2 when starting the agent on Amazon Linux
v1.3.3 - not publicly released
v1.3.2 - release 10/29/2015
- Includes host system information in cloudsight.log when the agent starts
- Resolves an issue on Ubuntu 12.04 where the installer doesn’t properly configure login tracking
- Fix for handling large Docker containers
v1.3.1 - release 10/5/2015
- Support for auditing events from Docker Containers
- Upgraded internal libraries
- Packaging improvements
- Agent will warn at runtime if it detects an incompatible kernel version, and then shut down
- Stability and performance enhancements
v1.2.4 - released 9/14/2015
- Fixed another issue with process supervision
v1.2.3 - released 9/10/2015
- Fixed an issue where our process supervisor was too aggressive with restarting agent components
- Stability and performance improvements
v1.2.1 - released 7/22/2015
- Improved support for Stacked Ruleset feature
- File integrity rule exclusions no longer require a full path
- Improved performance for systems under heavy network load
v1.2.0 - released 6/30/2015
- Support for an upcoming feature release to support multiple policies per agent
- Added timestamps to log files
- This is the last version of the agent that will be provided for 32-bit systems and for Ubuntu 10.04
v1.1.11 - released 5/20/2015
- Fixed a bug where a user could not register an agent using a configuration file and the --config= run time flag.
v1.1.10 - released 5/1/2015
- Set a hard package conflict on linux-image-3.13.0-51-generic, so the TS agent and that kernel cannot be installed together. See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1450442 for more info
- Update the post-install files to ensure the audit rules get loaded correctly on install and upgrade.
v1.1.9 - released 4/28/2015
- Refactor and improve init script to include better pid file management
- Include basic support for Debian 7.x - official packages will be available soon.
v1.1.7 - released 3/11/2015
- Fixed a race condition where the tsfim process could start twice, fail to bind, and cause the agent to fail at startup
- Ignore FIM events from Cloudsight agent.
- Cache user lookups
- Ensure that when the threatstack system user is created, we explicitly set a false login shell.
v1.1.6 - released 3/2/2015
- Add configuration option (cloudsight config disable_fim=1) to allow disabling file integrity monitoring on the agent.
- Disable DNS resolution queries by default. (To enable use cloudsight config disable_dns_lookups=0)
- Performance fixes related to reading tsaudit.log on restart.
- With additional tuning we no longer need larger logs on nodes - reduced the max tsauditd.log size to 50MB
v1.1.4 - released 2/9/2015
- Set tsaudit.log to roll at 100MB max log size.
- Add better restart logic when tsaudit is idle
- Fixed a few bugs related to DNS resolution that could contribute to high CPU and network usage.
v1.1.3 - released 1/19/2015
- Send internal IP addresses so the UI can display them on the agents page (instead of only the external IP address)
- Add a --hostname configuration flag, which at new agent registration lets the user define the friendly name the agent will display in the UI. This defaults to the system's hostname when not set.
v1.1.2 - released 1/19/2015
- Add memory stats to agent tracking for logging RSS memory usage.
- Update local logging to not include superfluous heartbeat logging messages.
- Fix packaging to properly remove /opt/threatstack when uninstalling agent
- Add a check to fail when ts_fanotifyLL_new init fails
- Check for kernel version >= 2.6.37 to enable fanotify
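The two kernel constraints recorded in these notes (fanotify needs a kernel of at least 2.6.37, and the agent package conflicts with linux-image-3.13.0-51-generic) can be checked before installation. The following is an added example, not Threat Stack's own code; it assumes both checks can be reduced to inspecting the `uname -r` string, and the kernel strings in the test are constructed samples.

```python
import platform
import re
from typing import Dict, Optional, Tuple

# Added example, not Threat Stack code: a pre-install check that mirrors two
# changelog items, fanotify needing kernel >= 2.6.37 (v1.1.2) and the package
# conflict with linux-image-3.13.0-51-generic (v1.1.10).
FANOTIFY_MIN_KERNEL = (2, 6, 37)
CONFLICTING_KERNELS = {"3.13.0-51-generic"}


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '2.6.32-504.el6.x86_64' into
    (major, minor, patch); distro suffixes after the numbers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fanotify_supported(release: str) -> bool:
    """True when the kernel is new enough for the agent's fanotify-based FIM."""
    return parse_kernel_release(release) >= FANOTIFY_MIN_KERNEL


def is_conflicting_kernel(release: str) -> bool:
    """True when the running kernel is one the agent package refuses to coexist with."""
    return release in CONFLICTING_KERNELS


def preflight(release: Optional[str] = None) -> Dict[str, object]:
    """Summarise agent compatibility for a kernel release (default: this host)."""
    if release is None:
        release = platform.release()
    fim = fanotify_supported(release)
    conflict = is_conflicting_kernel(release)
    return {
        "release": release,
        "fanotify": fim,
        "conflicting_kernel": conflict,
        # An old kernel makes the agent shut down at runtime (v1.3.1 note),
        # so either finding blocks installation.
        "ok": fim and not conflict,
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```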
v1.1.1 - released 1/15/2015
- Fix and update various Info log messages to Debug.
v1.1.0 - released 1/14/2015
- Updates to the agent to support Signed Apt and Yum repositories
- Threat Stack Agent package name is now "threatstack-agent"
- Updates to how the agent can be registered - now supports command line flags as well as path to a file with deploy key and policy name/ID.
- Add tunable for disabling DNS resolution for network connections.
- Removed sys_socket syscall as it's no longer required and can cause performance issues.
- Numerous performance updates and improvements around File Integrity Monitoring and audit improvements
v1.0.24 - released 11/8/2014
- Resolves an issue where agents running on Amazon EC2 instances may not properly register their instance-id, resulting in agent status not displaying properly