Release date 8/10/2017
With the 1.6.5 release, we improved:
- Agent performance by using the Docker API for container identification
- File system performance for agents using Docker integration
- Container tracking across restarts of Docker daemon
- Additional user and source IP information pulled from 2FA login failure events
- FIM event handling on CentOS 7
- Logging for better problem diagnosis
Threat Stack will no longer support the Ubuntu 12.04 (precise) agent
Archived Agent Release Information
- CoreOS installer automatically configures Agent container support
- Improved performance and reliability on Docker hosts with a large number of paused containers
- Using the --force option with the CoreOS installer will no longer report "integer expression expected"
- Additional cleanup, logging improvements and updates to internal libraries
- Support for CoreOS:
- Agent has been qualified for CoreOS Stable v1353.8.0 and later
- We ship an installer script for customers to facilitate installing the agent and its dependencies, as well as a systemd service configuration
- README.md with additional information
- Improved handling of deployment scenarios where the agent is started by the OS before being properly configured and registered
- Improved handling of cases with large amounts of Docker container metadata
- Performance improvements for Docker container support
- Improved connection handling and detection of connection issues to Threat Stack platform
- Expanded the agent status check to allow customers to query whether the agent is sending data to the platform
- Resolved an issue where agent installation would create files in /mnt/jenkins
- Improved support for authentication failures on CentOS 6: user and source IP are now sent as discrete data available for alerting and searching
- Support for new Threat Stack Monitor and Investigate plans
- Support for Docker 1.13.0
- Resolved an issue where a Docker event could become unassociated with its originating container
- Major upgrade to the agent core engine, optimizing CPU utilization and memory consumption and providing additional security and stability enhancements
Not publicly released
- Added support for Docker 1.12.4
- Added support for Docker 1.12
- Fixed an issue where using yum erase to remove the Threat Stack agent on a system without perl installed could cause issues with /etc/pam.d/sshd configuration
- Added additional configuration options to drop specific kernel audit messages from raw audit log
- Improved handling of group modification events for local accounts
- Added support for capturing authentication failures for Google Authenticator
- Faster updating of File Integrity Monitoring (FIM) rules in the agent
- Additional Docker integration enhancements
- Updated Docker integration to reduce CPU load
- Upgraded internal components for performance, reliability and security
- Resolved directory permissions issue on /opt/threatstack/etc
- Resolved an issue where the tscontainersd sensor for Docker events could crash under certain circumstances on Amazon Linux
- The agent now outputs its configuration parameters into a JSON-formatted file at /opt/threatstack/cloudsight/config/config.json. This lists all the variables configured for the agent and can be used to inspect agent state
- Added a configuration option to output raw audit framework messages to a log file
Not publicly released
- Improved efficiency in calling Docker APIs, resulting in lower CPU utilization
- Better handling of Docker registry format changes to handle Docker 1.1x and greater
- Improved login failure tracking to catch failed public key authentication attempts
- Stability and performance enhancements
- Reduced occurrences of encoded process names, from deleted processes, showing up in Threat Stack UI
- Updated installed package scanning to better support Amazon Linux and Red Hat distributions
- Enhanced login failure tracking to provide more information on attempts by users
- Resolved an issue where, in certain circumstances, FIM rule changes were not pushed to the agent in a timely manner
- Added support for an upcoming feature for scanning locally installed packages for vulnerabilities
- Additional improvements to our internal process control to reduce instances where we restart our sensors due to a system issue
- Resolved an issue where, under certain load circumstances, the agent could consume more CPU than necessary
- Improved upgrade performance
- Logging kernel, distro, and Threat Stack server data
- Ability for customers to redact process arguments
- Additional information for FIM events
- Removed unused network features from the agent to reduce CPU and network load on the host system
- Upgraded embedded node.js to v0.10.41
- Resolved an issue in v1.3.2 when starting the agent on Amazon Linux
Not publicly released
- Includes host system information in cloudsight.log when the agent starts
- Resolves an issue on Ubuntu 12.04 where the installer doesn't properly configure login tracking
- Fix for handling large Docker containers
- Support for auditing events from Docker Containers
- Upgraded internal libraries
- Packaging improvements
- Agent will warn at runtime if it detects an incompatible kernel version, and then shut down
- Stability and performance enhancements
- Fixed another issue with process supervision
- Fixed an issue where our process supervisor was too aggressive with restarting agent components
- Stability and performance improvements
- Improved support for Stacked Ruleset feature
- File integrity rule exclusions no longer require a full path
- Improved performance for systems under heavy network load
- Support for an upcoming feature release to support multiple policies per agent
- Added timestamps to log files
- This is the last version of the agent that will be provided for 32-bit systems and for Ubuntu 10.04
- Fixed a bug where a user could not register an agent using a configuration file and the --config= run time flag.
- Set hard package conflict on linux-image-3.13.0-51-generic - disallow the ability for the TS agent and that kernel to run together. See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1450442 for more info
- Update the post-install files to ensure the audit rules get loaded correctly on install and upgrade.
- Refactor and improve init script to include better pid file management
- Include basic support for Debian 7.x - official packages will be available soon.
- Fixed a race condition where the tsfim process could start twice, leaving the agent unable to bind and causing it to fail at startup
- Ignore FIM events from Cloudsight agent.
- Cache user lookups
- Ensure that when the threatstack system user is created its login shell is explicitly set to false (no interactive login).
- Add configuration option (cloudsight config disable_fim=1) to allow disabling file integrity monitoring on the agent.
- Disable DNS resolution queries by default. (To enable use cloudsight config disable_dns_lookups=0)
- Performance fixes related to reading tsaudit.log on restart.
- With additional tuning we no longer need larger logs on nodes; reduced the maximum tsauditd.log size to 50MB
- Set tsaudit.log to roll at 100MB max log size.
- Add better restart logic when tsaudit is idle
- Fixed a few bugs related to DNS resolution that could contribute to high CPU and network usage.
- Send internal IP addresses in addition to the external IP address so the UI can display them on the agents page
- Add a --hostname configuration flag, which at new agent registration allows the user to define the friendly name the agent will display in the UI. This defaults to the system's hostname when not set.
- Add memory stats to agent tracking for logging rss memory usage.
- Update local logging to not include superfluous heartbeat logging messages.
- Fix packaging to properly remove /opt/threatstack when uninstalling agent
- Add a check to fail when ts_fanotifyLL_new init fails
- Check for kernel version >= 2.6.37 to enable fanotify
- Fix and update various Info log messages to Debug.
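The two kernel rules above (fanotify is only enabled on kernels >= 2.6.37, and the package declares a hard conflict with linux-image-3.13.0-51-generic) can be checked before installation. The following POSIX sh script is an added example, not Threat Stack's installer or agent code; it assumes kernel release strings in the `uname -r` format (a numeric dotted version before the first `-`, e.g. `3.13.0-51-generic` or `2.6.32-696.el6.x86_64`), and the verdict words `conflict`, `no-fanotify` and `ok` are the example's own.

```shell
#!/bin/sh
# Added example, not Threat Stack's own code: pre-flight kernel checks that
# mirror two rules from the release notes: fanotify needs kernel >= 2.6.37,
# and the agent package conflicts with Ubuntu's linux-image-3.13.0-51-generic.
# Assumption: kernel release strings look like `uname -r` output, with a
# numeric dotted prefix before the first "-".

# Print -1, 0 or 1 depending on whether dotted version $1 is <, = or > $2.
# Missing components count as 0, so "2.6" compares as "2.6.0".
version_cmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}
        if [ "$ap" = "$a" ]; then a=''; else a=${a#*.}; fi
        bp=${b%%.*}
        if [ "$bp" = "$b" ]; then b=''; else b=${b#*.}; fi
        ap=${ap:-0}
        bp=${bp:-0}
        if [ "$ap" -lt "$bp" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ap" -gt "$bp" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Strip the distro suffix ("-51-generic", "-696.el6.x86_64") from a kernel release.
kernel_base_version() {
    printf '%s\n' "${1%%-*}"
}

# Succeed (exit 0) when kernel release $1 is new enough for fanotify (>= 2.6.37),
# which is what the agent needs before it can enable file integrity monitoring.
kernel_supports_fanotify() {
    [ "$(version_cmp "$(kernel_base_version "$1")" 2.6.37)" -ge 0 ]
}

# Print a verdict for kernel release $1 (verdict words are this example's own):
#   conflict    - the one kernel the package declares a hard conflict with
#   no-fanotify - too old for fanotify, so FIM cannot be enabled
#   ok          - otherwise
agent_kernel_check() {
    case $1 in
        3.13.0-51-generic) printf '%s\n' conflict; return 0 ;;
    esac
    if kernel_supports_fanotify "$1"; then
        printf '%s\n' ok
    else
        printf '%s\n' no-fanotify
    fi
}

# Stand-alone use: pass a release string, e.g. `sh check.sh "$(uname -r)"`.
if [ $# -gt 0 ]; then
    agent_kernel_check "$1"
fi
```

Run it with the output of `uname -r` on a candidate host; `no-fanotify` means the agent would start without FIM support, and `conflict` means the package's hard conflict would block installation on that kernel.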
- Updates to the agent to support Signed Apt and Yum repositories
- Threat Stack Agent package name is now "threatstack-agent"
- Updates to how the agent can be registered: it now supports command line flags as well as a path to a file containing the deploy key and policy name/ID.
- Add tunable for disabling DNS resolution for network connections.
- Removed sys_socket syscall as it's no longer required and can cause performance issues.
- Numerous performance updates and improvements around File Integrity Monitoring and audit improvements
- Resolves an issue where agents running on Amazon EC2 instances may not properly register their instance-id, resulting in agent status not displaying properly