Linux Agent Release Changelog

Release Announcement


Release date 04/02/2020

Threat Stack enhanced the following features in the 2.2 Agent release:

  • The Linux 2.2 Agent release is focused primarily on FIM enhancements, such as performance improvements with file descriptor handling.
    • File Integrity Monitoring (FIM) has been refactored in Go. It still uses the same underlying filesystem APIs, fanotify and inotify.
    • TSFIM sub-processes have been replaced with tsagentd and tsauditd processes.
    • FIM is now enabled by default, and configuring FIM enables Threat Stack to monitor user access to specific file paths designated in the Threat Stack Cloud Security Platform® (CSP).
  • Linux 2.2 improvements also include:
    • Dropping unsuccessful network audit events.
    • Removing drop rules at the Agent level.

Additionally, this release includes assorted minor bug fixes.


Release date 10/3/2019

Threat Stack enhanced the following features in the 2.1.3 Agent release:

  • Threat Stack Agent: Enhancements to telemetry captured for system calls (syscalls) including system date/time.

Additionally, this release includes assorted minor bug fixes.


Release date 9/11/2019

Threat Stack enhanced the following features in the 2.1.2 Agent release:

  • Threat Stack Agent: Addresses an issue where a reinstall is not required to upgrade from Agent v1.9 to v2.1.x.

Additionally, this release includes assorted minor bug fixes.


Release date 8/7/2019

Threat Stack enhanced the following features in the 2.1.1 Agent release:

  • Threat Stack Agent: Addresses an issue to ensure events are mapped correctly for short-lived containers.
  • Performance:
    • New configuration database for better stability.
    • Critical performance and memory fixes.


      To take advantage of recent performance optimizations and critical fixes, we strongly recommend that customers upgrade from v2.1 to v2.1.1 or any subsequent release, to avoid any impact to running workloads.

  • Command Line: Some command line items (CLI) are different for Agent 2.1.1.

Additionally, this release includes assorted minor bug fixes.


Release date 5/9/2019

Threat Stack enhanced the following features in the 2.1 Agent release:

  • Installation:
    • Full support of systemd commands for users who manage the Agent through the systemd service

      NOTE: The TSwatchdog service does not automatically start when the Agent uses systemd commands.

  • Kubernetes:
    • The Threat Stack Cloud Security Platform® (CSP) receives and processes behavioral and configuration events.
    • Agent backend integrates with Kubernetes API to deliver more information about the state of your Kubernetes integration.
  • Improvements to Agent stability and efficiency.

Additionally, this release includes assorted minor bug fixes.


Release date 1/18/2019

Threat Stack enhanced the following features in the 2.0 Agent release:

  • OS Support:
    • This release begins support for Amazon Linux 2.
    • Beginning with this release, CentOS / RedHat OS version 6 are no longer supported.
    • Beginning with this release, Ubuntu version 14.04 is no longer supported.
  • Installation:
    • New Git repos for Agent 2.0
    • Supports both host-based and container-based (Docker) installation
    • New installation scripts available:
      • Chef:
      • Puppet:
      • New Ansible and Salt scripts available for Agent 2.0.
    • The .secret file no longer exists. It has been replaced with /opt/threatstack/etc/tsagentd.cfg.
  • Command Line: Command line items (CLI) are different for Agent 2.0.
  • Containers: The containerized Agent no longer needs to run as a privileged container
  • Performance: Many stability enhancements provided through a revised code base

Additionally, this release includes assorted minor bug fixes.

Archived Agent Release Information

2018 Agent Releases


Release date 10/15/2018

Threat Stack enhanced the following features in the 1.9.0 Agent release:

  • OS Support:
    • This release only supports host-based agents.
    • Beginning with this release, CoreOS will only be supported by the containerized Agent.
  • Performance: Greatly reduced memory consumption by custom Lua filters
  • Rules: FIM exclusion of specific files is now enabled
  • Containers: Added support for cgroup version 2.0

Additionally, this release includes assorted minor bug fixes.


Release date 9/25/2018

Threat Stack enhanced the following features in the 1.8.0C Agent release:

  • Containers:

    This release also includes all fixes included in the 1.8.0 release.


Release date 6/11/2018

Threat Stack enhanced the following features in the 1.8.0 Agent release:

  • OS Support:
    • Implemented a new OS support model. Threat Stack now supports a current OS plus the previous two releases of that OS. Refer to the updated Agent and OS Support Policy and the updated System Requirements list for additional information.
    • Added support for Ubuntu 18.04 and CoreOS 1745.4.0. Refer to the System Requirements list for additional information.
  • Events: Added several event types to tsaudit syscalls, which, when included in rules, alert users to potentially malicious time and/or date changes on the system. The event types are:
    • adjtimex
    • clock_settime
    • settimeofday

Additionally, this release includes assorted minor bug fixes.


Release date 4/17/2018

Threat Stack enhanced the following features in the 1.7.0 Agent release:

  • OS Support: Added support for Debian 9. Refer to the System Requirements list for additional information.
  • Security: Upgraded Node.js for improved performance, stability, and to comply with life cycle requirements.
  • Logging: Increased granularity of logs for improved support enablement.

Additionally, this release includes assorted minor bug fixes.


Release date 2/21/2018


In the 1.6.9 release we added security and stability improvements and enhanced the following agent features:

  • Threat Stack Agent: Increased capture of supplementary event data.
  • Docker Integration: Updated caching to improve containerId mapping to events.
  • Logging: Updated logging output for cleaner results.

2017 Agent Releases


Release date 12/18/2017


The Agent 1.6.8 release focuses on improved agent performance. Threat Stack made the following enhancements to the 1.6.8 Agent release:

  • CoreOS: enhanced the CoreOS installer (updated instructions here)
  • Containers: enhanced images and systems analysis for more in-depth security assessments
  • FIM: enhanced FAnotify and debugging mode to improve agent robustness

Additionally, Threat Stack no longer supports Amazon Linux distro 2012.03.


Release date 10/18/2017


In the 1.6.7 release we added numerous security improvements and enhanced the following agent features:

  • Docker: updated Docker event publishing implementation for better resource utilization
  • CoreOS support: new installation script provides silent mode and clean exit
  • Threat Stack Agent: standardized format for operating systems and hosts across major and minor Linux versions
  • FIM: implemented a lightweight communication system for better performance


Additional agent improvements include:

  • CoreOS support:
    • filename description
    • single command to initiate installation and setup
  • Threat Stack Agent
    • output agent package information on startup to improve support
    • changed the default vulnerability collection method
    • better use of CPU resources
    • increased data accuracy surrounding timestamps
  • Alerts: increased alert details to include usernames and IP fields
  • FIM and Docker: better handling of large bursts of events


Release date 8/24/2017

We improved the following feature functionality:

  • Switching `agent_type` from Investigate to Monitor no longer sends extra audit events
  • Switching `agent_type` from Monitor to Investigate updates to send audit events
  • Unlink is now consistently captured and checked for success. This should fix application instability or crashing if memory is not available.


Release 8/10/2017

With the 1.6.5 release, we improved the:

  • Agent performance by using the Docker API for container identification
  • File system performance for agents using Docker integration
  • Container tracking across restarts of Docker daemon
  • Additional information pulled from 2FA login failure events.
  • FIM and login events
  • Logging


Threat Stack will no longer support the Ubuntu 12.04 (precise) agent


Release 7/5/2017

  • CoreOS installer automatically configures Agent container support
  • Improved performance and reliability on Docker hosts with a large number of paused containers
  • Using the --force option with the CoreOS installer will no longer report "integer expression expected"
  • Additional cleanup, logging improvements and updates to internal libraries


Release 6/12/2017

  • Support for CoreOS:
    • Agent has been qualified for CoreOS Stable v1353.8.0 and later
    • We ship an installer script for customers to facilitate installing the agent and its dependencies, as well as a systemd service configuration
    • with additional information
  • Improved handling of deployment scenarios where the agent is started by the OS before being properly configured and registered
  • Improved handling of cases with large amounts of Docker container metadata
  • Performance improvements for Docker container support


Release 3/30/2017

  • Improved connection handling and detection of connection issues to Threat Stack platform
  • Expanded the agent status check to allow customers to query whether the agent is sending data to the platform
  • Resolved an issue where agent installation would create files in /mnt/jenkins


Release 3/9/2017

  • Improved support for authentication failures on CentOS 6 - user and source IP are now sent as discrete data available for alerting and searching


Release 2/21/2017

  • Support for new Threat Stack Monitor and Investigate plans
  • Support for Docker 1.13.0
  • Resolved an issue where a Docker event could become unassociated with its originating container


Release 1/23/2017

  • Major upgrade to agent core engine optimizing CPU utilization, memory consumption and providing additional security and stability enhancements


Not publicly released

2016 Agent Releases


Release 12/20/2016

  • Added support for Docker 1.12.4


Release 10/18/2016

  • Added support for Docker 1.12


Release 9/20/2016

  • Fixed an issue where using yum erase to remove the Threat Stack agent on a system without perl installed could cause issues with /etc/pam.d/sshd configuration
  • Added additional configuration options to drop specific kernel audit messages from raw audit log
  • Improved handling of group modification events for local accounts


Release 7/28/2016

  • Added support for capturing authentication failures for Google Authenticator
  • Faster updating of File Integrity Monitoring (FIM) rules in the agent


Release 7/12/2016

  • Additional Docker integration enhancements


Release 6/20/2016

  • Updated Docker integration to reduce CPU load
  • Upgraded internal components for performance, reliability and security


Release 5/17/2016

  • Resolved directory permissions issue on /opt/threatstack/etc
  • Resolved an issue where the tscontainersd sensor for Docker events could crash under certain circumstances on Amazon Linux
  • The agent now outputs its configuration parameters into a JSON-formatted file at /opt/threatstack/cloudsight/config/config.json. This lists all the variables that are configured with the agent and can be used to inspect agent state
  • Added a configuration option to output raw audit framework messages to a log file


Not publicly released


Release 4/28/2016

  • Improved efficiency in calling Docker APIs, resulting in lower CPU utilization
  • Better handling of Docker registry format changes to handle Docker 1.1x and greater
  • Improved login failure tracking to catch failed public key authentication attempts


Release 3/28/2016

  • Stability and performance enhancements
  • Reduced occurrences of encoded process names, from deleted processes, showing up in Threat Stack UI


Release 2/24/2016

  • Updated installed package scanning to better support Amazon Linux and Red Hat distributions
  • Enhanced login failure tracking to provide more information on attempts by users


Release 2/17/2016

  • Resolved an issue where in certain circumstances FIM rule changes aren't pushed to the agent in a timely manner


Release 2/16/2016

  • Added support for an upcoming feature for scanning locally installed packages for vulnerabilities
  • Additional improvements to our internal process control to reduce instances where we restart our sensors due to a system issue


Release 1/11/2016

  • Resolved an issue where, under certain load circumstances, the agent could consume more CPU than necessary


Release 1/4/2016

  • Improved upgrade performance
  • Logging kernel, distro, and Threat Stack server data
  • Ability for customers to redact process arguments
  • Additional information for FIM events

2015 Agent Releases


Release 12/7/2015

  • Removed unused network features from the agent to reduce CPU and network load on the host system

  • Upgraded embedded node.js to v0.10.41


Release 10/30/2015

  • Resolved an issue in v1.3.2 when starting the agent on Amazon Linux

v1.3.3 - not publicly released

v1.3.2 - release 10/29/2015

  • Includes host system information in cloudsight.log when the agent starts
  • Resolves an issue on Ubuntu 12.04 where the installer doesn’t properly configure login tracking
  • Fix for handling large Docker containers

v1.3.1 - release 10/5/2015

v1.2.4 - released 9/14/2015

  • Fixed another issue with process supervision

v1.2.3 - released 9/10/2015

  • Fixed an issue where our process supervisor was too aggressive with restarting agent components
  • Stability and performance improvements

v1.2.1 - released 7/22/2015

  • Improved support for Stacked Ruleset feature
  • File integrity rule exclusions no longer require a full path
  • Improved performance for systems under heavy network load 

v1.2.0 - released 6/30/2015

  • Support for an upcoming feature release to support multiple policies per agent
  • Added timestamps to log files
  • This is the last version of the agent that will be provided for 32-bit systems and for Ubuntu 10.04

v1.1.11 - released 5/20/2015

  • Fixed a bug related to an issue where a user could not register an agent using a configuration file and the --config= run time flag.

v1.1.10 - released 5/1/2015

  • Set hard package conflict on linux-image-3.13.0-51-generic - disallow the ability for the TS agent and that kernel to run together.  See for more info
  • Update the post-install files to ensure the audit rules get loaded correctly on install and upgrade.

v1.1.9 - released 4/28/2015

  • Refactor and improve init script to include better pid file management
  • Include basic support for Debian 7.x - official packages will be available soon.

v1.1.7 - released 3/11/2015

  • Fix issue related to race condition where the tsfim process could start twice and the agent could fail to bind and cause the agent to fail startup
  • Ignore FIM events from Cloudsight agent.
  • Cache user lookups
  • Ensure when threatstack system user is created we explicitly set a false login shell.

v1.1.6 - released 3/2/2015

  • Add configuration option (cloudsight config disable_fim=1) to allow disabling file integrity monitoring on the agent.
  • Disable DNS resolution queries by default. (To enable use cloudsight config disable_dns_lookups=0)
  • Performance fixes related to reading tsaudit.log on restart.
  • With additional tuning we no longer need larger logs on nodes - reduced the max tsauditd.log size to 50MB

v1.1.4 - released 2/9/2015

  • Set tsaudit.log to roll at 100MB max log size.
  • Add better restart logic when tsaudit is idle
  • Fixed a few bugs related to DNS resolution that could contribute to high CPU and network usage.

v1.1.3 - released 1/19/2015

  • Send up internal IP addresses so the UI can display on the agents page (vs just sending external IP address)
  • Add a --hostname configuration flag, which at new agent registration allows the user to define the friendly name the agent will display in the UI. This defaults to the system's hostname when not set.

v1.1.2 - released 1/19/2015

  • Add memory stats to agent tracking for logging rss memory usage.
  • Update local logging to not include superfluous heartbeat logging messages.
  • Fix packaging to properly remove /opt/threatstack when uninstalling agent
  • Add a check to fail when ts_fanotifyLL_new init fails
  • Check for kernel version >= 2.6.37 to enable fanotify

v1.1.1 - released 1/15/2015

  • Fix and update various Info log messages to Debug.

v1.1.0 - released 1/14/2015

  • Updates to the agent to support Signed Apt and Yum repositories
  • Threat Stack Agent package name is now "threatstack-agent"
  • Updates to how the agent can be registered - now supports command line flags as well as path to a file with deploy key and policy name/ID.
  • Add tunable for disabling DNS resolution for network connections.
  • Removed sys_socket syscall as it's no longer required and can cause performance issues.
  • Numerous performance updates and improvements around File Integrity Monitoring and audit improvements

2014 Agent Releases

v1.0.24 - released 11/8/2014

  • Resolves an issue where agents running on Amazon EC2 instances may not properly register their instance-id, resulting in agent status not displaying properly.