Linux EDR Sensor Release Notes

Docker tag: 1.9.0-24205 Added eBPF Telemetry: Added support for the `btrfs` filesystem. Prior to this release the sensor would not launch using eBPF if installed under a `btrfs` mount. Note that launching the sensor under Audit mode would work b...

Docker tag: 1.8.0-23707 Added Added off-by-default experimental feature to use a temporary file when buffering events prior to offload in order to reduce memory consumption. Better support for getting pod metadata when using the `cri-docker...

Docker tag: 1.7.4-23352 Added Off-by-default experimental feature to offload process ancestry of emitted events when that ancestry had been previously filtered out due to its similarity to a previous event. Changed Re-use network clients...

Docker tag: 1.7.22699 Added Support fetching metadata of containers using a socket in the host's filesystem when the sensor is deployed inside a container. Support for tracking containers and emitting container metadata for systems using Redh...

Docker tag: 1.7.0-22468 Added For docker, kubernetes, and podman containers we now start collecting extra metadata such as: container name container hostname image name image ref image tags pod namespace pod n...

Docker image tag: 1.6.0-21823 Added Support was added for patching the stable releases of the latest and previous minor version of the sensor IMDS metadata fetching now includes Azure and GCP Cloud endpoint type discovery now includes Az...

Docker Image Tag 1.5.4-21043 Fixed  Audit telemetry: In Oracle kernels that deviate from mainline, handle hardlink events from filemod. Changed Only hash files that are executables for filemod events. Previously, hashing f...

Fixed In rare cases, the sensor could hang during shutdown if too many containers were started/stopped at the same time Audit telemetry: Do not emit filemod related errors for audit telemetry on unsupported kernels Audit telemetry: Do not e...

Docker tag: 1.5.1-19963 Bugs We are aware of an issue with sensor degradation on Linux EDR sensors using auditD as their telemetry collection method. Since we are only seeing this on those sensors we recommend that you use eBPF as the pref...

Docker tag: 1.5.0-19853 Fixed Avoid potential hanging when trying to find cgroups of ancestor processes. In practice we only encountered this problem with older, unsupported distros (e.g., Centos 6 which is past its EOL). The sensor no longer...

Docker Tag: 1.4.19-18993 Fixed The sensor id no longer recreates itself if it is restarted too early in boot up. The parent process id used to report the grandparent, even when the 'CLONE_PARENT' fork flag was not set. Audit telemetry: In ...

Fixed eBPF Telemetry: Support for kernels that had anonymous integers/floats as part of their BTF file. In practice, this has only been seen in [GCOS Milestone 97 using kernel 5.10.161+ ]( https://cloud.google.com/container-optimized-os/docs/rel...

Fixed Do not error on user/login/effective ids Do not prepend the current working directory to process starts that were executed from a memfd instead of a real path Protect against symlink loops when resolving metadata for files inside c...