- Audit telemetry: In Oracle kernels that deviate from mainline, handle hardlink events from filemod.
- Only hash files that are executables for filemod events.
  - Previously, hashing filemod events for large files like logs would take an excessively long time. As a result, the watchdog misinterpreted the delay as a hang.
- Improved memory efficiency by not waiting on DNS requests for incoming network connections.
  - Incoming network connections do not trigger a DNS request, so waiting for DNS information to eventually fill in for these connections was filling up the sensor DNS cache unnecessarily.
- eBPF Telemetry: Minimum supported mainline kernel is now 5.5+ for aarch64/arm64, updated from 5.8+.
- In the native telemetry, process start events now contain an additional field for marking them as shell activity.
Docker Image Tag
Hashes

## MD5