The latest version of the Cmd Audit agent improves your ability to monitor Kubernetes deployments that use the containerd runtime by collecting data about the Node, Pod, and container where it is running (this feature is not supported for other container runtimes, including Docker). This enables more precise search, reporting, and alerting based on Kubernetes objects. Version 1.2.1 also includes several unrelated minor changes.


  • To enable this feature, you will need to update your existing Cmd Daemonset templates as per the updated DaemonSet guide.

  • Collecting K8s data from containerd is fully supported in GKE and AKS, and experimentally supported in EKS. Since Amazon only recently started supporting the containerd runtime, support for this feature on EKS should be considered experimental.

Kubernetes support

Cmd Audit 1.2.1 can monitor six additional characteristics of your Kubernetes deployments that use the containerd runtime. These characteristics are included as fields in exported event data, and available in the web app as Cmd Query Language (CQL) properties — see below.
Note: CRI refers to the Kubernetes Container Runtime Interface

New data export fields

Exported Cmd data now includes the following new fields, which are populated for data recorded by agent versions 1.2.1+ installed on Kubernetes deployments that use containerd:


  • The process' Kubernetes namespace (e.g.default”, “kube-system”)


  • The process' Kubernetes pod name (e.g. “cmd-nginx”)


  • The process' Kubernetes node name (e.g. “node-1234”)


  • The process' runtime container ID, i.e. the containerd container ID (e.g. "0c4e3b80c0b3fb798b4163dbc489ed739e67435bdfd83545c7fc45c0419c135c")


  • The process' container image's hash (e.g. “sha256:bd0ad0dd8520627a4478298cd74fead558b7819167a5b40d09ea6aaee9c92153”)


  • The process' container name (e.g. “nginx”)

New CQL properties

The new *cri* fields are available in the web app as Cmd Query Language (CQL) properties. You can use them to construct Command Triggers, build Reports, or search the Sessions page. They are also available as columns in the Sessions table to help you identify and sort your Kubernetes objects:


  • The session's Kubernetes namespace (e.g.default”, “kube-system”)


  • The session's Kubernetes pod name (e.g. “cmd-nginx”)


  • The session's Kubernetes node name (e.g. “node-1234”)


  • The session's runtime container ID, i.e. the containerd container ID (e.g. "0c4e3b80c0b3fb798b4163dbc489ed739e67435bdfd83545c7fc45c0419c135c")


  • The session's container image's hash (e.g. “sha256:bd0ad0dd8520627a4478298cd74fead558b7819167a5b40d09ea6aaee9c92153”)


  • The session's container name (e.g. “nginx”)

Minor changes

  • Tightened the permissions for individual eBPF probes within /var/lib/cmd/probes.

  • Added support for amzn2extra kernels.

  • Fixed a bug that could cause the agent to crash during startup.

  • Fixed a bug that could prevent debug info from saving during a crash.

  • Fixed a bug that caused probe builds to fail on some pre-4.17 kernels.

Did this answer your question?