Skip to main content
Red Canary help

Why do Linux EDR components take up so much CPU?

  • Updated .

When evaluating the resources used by the Red Canary Linux Endpoint Detection and Response (EDR) service and plugins, it is typical to see that they consume more resources than expected. Most of the time, this is because top's Irix/Solaris modes provide different display values and the processes are not using more resources than the default/configured limits.

Components

  • cfsvcd: Main telemetry service
  • cfpmid: Process Memory Integrity plugin
  • cfbrkd: Behavioral Rootkit Detection plugin
  • More plugins are likely to be introduced over time

Irix Mode vs. Solaris Mode

When monitoring resource utilization using top, Irix mode displays CPU percentage based on a summation of all CPU/cores available. For example, a system with four processors can have up to 400 percent CPU utilization displayed. In this case, one running process can take up to 100 percent CPU of a single core. This can appear alarming when monitoring CPU utilization in Irix mode even though that only accounts for a quarter of the maximum.

By contrast, when using Solaris mode, the CPU percentage column’s values are divided by the number of cores in the system. In this view all running processes’ CPU utilization totals 100 percent.

Toggling Between Irix and Solaris Modes

Press I to toggle between the two modes while running top.

Main Page Description

'I' :Irix/Solaris_Mode_toggle

When operating in 'Solaris mode' ('I' toggled Off), a task's cpu usage will be divided by the total number of CPUs. 
After issuing this command, you'll be informed of the new state of this toggle.

Configuring Linux EDR Plugins’ CPU Limit Model

Set the parameter value, cpu_limit_model in the configuration file to enforce Linux EDR plugins to use either Solaris or Irix mode. This is available in plugin version 1.1.1+ for cfpmid and cfbrkd. By default, Solaris mode is enabled for plugins running 1.1.1+. Note that this is separate from Linux EDR's sensor version.

Configuration File

/opt/redcanary/config.json

Parameter Values

  • irix
  • solaris

Sample config.json

{
    "access_token": "xxxxxxxxxxxxxx",
    "subscription_plan": "Managed",
    "cpu_limit_model": "irix"
}

Number of Cores

While beyond the scope of this article, common tools such as lscpu and nproc can be used to find the number of cores. The file /proc/cpuinfo can be reviewed for this information as well.

Htop

The command htop provides similar functionality to top but it does not have a toggle between Irix and Solaris modes. By default, htop only displays values in Irix mode.

Comments

0 comments

Please sign in to leave a comment.