You can configure your endpoints to collect telemetry using eBPF instead of AuditD.
Overview
Before making any changes to your sensors, check the Linux EDR system requirements to determine whether eBPF data collection is supported for your endpoints.
Enable eBPF
- Update the sensor configuration file.
- Optionally disable the DebugFS automount feature.
- Restart the sensor.
Update the sensor configuration file
- Go to /opt/redcanary/.
- Open config.json and add the following lines:
  "telemetry": {
    "source": "ebpf"
  }
- Save the file.
Note: If the eBPF initialization fails, the sensor falls back to AuditD. If you'd prefer the sensor to turn off instead of falling back, add "restricted": true to the "telemetry" object.
Optional: Disable DebugFS automount
In order to collect telemetry using eBPF, your endpoint must be able to access the debug file system, also known as DebugFS. DebugFS is mounted by default on most Linux systems. If DebugFS isn't already mounted, the sensor will try to mount it for you. You can disable the automount feature by adding "automount": false to the "telemetry" object.
Restart the sensor
Your configuration changes won't take effect until you restart the sensor. For instructions on restarting the Linux EDR sensor service, see Agent Debugging.
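As an added example (not Red Canary's own tooling), the following script applies the steps above to an existing config.json without hand-editing it: it keeps every other key in the file, writes "restricted" and "automount" as real JSON booleans rather than strings, replaces the file atomically, and checks /proc/mounts for a DebugFS mount. It assumes config.json is a single top-level JSON object; SAMPLE_CONFIG is a constructed stand-in used only for the dry run.

```python
import json
import os
import sys
import tempfile

CONFIG_PATH = "/opt/redcanary/config.json"  # path documented on the page
SAMPLE_CONFIG = {"existing_setting": "constructed"}  # constructed stand-in for a real file

def merge_telemetry(config, restricted=None, automount=None):
    """Copy config with telemetry.source = "ebpf". restricted/automount are
    written only when given and must be real JSON booleans, never the strings
    "true"/"false" (the mistake the comment thread on this page caught)."""
    telemetry = dict(config.get("telemetry", {}))
    telemetry["source"] = "ebpf"
    for key, value in (("restricted", restricted), ("automount", automount)):
        if value is None:
            continue  # keep the sensor's default for this key
        if not isinstance(value, bool):
            raise TypeError(f'"{key}" must be a JSON boolean, got {value!r}')
        telemetry[key] = value
    merged = dict(config)  # every other key in the file is preserved
    merged["telemetry"] = telemetry
    return merged

def debugfs_mounted(mounts_text):
    """True if /proc/mounts content (device mountpoint fstype ...) lists a debugfs mount."""
    fields = [line.split() for line in mounts_text.splitlines()]
    return any(len(f) > 2 and f[2] == "debugfs" for f in fields)

def main(path=CONFIG_PATH):
    with open(path) as fh:
        config = json.load(fh)  # fails loudly if the file is already invalid JSON
    merged = merge_telemetry(config)
    # Write a temp file beside the original and rename it over the original, so a
    # crash mid-write never leaves the sensor with a half-written config.json.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".config.")
    with os.fdopen(fd, "w") as fh:
        json.dump(merged, fh, indent=2)
    os.chmod(tmp, os.stat(path).st_mode)  # keep the original file's permissions
    os.replace(tmp, path)
    with open("/proc/mounts") as fh:
        if not debugfs_mounted(fh.read()):
            print("DebugFS is not mounted; the sensor will try to mount it", file=sys.stderr)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])  # update the given file in place
    else:  # no path given: dry run on the constructed sample, showing the optional flags
        print(json.dumps(merge_telemetry(SAMPLE_CONFIG, restricted=True, automount=False), indent=2))
```

Restart the sensor after running it, as described above, for the change to take effect.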
Comments
The JSON attribute "restricted" looks like a JSON boolean (no quotes around true in the example), but the other attribute "automount" is in quotes for "false". Is the second one meant to be a string or a boolean?
A fully documented example of all parameter options for config.json would be great to link to.
Thank you - the Linux team reviewed and you are correct. The correction has been made.