Troubleshooting the Client Recorder Extension

Identify Linux endpoints missing auditd

If Linux endpoint events are not being recorded, they might be missing the audit daemon and audispd. Ideally, the audit daemon is installed and configured before installing the Trace module, but it is possible for endpoints to come online at a later time.

  1. (Optional) Create the auditd package.

    You can either create a general installation package and put the logic in the scripts or you can have a simple script and put the logic in the Tanium query. See Tanium Core Platform User Guide: Creating and managing packages.

    Create saved actions that periodically check for and deploy this package in the future.

  2. Ask the question: Get Installed Application Exists[audit] from all machines with Is Linux containing "true".
  3. Use your preferred method to deploy the appropriate auditd package to the identified endpoints.

    If you need to distribute the package to a large number of endpoints, spread the changes out over time to avoid a negative impact on the network.

Resolve details returned by the Recorder - Is BPF Supported Details sensor

To determine if endpoints support eBPF as an event source, you can use the Recorder - Is BPF Supported Details sensor. The following table provides an explanation of the possible results the sensor returns and possible resolutions when the sensor returns false for any key.

Key: BPF Headers found
Description: If true, the headers required to run BPF were detected on the endpoint.
Possible cause and potential remediation for false: The headers were not found; the kernel is either too old or was explicitly compiled without BPF support.

Key: Kernel Headers match running kernel version
Description: If true, the version of the installed kernel-headers package matches the version of the running kernel.
Possible cause and potential remediation for false: The newest kernel-headers package has been installed, but the endpoint is still running an older kernel; a reboot is recommended. This can also indicate that no headers are installed at all.

Key: Kernel-devel package match running kernel version
Description: If true, the version of the installed kernel-devel package matches the version of the running kernel.
Possible cause and potential remediation for false: The newest kernel-devel package has been installed, but the endpoint is still running an older kernel; a reboot is recommended. This can also indicate that no headers are installed at all.

Key: Possible BTF Support
Description: If true, the kernel supports running in libbpf mode, which most likely means a newer endpoint (RHEL 8.2+, CentOS 8.2+, Ubuntu 20.10+). The Recorder runs in libbpf mode on this endpoint.
Possible cause and potential remediation for false: The kernel is probably too old to support libbpf.

Key: Supported Operating System
Description: If true, the Recorder supports running BPF (in either mode) on this OS / distribution. RHEL is supported; Amazon Linux (although RHEL based) is currently not.
Possible cause and potential remediation for false: The operating system is not supported.

Key: Supported Platform
Description: If true, the platform is supported. Linux returns true; anything else should return false.
Possible cause and potential remediation for false: The platform is not supported.

Key: Kernel Without Confidentiality Mode Enabled
Description: If true, the kernel is not in confidentiality mode. BPF cannot run on OEL endpoints whose kernel is set to confidentiality mode.
Possible cause and potential remediation for false: Confidentiality mode in OEL prevents BPF programs from running.
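The checks behind both sections above (whether auditd is present, and the header, BTF and confidentiality-mode keys the sensor reports), as an added diagnostic script that is not Tanium's sensor code. It assumes the standard paths named in its comments (headers reachable through /lib/modules/<version>/build, BTF at /sys/kernel/btf/vmlinux, lockdown state at /sys/kernel/security/lockdown); the sensor's real implementation may differ.

```shell
#!/bin/sh
# Constructed diagnostic mirroring the checks described above; it is not
# Tanium's sensor code. Assumed paths: /lib/modules/$(uname -r)/build
# (kernel-devel/headers), /sys/kernel/btf/vmlinux (BTF) and
# /sys/kernel/security/lockdown (kernel lockdown / confidentiality mode).

# Exit 0 only when an installed headers/devel version is present and equals
# the running kernel version. Versions are arguments so the comparison can
# be exercised without a real kernel-devel package.
headers_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Extract the active lockdown level from the contents of
# /sys/kernel/security/lockdown, which marks it in brackets,
# e.g. "none integrity [confidentiality]" -> "confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Live checks against this host, printed as key=value like the sensor.
report() {
    running="$(uname -r)"
    build_dir="/lib/modules/$running/build"
    installed=""
    if [ -d "$build_dir" ]; then
        # build -> /usr/src/kernels/<ver> (RHEL) or
        # /usr/src/linux-headers-<ver> (Debian/Ubuntu); keep <ver>.
        installed="$(basename "$(readlink -f "$build_dir")")"
        installed="${installed#linux-headers-}"
    fi
    # A mismatch usually means headers newer than the booted kernel:
    # reboot into the new kernel, or install the matching package.
    headers_match "$installed" "$running" && hdr=true || hdr=false
    echo "headers_match_running_kernel=$hdr installed=${installed:-none} running=$running"

    [ -r /sys/kernel/btf/vmlinux ] && btf=true || btf=false
    echo "possible_btf_support=$btf"

    mode="none"
    [ -r /sys/kernel/security/lockdown ] \
        && mode="$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
    [ "$mode" != "confidentiality" ] && noconf=true || noconf=false
    echo "kernel_without_confidentiality_mode=$noconf lockdown=$mode"
    command -v auditd >/dev/null 2>&1 && aud=true || aud=false
    echo "auditd_installed=$aud"
}
if [ "${1:-}" = "--run" ]; then report; fi
```

Run it as `sh check_recorder_prereqs.sh --run` on an endpoint that the sensor reports as false to see which prerequisite is missing.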