Check for Unhealthy Agents: Audit DOWN

Overview

Beginning with Linux Agent 2.3.4, you can check which Agent components are running and whether or not the Agent is in a healthy state.

The Agent runs its own version of auditd, which sends audit activity to the F5 Distributed Cloud App Infrastructure Protection (AIP) platform to generate events and alert data. The Agent and the host operating system's (OS) own auditd can conflict over the kernel audit socket from which this audit information is consumed. The Agent Health Status feature indicates which hosts are experiencing this conflict by displaying DOWN.

Additionally, an Agent may capture excessive audit events when the journald service is configured to monitor the OS's audit socket. Because the Distributed Cloud AIP Agent also watches the OS's audit socket, this creates a redundant consumer that can cause audit DOWN. To remediate this issue, follow the steps below for your deployment type:

Note

Agent Health displays on the Servers page under the Agent Health column. If you do not see this column on Distributed Cloud AIP, click the Edit Columns button and select a server. Selecting a server displays a pop-up window that contains information about the Agent components and indicates which service is Up, Down, or Disabled. For information about how to display this column, see Select and Sort Columns on Servers Page.

Linux Host Agent
    1. To confirm auditd is active and running, run the following command:
      sudo systemctl status auditd
    2. Once you have confirmed that auditd is active and running, run the following commands separately:
      sudo service auditd stop
      sudo systemctl disable auditd
    3. Restart the Agent with the following command:
      sudo systemctl restart threatstack
    4. To ensure that the Agent Audit Collection is UP, run the following command:
      sudo tsagent status
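
The following script is an added example, not Threat Stack or F5 code, that reports which consumers of the kernel audit socket are enabled on a host before you restart the Agent. It assumes the host auditd state is read with `systemctl is-active auditd` and that journald's audit-socket behaviour is controlled by the `Audit=` key in journald.conf (when that key is absent, the build default applies; see `man journald.conf`).

```shell
#!/bin/sh
# Added example (not F5/Threat Stack code): list competing consumers of the
# kernel audit socket so the cause of "audit DOWN" can be spotted before
# the Agent is restarted. Assumes systemctl reports auditd state and that
# journald's audit-socket use is controlled by Audit= in journald.conf.

# audit_consumers STATE JOURNALD_CONF
#   STATE: output of `systemctl is-active auditd` (active/inactive/...)
#   Prints one line per competing consumer; prints nothing when clear.
audit_consumers() {
    state=$1
    conf=$2
    if [ "$state" = "active" ]; then
        echo "auditd: active (stop and disable it, then restart the Agent)"
    fi
    # Match an uncommented Audit=yes/true/on/1 line; an absent key means
    # the distribution's build default applies and is not flagged here.
    if [ -r "$conf" ] && grep -Eiq '^[[:space:]]*Audit[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$' "$conf"; then
        echo "journald: Audit= enabled in $conf (duplicate audit consumer)"
    fi
}

# conflict_count STATE JOURNALD_CONF -> number of competing consumers
conflict_count() {
    audit_consumers "$1" "$2" | wc -l | tr -d ' '
}

# live_check: run against the local host (needs systemctl and root-readable
# journald.conf); invoked only when the script is run with --live.
live_check() {
    state=$(systemctl is-active auditd 2>/dev/null || true)
    conf=/etc/systemd/journald.conf
    audit_consumers "${state:-unknown}" "$conf"
    n=$(conflict_count "${state:-unknown}" "$conf")
    if [ "$n" -eq 0 ]; then
        echo "no competing audit-socket consumers found"
    else
        echo "$n competing consumer(s); expect Agent Health to show audit DOWN"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check_audit_socket.sh --live` on the host; the functions can also be sourced and called with captured values from another host.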

Note

If you deploy with a configuration management tool, then you need to account for auditd in any future deployments to avoid conflicts with the auditd socket.

Linux Containerized Agent

Example 1

If you deploy the Agent with the Distributed Cloud AIP DaemonSet, you can insert these bash commands to stop and disable auditd:

command: ["bash"]
args: ["-c", "chroot /threatstackfs /bin/bash -c 'service auditd stop; systemctl disable auditd'; eval tsagent setup $THREATSTACK_SETUP_ARGS; eval tsagent config --set $THREATSTACK_CONFIG_ARGS; sleep 5; /opt/threatstack/sbin/tsagentd"]

Insert the bash command only for the DaemonSet kind that deploys the Agent to all nodes in the cluster.

Example 2

If you deploy the Agent using the Distributed Cloud AIP Helm chart, see the values.yaml file for provided OS-specific flags:

  • Container OS: gkeContainerOs
  • Ubuntu: gkeUbuntu
  • Amazon Linux 2: eksAmazon2

Simply edit the OS field for your distribution to true.

If you continue to experience issues, or if you use an alternate deployment method, please contact Distributed Cloud AIP Support at aipsupport@f5.com.
