Check for Unhealthy Agents: Missing Container Capabilities

Overview

Beginning with Linux Agent 2.3.4, you can check which Agent components are running and whether or not the Agent is in a healthy state.

The Agent runs its own version of auditd, which sends audit activity to the F5 Distributed Cloud App Infrastructure Protection (AIP) platform to generate events and alert data. The Agent's auditd and the host operating system's (OS) auditd can conflict over the kernel socket used to consume this audit information. The Agent Health Status feature shows which hosts are experiencing this conflict by displaying DOWN.

Note

Agent Health displays on the Servers page under the Agent Health column. If you do not see this column on Distributed Cloud AIP, click the Edit Columns button and select a server. Selecting a server displays a pop-up window that contains information about the Agent components and indicates which service is Up, Down, or Disabled. For information about how to display this column, see Select and Sort Columns on Servers Page.

Missing Container Capabilities

Linux Agent 2.5.0 introduced SYS_NICE, a required capability that makes the Agent's tsauditd process run as non-root.

Agent 3.0.0 added SYS_RESOURCE and IPC_LOCK for the optional eBPF sensors Net Tracer and DNS Tracer.

If you upgrade your Agent to 2.5.0 or later, be sure to add the required capabilities for your Agent version to avoid any disruption in the Agent's ability to return telemetry.

The minimum required capabilities for Agent 2.5.0:

--cap-add=AUDIT_CONTROL \
--cap-add=SYS_ADMIN \
--cap-add=SYS_PTRACE \
--cap-add=SYS_NICE \

The minimum required capabilities for Agent 3.x:

--cap-add=AUDIT_CONTROL \
--cap-add=SYS_ADMIN \
--cap-add=SYS_PTRACE \
--cap-add=SYS_NICE \
--cap-add=SYS_RESOURCE \
--cap-add=IPC_LOCK \
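
To confirm that a running Agent container was actually started with the capabilities listed above, the following added example (not F5's own tooling) decodes a capability mask and reports which required capabilities are missing. It assumes Docker and reads the bounding set (CapBnd) of the container's main process; the function names and the version labels "2.5.0" and "3.x" are choices made for this example.

```shell
#!/bin/sh
# Added example: report which capabilities required by the Agent are absent
# from a capability mask such as CapBnd in /proc/<pid>/status.
# Bit numbers come from linux/capability.h.

# required_caps <2.5.0|3.x>: "NAME:bit" pairs for that Agent version.
required_caps() {
    base="AUDIT_CONTROL:30 SYS_ADMIN:21 SYS_PTRACE:19 SYS_NICE:23"
    case "$1" in
        2.5.0) echo "$base" ;;
        3.*)   echo "$base SYS_RESOURCE:24 IPC_LOCK:14" ;;
        *)     echo "unknown agent version label: $1" >&2; return 2 ;;
    esac
}

# missing_caps <hex-mask> <2.5.0|3.x>
# Prints the missing capability names, space separated (empty if none).
missing_caps() {
    mask=$(( 0x$1 ))
    caps=$(required_caps "$2") || return 2
    missing=""
    for pair in $caps; do
        name=${pair%%:*}
        bit=${pair##*:}
        # A cleared bit means the capability was never granted.
        if [ $(( (mask >> bit) & 1 )) -eq 0 ]; then
            missing="${missing:+$missing }$name"
        fi
    done
    echo "$missing"
}

# capbnd_of_pid <pid>: bounding-set mask of a running process (hex).
capbnd_of_pid() {
    awk '/^CapBnd:/ {print $2}' "/proc/$1/status"
}

# Usage on the Docker host (<agent-container> is a placeholder):
#   pid=$(docker inspect --format '{{.State.Pid}}' <agent-container>)
#   missing_caps "$(capbnd_of_pid "$pid")" 3.x
```

An empty result means every capability required for that Agent version is present; any names printed are the `--cap-add` flags still to be added.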