How the Linux EDR Sensor Ensures Stability
    • 29 Jul 2024

    How does the Red Canary sensor work? Could a Red Canary update have an impact similar to the recent CrowdStrike outage?

    The software that runs on endpoints and gathers our Linux EDR telemetry is referred to as the agent, and also often as the sensor. Red Canary’s sensor follows a “lean sensor” model: it simply collects data and sends it to Red Canary’s XDR platform for analysis. We do not deliver security content or configuration updates in the manner that CrowdStrike does.

    Red Canary’s sensor does not use kernel modules. Instead, it interacts with the kernel through eBPF, which safely and efficiently extends the kernel’s capabilities without changing kernel source code or loading kernel modules; the kernel’s verifier checks every eBPF program before it is loaded, which is what makes this safer than a kernel module. Learn more about eBPF here.

    How does Red Canary deliver updates to its sensors?

    The Linux EDR sensor is composed of the core daemon and plugins. The daemon is responsible for core capabilities, whereas plugins provide specific, targeted capabilities.

    Plugins are obtained dynamically from Red Canary’s Cloud once the sensor has been installed and the daemon is running successfully. The daemon uses the plugins as needed.

    Our sensors are extensively tested in-house and used in Red Canary’s production environments before ever being released to our customers.

    There are three things worth knowing about our sensors:

    • Auto-update: The sensor has an auto-update option. By default, this feature is enabled through Red Canary’s configurations, but the customer can request to have it disabled if desired.

    • Plugins: Plugins are designed to auto-update in a customer’s environment, but they are rarely updated because there has not been demand for new plugin features. Unlike the sensor, plugins run in userspace and perform periodic scans, so they generally cannot operate in a way that would cause a kernel panic.

    • Remote config: The sensor includes a “remote config” that holds general settings, such as which plugins are enabled. This remote config is a JSON blob that is rarely updated because the settings typically stay the same. The sensor checks for changes periodically, and the config is processed entirely in userspace.
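    As an added illustration of the last point (example code written for this page, not Red Canary’s own), the loader below shows how a userspace daemon can poll for a remote config, accept only a blob that parses and validates, and otherwise keep running on its last-known-good settings, so a malformed or truncated update cannot take the endpoint down. The config shape (an `enabled_plugins` list and a `poll_interval_seconds` integer) and the plugin names are assumptions for illustration.

```python
import json

# Assumed (hypothetical) set of plugin names the daemon knows how to load.
KNOWN_PLUGINS = {"process_scan", "file_integrity", "user_audit"}

# Assumed default in effect before any remote config has been accepted.
DEFAULT_CONFIG = {"enabled_plugins": [], "poll_interval_seconds": 300}


def validate_config(raw: str) -> dict:
    """Parse a remote-config blob and return a normalised copy only if every
    field is sane. Raises ValueError on any problem so the caller can keep
    its current config instead of applying a bad one."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"config is not valid JSON: {exc}") from exc
    if not isinstance(cfg, dict):
        raise ValueError("config root must be a JSON object")
    plugins = cfg.get("enabled_plugins")
    if not isinstance(plugins, list) or not all(isinstance(p, str) for p in plugins):
        raise ValueError("enabled_plugins must be a list of strings")
    unknown = set(plugins) - KNOWN_PLUGINS
    if unknown:
        raise ValueError(f"unknown plugins requested: {sorted(unknown)}")
    interval = cfg.get("poll_interval_seconds")
    # bool is a subclass of int in Python, so reject true/false explicitly.
    if not isinstance(interval, int) or isinstance(interval, bool) or not 60 <= interval <= 86400:
        raise ValueError("poll_interval_seconds must be an int between 60 and 86400")
    return {"enabled_plugins": sorted(set(plugins)), "poll_interval_seconds": interval}


def apply_update(current: dict, raw: str) -> tuple:
    """One poll cycle: returns (config_in_effect, outcome). A rejected blob
    leaves the previous config untouched (last-known-good behaviour)."""
    try:
        return validate_config(raw), "applied"
    except ValueError as exc:
        return current, f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample blobs: one good update, then a truncated one.
    good = '{"enabled_plugins": ["process_scan"], "poll_interval_seconds": 600}'
    corrupt = '{"enabled_plugins": ["process_scan", "file_integ'
    cfg, why = apply_update(DEFAULT_CONFIG, good)
    print(why, cfg)
    cfg, why = apply_update(cfg, corrupt)
    print(why, cfg)  # still the previously applied config
```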

    Learn more about how Linux EDR uses eBPF here.
