Login
      Contents x
      Linux EDR Components
      • 21 Jun 2024
      • 1 Minute to read
      • PDF
      Contents

      Linux EDR Components

      • Updated on 21 Jun 2024
      • 1 Minute to read
      • PDF
      Article summary

      When evaluating the resources used by the Red Canary Linux Endpoint Detection and Response (EDR) service and plugins, it is typical to see that they consume more resources than expected. Most of the time, this is because top’s Irix/Solaris modes provide different display values and the processes are not using more resources than the default/configured limits.

      Components

      • cfsvcd: Main telemetry service

      • cfpmid: Process Memory Integrity plugin

      • cfbrkd: Behavioral Rootkit Detection plugin

      • More plugins are likely to be introduced over time

      Irix Mode vs. Solaris Mode

      When monitoring resource utilization using top, Irix mode displays CPU percentage based on a summation of all CPU/cores available. For example, a system with four processors can have up to 400 percent CPU utilization displayed. In this case, one running process can take up to 100 percent CPU of a single core. This can appear alarming when monitoring CPU utilization in Irix mode even though that only accounts for a quarter of the maximum.

      By contrast, when using Solaris mode, the CPU percentage column’s values are divided by the number of cores in the system. In this view all running processes’ CPU utilization totals 100 percent.

      Toggling Between Irix and Solaris Modes

      Press I to toggle between the two modes while running top.

      Main Page Description

      'I' :Irix/Solaris_Mode_toggle

When operating in 'Solaris mode' ('I' toggled Off), a task's cpu usage will be divided by the total number of CPUs. 
After issuing this command, you'll be informed of the new state of this toggle.

      Configuring Linux EDR Plugins’ CPU Limit Model

      Set the parameter value, cpu_limit_model in the configuration file to enforce Linux EDR plugins to use either Solaris or Irix mode. This is available in plugin version 1.1.1+ for cfpmid and cfbrkd. By default, Solaris mode is enabled for plugins running 1.1.1+. Note that this is separate from Linux EDR's sensor version.

      Configuration File

      /opt/redcanary/config.json

      Parameter Values

      • irix

      • solaris

      Sample config.json

      {
    "access_token": "xxxxxxxxxxxxxx",
    "subscription_plan": "Managed",
    "cpu_limit_model": "irix"
}

      Number of Cores

      While beyond the scope of this article, common tools such as lscpu and nproc can be used to find the number of cores. The file /proc/cpuinfo can be reviewed for this information as well.

      Htop

      The command htop provides similar functionality to top but it does not have a toggle between Irix and Solaris modes. By default, htop only displays values in Irix mode.

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout