eBPF

Verify eBPF on endpoints

There are many ways to confirm whether an asset has eBPF enabled or whether osquery is running in eBPF mode.
  1. Check if the asset has eBPF enabled using a realtime query:
    1. select (count(*) != 0) as ebpf_enabled from ebpf_dedup_stats;
      Generally the count will be at least 4 in ebpf_dedup_stats if the asset has eBPF enabled, so this query tells us whether the asset has eBPF enabled.
    2. This query is available from osquery version 5.11.0.1-Uptycs onwards.
  2. Check if we are receiving events in eBPF mode using the query below:
    1. select distinct(source) from process_events where upt_asset_id='' and upt_day>= ;
  3. If osquery on the asset was once running in audit mode but is currently running in eBPF mode (the current source of events is eBPF), confirm it using realtime queries:
    1. select * from audit_rules;
    2. If the above realtime query returns results (at least 1 row), the asset still has audit rules enabled; since the asset is already running in eBPF, these audit rules should be cleaned up. Below are the steps to follow:
      1. Execute the command auditctl -D to clear the system of any residual audit rules, or use the configuration/remediation check in the GUI for this purpose.
      2. Otherwise, make the following changes to remove the audit rules:
        1. In the flag profile, set --try_audit_based_events_first to true.
          1. Wait for osquery to restart and for the flag change to be reflected in realtime; this ensures the asset now runs in audit mode and may no longer require specific audit rules to be configured.
          2. Now run the realtime query below to confirm that no audit_rules exist:
            1. select * from audit_rules;
          3. After this, make the following flag changes on the endpoint:
            1. set --try_audit_based_events_first to false
            2. set --disable_audit = always
            3. These flag changes ensure that osquery will no longer interfere with audit on the endpoint.
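The three checks above can be scripted so the verdict is consistent across assets. The script below is an added example, not part of this article or the Uptycs agent: it runs the article's queries through `osqueryi --json` on the local host and interprets the rows. It assumes `osqueryi` is on PATH, that the eBPF event source appears as the value "ebpf" in the `source` column (an assumption), and it drops the `upt_asset_id` / `upt_day` filters because a local osqueryi run only sees the current host.

```python
"""Added example (not Uptycs code): verify eBPF mode on the local endpoint by
running the article's osquery checks and classifying the result."""
import json
import subprocess
from typing import Dict, List

Rows = List[Dict[str, str]]  # osquery --json emits every column value as a string

# Queries from the article; asset/day filters dropped for a local osqueryi run.
Q_EBPF = "select (count(*) != 0) as ebpf_enabled from ebpf_dedup_stats;"
Q_SOURCE = "select distinct(source) from process_events;"
Q_AUDIT = "select * from audit_rules;"


def run_query(sql: str, osqueryi: str = "osqueryi") -> Rows:
    """Run one realtime query through osqueryi and return its rows."""
    out = subprocess.run([osqueryi, "--json", sql], capture_output=True,
                         text=True, check=True).stdout
    return json.loads(out) if out.strip() else []


def ebpf_enabled(rows: Rows) -> bool:
    """ebpf_dedup_stats has rows (count != 0) only when eBPF is active."""
    return bool(rows) and rows[0].get("ebpf_enabled") == "1"


def event_sources(rows: Rows) -> List[str]:
    """Distinct process_events sources seen on the asset, sorted."""
    return sorted({r["source"] for r in rows if r.get("source")})


def residual_audit_rules(rows: Rows) -> bool:
    """At least one audit_rules row means rules left over from audit mode."""
    return len(rows) >= 1


def verdict(ebpf_rows: Rows, source_rows: Rows, audit_rows: Rows) -> str:
    """Combine the three checks into the outcome the article walks through."""
    if not ebpf_enabled(ebpf_rows):
        return "ebpf-disabled"
    # Assumption: the eBPF source is reported as "ebpf" (case-insensitive).
    if "ebpf" not in [s.lower() for s in event_sources(source_rows)]:
        return "ebpf-enabled-no-ebpf-events"
    if residual_audit_rules(audit_rows):
        return "ebpf-with-residual-audit-rules"  # clean up per step 3.2
    return "ebpf-clean"


if __name__ == "__main__":
    print(verdict(run_query(Q_EBPF), run_query(Q_SOURCE), run_query(Q_AUDIT)))
```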
