There have been instances where the Linux EDR service (cwp.service) is unexpectedly put into the "stopped" state, according to systemd. This occurs when a desired-state configuration manager (such as Puppet) decides to start auditd, since our service declares a conflict with it.
The result is a crash-on-startup loop, and systemd stops a service that keeps crashing. This is seen most often when a customer wants to run auditd and the Linux EDR sensor using eBPF at the same time.
The systemd unit file packaged with the sensor contains the line `Conflicts=auditd.service`, which is what causes this behavior. It also often occurs for customers running configuration management tools such as Puppet.
If you experience this issue, please replace the `cwp.service` file in /etc/systemd/system/multi-user.target.wants/ with the following contents:
```ini
[Unit]
Description=Red Canary Cloud Workload Protection Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target
# Conflicts=auditd.service is intentionally omitted so the sensor and auditd can run together
Conflicts=shutdown.target

[Service]
WorkingDirectory=/opt/redcanary
ExecStart=/opt/redcanary/cwp-launch
Restart=always
TimeoutSec=15

[Install]
WantedBy=multi-user.target
```
Once you’ve replaced this unit file, restart the sensor.