2061 Views, 15 Helpful, 2 Replies

RHEL 7.6 AMP Connector Exclusion Policy

Milne301 (Level 1)

Hi Guys

I'm having an issue where our server running Red Hat 7.6 is hanging due to high CPU and memory usage. The system becomes unresponsive for about an hour, then sometimes goes back to normal or we need to reset it.

I've managed to capture the top information, and ampdaemon seems to ramp up alongside a database; to me that sounds like the DB is getting scanned? Once this happens it then becomes unresponsive for an hour and no one can log in; load goes over 150 (it has 7 CPU processors). Swap also gets eaten up and zombie processes are present (around 8). However, when the server becomes responsive again these are gone (obviously released, and the parent has finally been terminated).

We have Oracle 12.2 running on it and we were told the server has exclusions on it for certain directories (DBs), but I'm seeing the following in the ciscodaemon logs:

Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@821]:[139630454748928]: Excluding only 0 of 12 paths for file create
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/etc/shadow" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/local/code" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/nsr" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/opt/OV/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/STORE/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/tmp" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u01/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u02/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u03/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u04/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u05/app/" in driver: Operation not supported
Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/var/log" in driver: Operation not supported

Does this mean that the policy is not working and these are not being excluded? Is there a driver or compatibility issue?

I did see on the AMP connector page that it says compatibility is 1.9.1+; however, there is a column saying 1.12.5+. Does that mean if you are on 1.12 then you should be running at least 1.12.5? Or does it mean anything over 1.9.1 will work even if you are on 1.12.3?

We are running 1.12.3.

Thanks in advance for your help.

Thanks

Craig
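The log excerpt in the question says the driver accepted 0 of 12 exclusion paths, which means every directory the policy lists (including the Oracle /u0x/app/ trees) is still being scanned on file create. As an added example, not Cisco's tooling and not code from the thread, here is a small Python parser that pulls that summary count and the rejected paths out of ampdaemon lines of this shape and reports which paths an administrator expected to be excluded were refused by the driver. The two regexes assume the message formats seen in the excerpt; the sample lines are copied from the question, and the expected-exclusion list passed in at the bottom is a constructed illustration.

```python
"""Check whether the AMP Linux connector's kernel driver actually applied the
policy's path exclusions, based on ampdaemon log lines.

Added example; not Cisco's tooling. The message shapes matched below are an
assumption taken from the log excerpt in the question.
"""

import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# e.g. "... Excluding only 0 of 12 paths for file create"
SUMMARY_RE = re.compile(
    r"ampdaemon\[(?P<pid>\d+)\].*?Excluding only (?P<applied>\d+) of "
    r"(?P<total>\d+) paths for (?P<op>.+?)\s*$"
)
# e.g. '... Unable to exclude "/tmp" in driver: Operation not supported'
FAILURE_RE = re.compile(
    r'ampdaemon\[(?P<pid>\d+)\].*?Unable to exclude "(?P<path>[^"]+)" in driver: '
    r"(?P<reason>.+?)\s*$"
)


@dataclass
class ExclusionReport:
    applied: Optional[int] = None       # paths the driver accepted
    total: Optional[int] = None         # paths the policy asked for
    operation: Optional[str] = None     # file operation the summary refers to
    failed: Dict[str, str] = field(default_factory=dict)  # path -> driver reason

    @property
    def none_applied(self) -> bool:
        """True when the policy lists paths but the driver excluded none of them."""
        return self.total is not None and self.total > 0 and self.applied == 0


def parse_ampdaemon_log(lines: Iterable[str]) -> ExclusionReport:
    """Collect the exclusion summary and every per-path driver rejection."""
    report = ExclusionReport()
    for line in lines:
        m = SUMMARY_RE.search(line)
        if m:
            report.applied = int(m.group("applied"))
            report.total = int(m.group("total"))
            report.operation = m.group("op")
            continue
        m = FAILURE_RE.search(line)
        if m:
            report.failed[m.group("path")] = m.group("reason")
    return report


def unprotected_paths(report: ExclusionReport, expected: Iterable[str]) -> List[str]:
    """Paths the administrator expects to be excluded that the driver rejected,
    i.e. directories the connector is still scanning despite the policy."""
    return sorted(p for p in expected if p in report.failed)


# Constructed sample: lines copied from the question's log excerpt.
SAMPLE_LOG = [
    "Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@821]:[139630454748928]: Excluding only 0 of 12 paths for file create",
    'Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/tmp" in driver: Operation not supported',
    'Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u01/app/" in driver: Operation not supported',
    'Feb 16 13:35:03 hostname ampdaemon[2541] [fileop]:[notice]-[fileop_support.c@832]:[139630454748928]: Unable to exclude "/u02/app/" in driver: Operation not supported',
    "Feb 16 13:35:04 hostname ampdaemon[2541] [fileop]:[notice]: some unrelated line that must be ignored",
]

# Constructed: the directories an administrator believes the policy excludes.
EXPECTED_EXCLUSIONS = ["/u01/app/", "/u02/app/", "/oradata/"]

REPORT = parse_ampdaemon_log(SAMPLE_LOG)

if __name__ == "__main__":
    print(f"driver applied {REPORT.applied} of {REPORT.total} exclusions for {REPORT.operation}")
    if REPORT.none_applied:
        print("WARNING: no exclusion is in effect; the policy is not protecting anything")
    for path in unprotected_paths(REPORT, EXPECTED_EXCLUSIONS):
        print(f"still scanned: {path} ({REPORT.failed[path]})")
```

Pointing the parser at the live log (for example `parse_ampdaemon_log(open("/var/log/messages"))`) gives a quick yes/no on whether the connector's exclusions are actually in effect, which is the question the excerpt raises; a non-empty `unprotected_paths` result on an Oracle host is the condition worth alerting on before the box becomes unresponsive. Paths in `EXPECTED_EXCLUSIONS` that never appear in the log at all (like `/oradata/` in the sample) are simply not reported, because the log gives no evidence either way.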

1 Accepted Solution

Thanks for the reply.

We got in touch with Cisco AMP Security directly and they told us it's a BUG in 1.12.x and that we need to upgrade to 1.13.x+ in order to get rid of the bug. We have done that in SIT and will be doing it in pre-prod and prod shortly, but the upgrade seems to have fixed it (fingers crossed).

2 Replies

David Janulik (Cisco Employee)

Hi Craig,

Basically, this should go via opening a support ticket with TAC.
Briefly, there is nothing in the partial log presented. To tune exclusions for Oracle DB or any other application installed:

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214656-amp-for-endpoints-process-exclusions-in.html

And this looks like a policy exclusion issue; however, without support logs we cannot do much here.
To answer your question about compatibility with Red Hat 7.6: it is AMP 1.9.1 and newer. Your version is good to work with it:

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215163-amp-for-endpoints-linux-connector-os-com.html

David

Cyber security escalation engineer
