Microsoft Tech Community

mdatp_audisp_plugin


I was wondering if anyone knows what /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin is used for on RHEL.


I've noticed it can consume a lot of resources in some cases and I'm hoping to find some documentation on this Microsoft Defender RHEL plugin.

6 Replies

@roger_jr  If you find out the answer to this query, please let me know

@kalyan190 mdatp_audisp_plugin
The issue is that mdatp_audisp_plugin has a bug where the plugin might ingest unnecessary logs from the audit logs.

My suggestion is open a ticket with Microsoft TAC and they can provide a work around.



Sure, will open a ticket with Microsoft. Thanks Roger

@kalyan190 Hi Kalyan, were you able to get any workaround for the issue?

We are currently getting a similar issue on Ubuntu 16.04, where the errors below in /var/log/syslog are quickly filling up the hard drive.

Oct 8 00:35:15 hatchdpdeceallocator01 audispd: Starting reconfigure
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: priority_boost_parser called with: 4
Oct 8 00:35:15 hatchdpdeceallocator01 audispd: max_restarts_parser called with: 10

Check if you have any additional rules in the /etc/audit/rules.d/ dir. We had 30-ospp-v42-*.rules and it generated very high load with mdatp.

Short answer: For RHEL8
echo "-a never,exclude -F msgtype=SYSCALL" >/etc/audit/rules.d/exclude.rules

reboot


Medium answer:
MDATP uses auditd to analyze ALL SYSCALLS.
From the man page for audit.rules:
"only use syscall rules when you have to since these affect performance"


Long answer:
Not only was this flooding audit logs, and slowing processing... On larger DB servers it intermittently crashed the server and corrupted files. Not surprising when you try to analyze every call for I/O, RAM, inter-process fork/msg/wait/...


NOTE: Advanced auditd users would need a more customized solution.
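The two workarounds in this thread (check /etc/audit/rules.d/ for extra syscall rules, and stage a `-a never,exclude -F msgtype=SYSCALL` rule) can be turned into a small check script. The script below is an added example, not code from the thread, from Microsoft, or from the auditd project: it counts the syscall rules in a rules directory (the same `-a ... -S` syntax that `auditctl -l` prints, so the counter also works on the running ruleset), and stages the exclude rule from the RHEL 8 answer into a rules.d directory of your choosing without loading it. The function names, the sample rules files and their contents are mine and constructed for the demo; they are modelled on the shape of OSPP-style syscall rules, not copied from any real 30-ospp-v42-*.rules file. Nothing here touches /etc/audit unless you pass that path yourself.

```shell
#!/bin/sh
# Added example (not from the thread): audit-rule load check for hosts
# running mdatp_audisp_plugin. Function names and sample data are assumptions.
set -eu

# The workaround rule quoted in the RHEL 8 answer above.
EXCLUDE_RULE='-a never,exclude -F msgtype=SYSCALL'

# Count syscall rules on stdin. A syscall rule is an "-a" line that carries
# "-S"; "-w" watch rules and the exclude rule itself are not counted.
# Works on a rules file (cat file | ...) and on "auditctl -l" output.
count_syscall_rules() {
    grep -Ec '^[[:space:]]*-a[[:space:]].*[[:space:]]-S[[:space:]]' || true
}

# Per-file report for every *.rules file in a directory, total last.
report_rules_dir() {
    dir=$1
    total=0
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue
        n=$(count_syscall_rules < "$f")
        printf '%s: %s syscall rule(s)\n' "$f" "$n"
        total=$((total + n))
    done
    printf 'total %s\n' "$total"
}

# Only the grand total, for scripting and for the checks below.
total_syscall_rules() {
    report_rules_dir "$1" | sed -n 's/^total //p'
}

# 0 if the exclude rule is already staged in <dir>/exclude.rules, else 1.
# "-e" keeps grep from reading the rule's leading "-a" as an option.
exclude_rule_staged() {
    grep -qxF -e "$EXCLUDE_RULE" "$1/exclude.rules" 2>/dev/null
}

# Stage the workaround as <dir>/exclude.rules. Idempotent; it does NOT load
# the rule, so the running ruleset is unchanged until augenrules runs.
stage_exclude_rule() {
    dir=$1
    f="$dir/exclude.rules"
    if exclude_rule_staged "$dir"; then
        printf 'already staged: %s\n' "$f"
        return 0
    fi
    printf '%s\n' "$EXCLUDE_RULE" >> "$f"
    printf 'staged: %s\n' "$f"
}

# Constructed sample rules.d (assumption, not a real host): one file with
# syscall rules of the kind an OSPP-style profile ships, one with watches only.
make_sample_rules_dir() {
    d=$(mktemp -d)
    cat > "$d/30-sample-syscalls.rules" <<'EOF'
# constructed sample, modelled on the shape of OSPP profile rules
-a always,exit -F arch=b64 -S execve -F key=execpriv
-a always,exit -F arch=b32 -S execve -F key=execpriv
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=access
-w /etc/passwd -p wa -k identity
EOF
    cat > "$d/10-watches.rules" <<'EOF'
# constructed sample: file watches only, no syscall rules
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k actions
EOF
    printf '%s\n' "$d"
}

# Demo run against the constructed directory (3 syscall rules expected).
SAMPLE_DIR=$(make_sample_rules_dir)
report_rules_dir "$SAMPLE_DIR"
stage_exclude_rule "$SAMPLE_DIR"
stage_exclude_rule "$SAMPLE_DIR"      # second call is a no-op
cat "$SAMPLE_DIR/exclude.rules"
rm -rf "$SAMPLE_DIR"
# On a real host, as root: report_rules_dir /etc/audit/rules.d, then
# stage_exclude_rule /etc/audit/rules.d, then "augenrules --load" instead of
# a reboot, and "auditctl -l | count_syscall_rules" to see what is loaded.
```

Two caveats. The exclude filter drops SYSCALL records before they reach any consumer of the audit stream, so after loading it every audisp plugin and the audit log itself stop seeing syscall records, not just mdatp_audisp_plugin; that is the case the last poster means by "advanced auditd users would need a more customized solution". And the count above measures rule lines, not load: one `-S all` rule costs far more than ten rules keyed to a single syscall, so treat a non-zero total as a prompt to read the files, not as a verdict.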