Seccomp default policy is missing clock_nanosleep

izaneuski · November 23, 2022, 9:28am

On some ubuntu hosts I'm facing high CPU consumption by auditbeat(7.16.3&8.5.1) and journalbeat(7.15.2) with default config.

During investigation with strace found out:

clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)

Fixed by adding to beat config:

seccomp:
  syscalls:
  - action: allow
    names:
    - clock_nanosleep

andrewkroh · November 23, 2022, 12:06pm

Thanks for the report. Can you open an an issue on github for this.

Can you include the OS version and glibc deb pkg version there too.

izaneuski · November 23, 2022, 1:03pm

github.com/elastic/beats

Seccomp default policy is missing clock_nanosleep

opened 01:02PM - 23 Nov 22 UTC

izaneuski

needs_team

On some ubuntu hosts I'm facing high CPU consumption by auditbeat(7.16.3&8.5.1) …and journalbeat(7.15.2) with default config. During investigation with `strace` found out: ``` clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted) clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted) clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted) ``` Fixed by adding to beat config: ``` seccomp: syscalls: - action: allow names: - clock_nanosleep ``` - Version: ``` ldd --version ldd (Ubuntu GLIBC 2.31-0ubuntu9.9) 2.31 ``` - Operating System: ``` cat /etc/os-release NAME="Ubuntu" VERSION="20.04.5 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.5 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal ``` ``` uname -a Linux ip-10-224-140-239 5.15.0-1023-aws #27~20.04.1-Ubuntu SMP Wed Oct 26 20:02:26 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ``` - Discuss Forum URL: https://discuss.elastic.co/t/seccomp-default-policy-is-missing-clock-nanosleep/319637/1

system · December 21, 2022, 3:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat configuration to use the "Modification of OpenSSH binaries" detection rule Beats auditbeat	2	476	December 22, 2021
Auditbeat 7.17 high cpu usage Beats docker , auditbeat	1	390	April 14, 2023
Disable fileintegrity and dataset module in auditbeat Beats auditbeat	2	1006	May 23, 2019
Confining Beats (aka SELinux policy for beats on EL) Beats	4	1526	February 8, 2018
Auditbeat installation replaces custom config with example Beats auditbeat	3	782	October 5, 2018

Seccomp default policy is missing clock_nanosleep

Related Topics