Seccomp default policy is missing clock_nanosleep

izaneuski · November 23, 2022, 9:28am

On some ubuntu hosts I'm facing high CPU consumption by auditbeat(7.16.3&8.5.1) and journalbeat(7.15.2) with default config.

During investigation with strace found out:

clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)

Fixed by adding to beat config:

seccomp:
  syscalls:
  - action: allow
    names:
    - clock_nanosleep

andrewkroh · November 23, 2022, 12:06pm

Thanks for the report. Can you open an an issue on github for this.

Can you include the OS version and glibc deb pkg version there too.

izaneuski · November 23, 2022, 1:03pm

github.com/elastic/beats

Seccomp default policy is missing clock_nanosleep

opened 01:02PM - 23 Nov 22 UTC

izaneuski

needs_team

On some ubuntu hosts I'm facing high CPU consumption by auditbeat(7.16.3&8.5.1) …and journalbeat(7.15.2) with default config. During investigation with `strace` found out: ``` clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted) clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted) clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted) ``` Fixed by adding to beat config: ``` seccomp: syscalls: - action: allow names: - clock_nanosleep ``` - Version: ``` ldd --version ldd (Ubuntu GLIBC 2.31-0ubuntu9.9) 2.31 ``` - Operating System: ``` cat /etc/os-release NAME="Ubuntu" VERSION="20.04.5 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.5 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal ``` ``` uname -a Linux ip-10-224-140-239 5.15.0-1023-aws #27~20.04.1-Ubuntu SMP Wed Oct 26 20:02:26 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ``` - Discuss Forum URL: https://discuss.elastic.co/t/seccomp-default-policy-is-missing-clock-nanosleep/319637/1

system · December 21, 2022, 3:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat triggers seccomp violations? Beats auditbeat	6	809	July 8, 2019
Configuring Auditbeat to only report modifications to files I want to monitor Beats auditbeat	7	1222	October 23, 2018
Auditbeat configuration to use the "Modification of OpenSSH binaries" detection rule Beats auditbeat	2	477	December 22, 2021
Auditbeat is devouring the CPU Beats auditbeat	3	552	September 10, 2019
Auditbeat consuming almost 90% cpu some times Beats auditbeat	3	341	August 31, 2020

Seccomp default policy is missing clock_nanosleep

Related topics