Carbon Black Cloud for Linux: How To Restrict the Disk Utilization For Endpoint Standard and Enterprise EDR Events


Environment

  • Carbon Black Cloud (Linux) Sensor: 2.9.0 and Higher
  • Linux: All Supported Versions

Objective

To restrict disk usage on Linux endpoints with limited disk storage, particularly in /var.

Resolution

  1. Uninstall the old agents from the systems.
  2. Completely remove the /var/opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40 directory.
  3. Install sensor 2.9.0.312585 or higher.
  4. Create the file th.ini:
    sudo touch /var/opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40/th.ini
  5. Add the lines below to the newly created file:
    • For sensors 2.9.1 and higher:
      [ThreatHunter]
      THMaxDiskUsageMb=<Limit in megabytes>
      BulkBehaviorMaxDiskUsageMb=<Limit in megabytes>
    • For sensor versions prior to 2.9.1:
      [ThreatHunter]
      MaxTotalArchiveSize=<Limit in bytes>
      BulkBehaviorHighDiskUsageMb=<Limit in megabytes, must be ~80% of BulkBehaviorMaxDiskUsageMb>
      BulkBehaviorMaxDiskUsageMb=<Limit in megabytes>
  6. Restart the sensor:
    sudo systemctl restart cbagentd
  7. Do not move any files out of these directories, whether the sensor is running or not.

Additional Notes

  • The default size for each directory is 1Gb and is hardcoded. Creating the .ini file overrides the hardcoded default. The lower this is set, the fewer events the sensor will store before they are purged. Once purged, that data is permanently lost.
  • THMaxDiskUsageMb and MaxTotalArchiveSize control the size of the "events" directory, which contains Enterprise EDR (formerly CB ThreatHunter) events before they are sent to the backend.
  • BulkBehaviorMaxDiskUsageMb controls the size of the "behavior-events" directory, which contains Endpoint Standard (formerly CB Defense) events before they are sent to the backend.
  • BulkBehaviorHighDiskUsageMb tells the sensor that the disk is getting full and that, once this threshold is reached, it should prioritize certain types of events for storage. It should be set slightly lower than BulkBehaviorMaxDiskUsageMb, approximately 80% of it.
  • Formerly, BulkBehaviorMaxDiskUsageMb depended on and required a value for BulkBehaviorHighDiskUsageMb; that dependency was removed in the 2.9.1 sensor release.
  • MaxTotalArchiveSize will continue to work on 2.9.1+ should the sensor be upgraded.
  • Note that MaxTotalArchiveSize is in bytes, while the settings with the Mb suffix (THMaxDiskUsageMb, BulkBehaviorHighDiskUsageMb and BulkBehaviorMaxDiskUsageMb) are in MB.
  • These should be set to 128Mb at an absolute minimum; closer to the defaults is better.
  • The following example limits Enterprise EDR (formerly ThreatHunter) events to 256Mb and Endpoint Standard (formerly CB Defense) events to 256Mb, for a net total of half a GB, excluding the logs, whose size is not currently configurable:
    [ThreatHunter]
    MaxTotalArchiveSize=268435456
    BulkBehaviorHighDiskUsageMb=200
    BulkBehaviorMaxDiskUsageMb=256
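The steps in the Resolution and the unit and threshold rules in these notes are easy to get wrong by hand (bytes versus megabytes, the ~80% high-water mark, the 128Mb floor). The script below is an added example, not part of the Carbon Black article: it generates a th.ini for either key format and re-checks a file before the sensor is restarted. The blade directory path is the one from the article; the 70% lower bound in the check is this example's own tolerance for "approximately 80%".

```shell
#!/bin/sh
# Added example: build and sanity-check th.ini for the Carbon Black Cloud Linux sensor.
BLADE_DIR=/var/opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40
MIN_MB=128   # absolute minimum recommended by the article

# gen_th_ini <events_mb> <behavior_mb> <legacy: 0|1>
# Prints th.ini content. legacy=1 (sensor < 2.9.1) emits MaxTotalArchiveSize in
# bytes and derives BulkBehaviorHighDiskUsageMb as 80% of BulkBehaviorMaxDiskUsageMb;
# legacy=0 emits the 2.9.1+ THMaxDiskUsageMb key instead.
gen_th_ini() {
  events_mb=$1; behavior_mb=$2; legacy=$3
  for v in "$events_mb" "$behavior_mb"; do
    case $v in ''|*[!0-9]*) echo "limits must be whole megabytes" >&2; return 1;; esac
    [ "$v" -ge "$MIN_MB" ] || { echo "limit ${v}Mb is below the ${MIN_MB}Mb minimum" >&2; return 1; }
  done
  echo "[ThreatHunter]"
  if [ "$legacy" = 1 ]; then
    echo "MaxTotalArchiveSize=$((events_mb * 1024 * 1024))"   # MB -> bytes
    echo "BulkBehaviorHighDiskUsageMb=$((behavior_mb * 80 / 100))"
  else
    echo "THMaxDiskUsageMb=$events_mb"
  fi
  echo "BulkBehaviorMaxDiskUsageMb=$behavior_mb"
}

# check_th_ini <file>
# Re-reads a th.ini and fails if the Endpoint Standard cap is missing or below the
# minimum, or if a high-water mark is present but not below the cap (and not within
# this example's 70%..99% tolerance of it).
check_th_ini() {
  f=$1
  max=$(sed -n 's/^BulkBehaviorMaxDiskUsageMb=//p' "$f")
  high=$(sed -n 's/^BulkBehaviorHighDiskUsageMb=//p' "$f")
  [ -n "$max" ] && [ "$max" -ge "$MIN_MB" ] || return 1
  if [ -n "$high" ]; then
    [ "$high" -lt "$max" ] && [ "$high" -ge $((max * 70 / 100)) ] || return 1
  fi
  return 0
}

# Usage (as root, after the blade directory exists; then restart so the file is read):
#   gen_th_ini 256 256 1 > "$BLADE_DIR/th.ini" && check_th_ini "$BLADE_DIR/th.ini"
#   systemctl restart cbagentd
```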

Article Information

Creation Date: 10-07-2020