cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
vtgt
Level 10
Report Inappropriate Content
Message 1 of 4
‎02-24-2023 03:36 AM

Incompatibility issue between Trellix EDR and Auditd for RHEL

When installing Trellix EDR 4.1.0.2243 on Redhat Linux 7.9 we noticed that Auditd service crashes.
We were able to identify that Trellix EDR Trace feature is responsible for this crash.

According to the product documentation of Redhat the Auditd service only can forward events to one destination service.


With https://kcm.trellix.com/corporate/index?page=content&id=KB92460 a knowledge base article was already published that there is an incompatibility issue with ACC and Auditd.
Do we have the same issue with Trellix EDR Trace feature?

A confirmation of the product team is much appreciated.

0 Kudos
Reply
3 Replies
Pravas
Employee
Employee
Report Inappropriate Content
Message 2 of 4
‎02-25-2023 09:16 PM

Re: Incompatibility issue between Trellix EDR and Auditd for RHEL

Hi @vtgt ,

As per KB92460 Trellix EDR is incompatible when ACC & Auditd are installed together.

The only work-around it to use either ACC or Auditd but not both.

Thanks

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

0 Kudos
Reply
vtgt
Level 10
Report Inappropriate Content
Message 3 of 4
‎03-14-2023 01:44 AM

Re: Incompatibility issue between Trellix EDR and Auditd for RHEL

Hi @Pravas 

We do not use ACC on RHEL but we are using Auditd for internal monitoring.

Now we have the issue that Trellix EDR does not collect any process activities on RHEL.

We are wondering whether Trellix EDR has the same issue with Auditd if this service is used for kernel monitoring?  

0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 4 of 4
‎04-12-2023 07:54 AM

Re: Incompatibility issue between Trellix EDR and Auditd for RHEL

What version of RHEL?  I think they latest release isn't yet supported.  

 

Edit:  You said 7.9.  I'm pretty sure it isn't supported until the next release.  I have the same issue there.  

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC