Merge pull request #22417 from MicrosoftDocs/siosulli-patch-9

siosulli · web-flow · commit 2e7913032c9a · 2023-10-08T22:03:59.000+01:00
Update linux-support-ebpf.md
diff --git a/microsoft-365/security/defender-endpoint/linux-support-ebpf.md b/microsoft-365/security/defender-endpoint/linux-support-ebpf.md
@@ -21,9 +21,6 @@ ms.date: 07/19/2023
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-> [!IMPORTANT]
-> Some information relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
 **Applies to:**
 
 - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
@@ -47,7 +44,8 @@ With eBPF, events previously obtained from the auditd event provider now flow fr
 In addition, the eBPF sensor uses capabilities of the Linux kernel without requiring the use of a kernel module that helps increase system stability.
 
 > [!NOTE]
-> In the preview version eBPF will be used in conjunction with auditd while auditd will be used only for logging data and network protection events and will capture these events without any custom rules and flow them automatically. Be aware that auditd will be removed in future versions.
+> eBPF will be used in conjunction with auditd. Auditd will be used to capture user login events only and flow them automatically. Be aware that auditd will be gradually removed in future versions.
+
 
 ## System prerequisites
 
@@ -64,22 +62,34 @@ The eBPF sensor for Microsoft Defender for Endpoint on Linux is supported on the
 | Oracle Linux RHCK  | 7.9                  | 3.10.0-1160    |
 | Oracle Linux UEK   | 7.9                  | 5.4            |
 
-When the eBPF sensor is enabled on an endpoint, Defender for Endpoint on Linux updates supplementary_events_subsystem to ebpf.
-
 ## Use eBPF
 
-The eBPF sensor will be automatically turned on and gradually rolled out across all insider machines over the coming days following this publication. You will need Microsoft Defender for Endpoint version 101.23062.0005 or later to experience the most recent improvements using the new sensor.
+The eBPF sensor will be automatically enabled for all customers on agent versions “101.23082.0006” and above. When the eBPF sensor is enabled on an endpoint, Defender for Endpoint on Linux updates supplementary_events_subsystem to ebpf.
 
 :::image type="content" source="../../media/defender-endpoint/ebpf-subsystem-linux.png" alt-text="ebpf subsystem highlight in the mdatp health command" lightbox="../../media/defender-endpoint/ebpf-subsystem-linux.png":::
 
-If you're running a production build and interested in evaluating the eBPF preview functionality, you can use the following mdatp config command (requires privileges):
+If you want to manually disable eBPF, you can run the following command:
 
 ```bash
 sudo mdatp config ebpf-supplementary-event-provider --value [enabled/disabled]
 ```
 
 > [!IMPORTANT]
-> If you disable eBPF, the supplementary event provider switches back to auditd.
+> If you disable eBPF, the supplementary event provider switches back to auditd. </br>
+> In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules.
+
+### Immutable mode of Auditd
+
+After enabling eBPF, customers using auditd in immutable mode must reboot their system in order to clear the audit rules added by Microsoft Defender for Endpoint. This is because immutable mode of auditd freezes the rules file and prevents it from being edited or overwritten. To verify that the audit rules have been cleared, run the following command after the reboot:
+
+```bash
+% sudo auditctl -l
+```
+The output of the command should show no rules or any user added rules. If the rules weren't removed, follow these steps to clear the audit rules file:
+
+  1. Switch to ebpf mode
+  2. Remove the file /etc/audit/rules.d/mdatp.rules
+  3. Reboot the machine
 
 ### Troubleshooting and diagnostics
 
@@ -95,9 +105,6 @@ The following two sets of data help analyze potential issues and determine the m
 
 2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
 
-> [!NOTE]
-> In the preview version, diagnostic capabilities for top processes consuming eBPF resources and troubleshooting capabilities for configuring eBPF exclusions are not supported. These functionalities will be available in future versions.
-
 ## See also
 
 - [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md)
