How to Limit Resource Allocation for the Linux Sensor
Article ID: 285601
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
To configure Carbon Black Cloud Linux Sensor to use limited memory and/or CPU resources
Environment
Carbon Black Cloud Linux Sensor: All Supported Versions
Endpoint Standard
Enterprise EDR
Linux: All Supported Versions
Resolution
WARNING: Do not use these instructions without first confirming that the performance issue is a resource allocation issue on the Linux endpoint itself and not a problem with the sensor. Specifically, confirm that processes on the system are truly in contention, meaning total CPU usage is near 200% or at least high enough that there isn't CPU time available for all processes that need it.
Edit the /usr/lib/systemd/system/cbagentd.service file
sudo vi /usr/lib/systemd/system/cbagentd.service
Add the line MemoryLimit=<value> to limit RAM usage or CPUQuota=<percentage%> to limit CPU usage, for example 2G or 40%
After adding this, monitor /var/log/messages in another window in case there is an error during implementation
tail -f /var/log/messages
Run this command to restart the daemon
systemctl daemon-reload
To verify the memory limit is in place, run the following
systemctl status cbagentd
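The edit step above, scripted as an added example (not Broadcom's or the sensor's own tooling): it validates the value, keeps a backup, and writes the directive into the [Service] section, which is where systemd reads resource-control settings for a service. The function names, the accepted value formats (a conservative subset of what systemd allows) and the sample unit file are constructed for illustration.

```shell
# Added example: set MemoryLimit= or CPUQuota= in a unit file without duplicating it.
# valid_limit KEY VALUE -> exit 0 only if VALUE is well-formed for KEY
valid_limit() {
    case "$2" in ''|*[!0-9A-Za-z%]*) return 1 ;; esac   # no spaces, newlines, metacharacters
    case "$1" in
        MemoryLimit) printf '%s\n' "$2" | grep -Eq '^([0-9]+[KMGT]?|infinity)$' ;;
        CPUQuota)    printf '%s\n' "$2" | grep -Eq '^[1-9][0-9]*%$' ;;
        *)           return 1 ;;
    esac
}

# set_limit UNIT_FILE KEY VALUE -> rewrites UNIT_FILE, leaving the original in UNIT_FILE.bak
set_limit() {
    unit=$1 key=$2 value=$3
    valid_limit "$key" "$value" || { echo "rejected: $key=$value" >&2; return 1; }
    grep -q '^\[Service\]' "$unit" || { echo "no [Service] section in $unit" >&2; return 1; }
    cp -p "$unit" "$unit.bak" || return 1
    awk -v key="$key" -v value="$value" '
        /^\[/ { in_service = ($0 ~ /^\[Service\]/) }      # track the current section
        in_service && index($0, key "=") == 1 { next }    # drop any earlier setting
        { print }
        /^\[Service\]/ { print key "=" value }            # write the new setting
    ' "$unit.bak" > "$unit"
}

# Constructed sample unit file; the real cbagentd.service contents differ.
make_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Sample sensor daemon (constructed)

[Service]
ExecStart=/bin/true
CPUQuota=80%

[Install]
WantedBy=multi-user.target
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    make_sample_unit "$tmp"
    set_limit "$tmp" MemoryLimit 2G && set_limit "$tmp" CPUQuota 40%
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

Run it against a copy of the unit file first and diff the result against the .bak copy before pointing it at /usr/lib/systemd/system/cbagentd.service.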
Additional Information
Limiting CPU time available to the sensor may result in events that would have otherwise been reported being dropped, which could reduce the security efficacy of the sensor. Events resulting from malicious behavior may never be reported.
As noted above, please confirm the performance issue is not a problem with the sensor but a resource allocation issue on the Linux endpoint itself.
If limiting memory, monitor swap usage to make sure it is not growing; restarting the sensor may be needed to reset memory growth.