Merge pull request #2031 from lakshmyav/docs-editor/linux-support-ebpf-1732697199

Add documentation about ksplice issue

Author: denisebmsft

defender-endpoint/linux-support-ebpf.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 12/02/2024
 ---
 
 # Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux
@@ -116,7 +116,9 @@ Post reboot, run the following command to check if audit rules were cleared:
 The output of previous command should show no rules or any user added rules. In case where the rules weren't removed, do the following steps to clear the audit rules file:
 
 1. Switch to ebpf mode.
+
 2. Remove the file `/etc/audit/rules.d/mdatp.rules`.
+
 3. Reboot the machine.
 
 ### Troubleshooting and Diagnostics
@@ -131,23 +133,29 @@ uname -a
 
 1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue, you can take one of the following steps:
 
-    - Use a distro version higher than RHEL 8.1.
-    - Switch to AuditD mode if you need to use RHEL 8.1 version.
+   - Use a distro version higher than RHEL 8.1.
+   - Switch to AuditD mode if you need to use RHEL 8.1 version.
 
 2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue, you can take one of the following steps:
 
-    - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
-    - Switch to AuditD mode if you need to use the same kernel version
+   - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
+   - Switch to AuditD mode if you need to use the same kernel version
 
-```bash
-sudo mdatp config  ebpf-supplementary-event-provider  --value disabled
-```
+      ```bash
+      sudo mdatp config  ebpf-supplementary-event-provider  --value disabled
+      ```
+
+   - The following two sets of data help analyze potential issues and determine the most effective resolution options.
+
+      1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).
 
-The following two sets of data help analyze potential issues and determine the most effective resolution options.
+      2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
 
-1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).
+3. System hangs on Oracle Linux 7.9 running Defender for Linux when ksplice is used for live kernel patching. 
 
-2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
+    - Auto-install patching of ksplice simply adds a cron job to the endpoint.
+    - To mitigate the hang issue, you can create a cron job which will first stop the mdatp service, apply ksplice based patching, then start the service.  
+    - As kernel patching is few seconds activity so this will not have major exposure in terms of security.  
 
 #### Troubleshooting performance issues