Environment
- Linux: All Supported Versions
- Linux Agent: All Supported Versions
Objective
How to run the FAPREDEP script as provided by VMware Carbon Black.
Resolution
- Download the script here: FAPREDEP
- Temporarily stop the Linux Agent process, and unload the module via Terminal:
lsmod | grep b9k (Take a note of the version number)
cd /opt/bit9/bin
./b9cli --password GlobalCLIPassword
./b9cli --tamperprotect 0
./b9cli --shutdown
pgrep b9daemon (Confirm b9daemon has shut down cleanly)
rmmod b9k_87816 (Match the b9k version taken from Step 1)
lsmod | grep b9k (Confirm the module is unloaded)
- Run FAPREDEP on the Linux device:
sudo ./fapredep.sh
- Allow the script to run for the designated 10 minutes.
- Collect fapredep.tar.gz from /tmp directory and upload to the Vault for review.
- Start the Agent:
./b9cli --startup
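The steps above as one wrapper, an added example that is not VMware Carbon Black code: it reads the b9k module name from lsmod instead of hard-coding it, refuses to unload while b9daemon is still running, and restarts the agent even if collection fails. FAPREDEP_DIR, the function names and the --collect switch are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example wrapping the steps above; not VMware Carbon Black code. Run as root.
B9BIN=/opt/bit9/bin                       # agent CLI directory, from the steps above
FAPREDEP_DIR=${FAPREDEP_DIR:-$PWD}        # assumption: where fapredep.sh was unpacked

# Read lsmod-style text on stdin and print the single loaded b9k module name
# (for example b9k_87816). Fails on zero or several matches so rmmod never guesses.
b9k_module() {
    awk '$1 ~ /^b9k/ { name = $1; n++ } END { if (n != 1) exit 1; print name }'
}

# Per-host archive name, useful when collecting from multiple devices.
archive_name() { printf '%s-fapredep.tar.gz\n' "$1"; }

collect() {
    local mod pw rc i
    mod=$(lsmod | b9k_module) || { echo "expected exactly one b9k module" >&2; return 1; }
    read -r -s -p "Global CLI password: " pw; echo
    cd "$B9BIN" || return 1
    ./b9cli --password "$pw" && ./b9cli --tamperprotect 0 && ./b9cli --shutdown || return 1
    # Wait up to 60 s for b9daemon to exit before touching the kernel module.
    for i in $(seq 1 60); do pgrep b9daemon >/dev/null || break; sleep 1; done
    if pgrep b9daemon >/dev/null; then
        echo "b9daemon still running; module left loaded" >&2; return 1
    fi
    rc=0
    if rmmod "$mod" && ! lsmod | grep -q "^$mod "; then
        (cd "$FAPREDEP_DIR" && ./fapredep.sh) || rc=$?   # runs for about 10 minutes
    else
        echo "could not unload $mod" >&2; rc=1
    fi
    # Restart the agent whether or not collection succeeded.
    (cd "$B9BIN" && ./b9cli --startup) || rc=1
    if [ "$rc" -eq 0 ]; then
        cp /tmp/fapredep.tar.gz "/tmp/$(archive_name "$(hostname)")" || rc=1
    fi
    return "$rc"
}

# Only act when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--collect" ]; then collect; fi
```

A non-zero exit means a step failed; check that the agent is running again before leaving the device.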
Additional Notes
- If collecting FAPREDEP logs on multiple devices, please change the filename to HOSTNAME-fapredep.tar.gz
- If inotifywatch returns Error 127, the file may need to be copied into the relevant SCRIPTDIR for fapredep.
- If inotifywatch returns Error 126, you will have to add executable permissions to the files inotifywait and inotifywatch inside the fapredep folder.