Environment
- EDR Sensor: 7.0.0 and Higher
- RHEL: 7.8 and Higher
- CentOS: 7.8 and Higher
- SUSE Linux: All Supported Versions
- Ubuntu Linux: All Supported Versions
Symptoms
Following error seen in cbebpf_ereror.log of EDR Sensor: "Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) Unable to initialize BPF program"
Cause
- Kernel_devel package missing
- Incorrect kernel_devel package installed (does not match kernel package version)
Resolution
Install kernel_devel package that matches the version of the kernel installed on the endpoint:
- Check if kernel-default-devel package is installed. If it is installed then the packages will show up, and the cbkernelupdate service status will be in a good state. If the kernel-default-devel package is not installed then the packages will not show up, and the cbkernelupdate service status will be in an error state and the sensor will not work.
rpm -qa | grep kernel | grep devel
service cbkernelupdate status
- Manually install the kernel-default-devel package that matches the running kernel and restart the cbdaemon service:
zypper -n --config /var/opt/carbonblack/response/zypp.conf install -f -y kernel-default-devel=KERNELVERSION
service cbdaemon restart
Related Content
