Environment
- EDR Sensor: 7.0.1 Linux Sensor
- SUSE: 15.x
Symptoms
- Example error during install:
Module not found for 5.3.18-24.43-default
Running kernel unsupported, cannot load CarbonBlack kernel module!
Initializing BPF Program ...
modprobe: FATAL: Module kheaders not found in directory /lib/modules/5.3.18-24.43-default
chdir(/lib/modules/5.3.18-24.43-default/build): No such file or directory
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module)
Unable to initialize BPF program
Cause
- The kernel development package is not installed, and this creates a partial installation.
Resolution
Note that step 1 can be skipped in favor of moving straight on to installing the sensor, but it may be necessary to come back to step 1 at some point during the workaround.
1. Check if the kernel development package is installed and, if not, install it manually.
  - Execute the command below to see if the kernel development package is installed
  - There should be a kernel-devel and kernel-default-devel package that match the kernel-default one.
  - If the kernel development package is not installed then install it manually. Note: the install of the kernel development package may fail if, for example, the system is unregistered and/or the repository is not configured. These sorts of issues must be resolved before the package can be installed.
    # fullkver=$(zypper se -s kernel-default-devel | awk '{split($0,a,"|"); print a[4]}' | grep $(uname -r | awk '{gsub("-default", "");print}') | sed -e 's/^[ \t]*//' | tail -n 1)
    # zypper -n --config /var/opt/carbonblack/response/zypp.conf install -f -y kernel-default-devel="$fullkver"
2. Install the sensor:
  - Ignore the "Running kernel unsupported, cannot load CarbonBlack kernel module!" message. This is due to CB-33242 which is fixed in Linux Sensor Version 7.0.2.
  - If the install script gets stuck at "Starting daemon..." then ^C (CTRL + C) out. This is due to CB-33906 which is fixed in Linux Sensor Version 7.0.2.
3. Check if the sensor failed due to missing kernel development package:
  - Check the cbebpfdaemon log file /tmp/cbebpf_error.log for error messages that look like this indicating the kernel header package is not installed:
  - If there is an error message then do one of the following to install the missing package:
    - Install package by rebooting:
      - A reboot will cause cbkernelupdate service to run and try to install the package.
    - Install package by running cbkernelupdate service manually:
      - Stop cbdaemon and cbebpfdaemon services
      - Start the cbkernelupdate service
      - Start cbdaemon service
    - Install package manually as mentioned in the first step above (kernel-devel installation):
      - Stop cbdaemon and cbebpfdaemon services.
      - Follow step 1 above.
      - Start cbdaemon service
  - Go back to step 3 to check that the development package is now installed
4. Check the status of services:
  - Check cbkernelupdate service status:
    - It is OK for it to say "active (exited)" or "inactive (dead)" since it only tries to install the package and exits.
    - If there is a failure then it may be due to a failure to install the kernel package due to an unconfigured repository. Try installing it manually as in step 3.
  - Check cbebpfdaemon service status:
  - Check cbdaemon service status:
5. Check the health of the sensor on the server:
  - If the health is "50/100 Event Source Not Connected" then there is still a problem.
  - Go back through the steps to make sure nothing was missed. If nothing was missed, reach out to VMware CB Support.
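The package check from step 1 and the log check from step 3 can be scripted. The following is an added example, not VMware's or the sensor's own tooling: it reports which of kernel-devel and kernel-default-devel has no build matching the running kernel, and looks for the missing-headers messages from Symptoms in a log file. The function names and the sample package list are constructed for illustration, and it is an assumption that /tmp/cbebpf_error.log carries the same message text as the install output.

```shell
#!/bin/sh
# Added example, not vendor code. Package-name layout (name-version-release.arch)
# is an assumption based on typical `rpm -qa` output.

# 5.3.18-24.43-default -> 5.3.18-24.43 (the page's command strips "-default" too)
kver_base() {
    printf '%s\n' "${1%-default}"
}

# Print every required devel package with no build for the given kernel.
# $1 = `uname -r` value, $2 = newline-separated installed package list
missing_devel_pkgs() {
    base=$(kver_base "$1")
    for pkg in kernel-devel kernel-default-devel; do
        found=no
        while IFS= read -r line; do
            # Quoted prefix is literal; trailing "." stops 24.4 matching 24.43
            case "$line" in "$pkg-$base."*) found=yes ;; esac
        done <<EOF
$2
EOF
        [ "$found" = yes ] || printf '%s\n' "$pkg"
    done
}

# Succeeds if the log file holds the missing-headers messages quoted in Symptoms
# (assumed to appear in the daemon log with the same wording).
log_shows_missing_headers() {
    grep -q -e 'Unable to find kernel headers' \
            -e 'Module kheaders not found' "$1" 2>/dev/null
}

# Constructed sample: kernel-default-devel matches, kernel-devel is one build behind.
SAMPLE_RPMS='kernel-default-5.3.18-24.43.2.x86_64
kernel-default-devel-5.3.18-24.43.2.x86_64
kernel-devel-5.3.18-24.37.1.noarch'

echo "missing for 5.3.18-24.43-default:"
missing_devel_pkgs 5.3.18-24.43-default "$SAMPLE_RPMS"   # prints kernel-devel

# On a live host (not run here):
#   missing_devel_pkgs "$(uname -r)" "$(rpm -qa 'kernel*')"
#   log_shows_missing_headers /tmp/cbebpf_error.log && echo "headers missing"
```

An empty result from missing_devel_pkgs means both development packages match the running kernel, which is the state step 1 is meant to reach.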