
Enterprise EDR: Why are Kernel-Devel Headers required on some Linux Distros?

Environment

  • Enterprise EDR: All Version
  • Carbon Black Cloud Sensor: All Supported Versions
  • Linux: All Supported Versions 

Question

Why are Kernel-Devel Headers required on some Linux Distros?

Answer

The new Linux sensor uses extended Berkeley Packet Filter (eBPF) technology to collect Enterprise EDR events. The sensor's BPF programs are compiled against the headers of the running kernel, so BPF requires the Kernel-Devel package to be installed.

Additional Notes

  • Some Linux distributions build their kernel so that the headers are available through a special kernel module. On these distributions the Kernel-Devel package does not specifically have to be installed.
  • CentOS/RHEL 7 uses our kernel module instead of BPF.
  • A kernel module has the ability to bring down the machine, whereas BPF cannot, which is why CB has chosen BPF for kernels that support it.
  • LiveQuery/LiveResponse do not require BPF and therefore do not require Kernel-Devel.
  • Search the endpoint page for sensors in bypass and verify that kernel headers are installed on the listed devices. The following sensor-state filter lists them:
  • sensorStates:"REMGR_INIT _ERROR"
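The check behind the last two notes, as an added example that is not Carbon Black's own code: a small POSIX shell helper that reports whether the running kernel's headers are available to an eBPF-based sensor, either from the Kernel-Devel / linux-headers build tree under /lib/modules, or from a kernel built with CONFIG_IKHEADERS, which exposes its own headers through the kheaders module as /sys/kernel/kheaders.tar.xz (the "special kernel module" case above). The function takes a filesystem root as a parameter so it can be exercised against a constructed directory tree; the paths and the three status strings are this example's own choices, not sensor output.

```shell
#!/bin/sh
# Added example, not part of the original article or the Carbon Black sensor.
# Reports how the headers for a given kernel release can be found.

# kernel_headers_status ROOT RELEASE
#   ROOT    filesystem root ("/" on a live host; a scratch directory in tests)
#   RELEASE kernel release string, as printed by `uname -r`
# Prints "build-tree", "ikheaders" or "missing"; exits 1 when missing.
kernel_headers_status() {
    root=${1%/}          # "/" becomes "", so "$root/lib/..." is "/lib/..."
    release=$2

    # kernel-devel (RHEL/CentOS) and linux-headers (Debian/Ubuntu) both
    # populate /lib/modules/<release>/build with the kernel headers.
    if [ -f "$root/lib/modules/$release/build/include/linux/version.h" ] ||
       [ -f "$root/lib/modules/$release/build/include/generated/uapi/linux/version.h" ]; then
        echo "build-tree"
        return 0
    fi

    # Kernels built with CONFIG_IKHEADERS carry their own headers; once the
    # kheaders module is loaded they appear as a tarball under /sys/kernel.
    if [ -f "$root/sys/kernel/kheaders.tar.xz" ]; then
        echo "ikheaders"
        return 0
    fi

    echo "missing"
    return 1
}

# On a live host, try to load kheaders first so the IKHEADERS case is seen,
# then check the running kernel. modprobe may be absent or fail; that is fine.
check_running_kernel() {
    modprobe kheaders 2>/dev/null || true
    kernel_headers_status / "$(uname -r)"
}

# Run the live check only when invoked as `sh check_headers.sh check`.
if [ "${1:-}" = "check" ]; then
    check_running_kernel
fi
```

A "missing" result on a host whose sensor sits in bypass points at the Kernel-Devel package for that exact kernel release; a "build-tree" or "ikheaders" result means the headers are not the reason and the bypass cause lies elsewhere.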


Creation Date: 07-25-2022