EDR: Error in the cbebpf_error.log: "Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) Unable to initialize BPF program"

Article ID: 287270

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

The following error is seen in the cbebpf_error.log of the EDR Sensor: "Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) Unable to initialize BPF program"

Environment

  • EDR Sensor: 7.0.0 and Higher
  • RHEL: 7.8 and Higher
  • CentOS: 7.8 and Higher
  • SUSE Linux: All Supported Versions
  • Ubuntu Linux: All Supported Versions

Cause

  • Kernel_devel package missing
  • Incorrect kernel_devel package installed (does not match kernel package version)

Resolution

Install the kernel_devel package that matches the version of the kernel installed on the endpoint:
  1. Check whether the kernel-default-devel package is installed. If it is installed, the packages are listed and the cbkernelupdate service status is in a good state. If it is not installed, no packages are listed, the cbkernelupdate service status is in an error state, and the sensor will not work.
       rpm -qa | grep kernel | grep devel
       service cbkernelupdate status

  2. Manually install the kernel-default-devel package that matches the running kernel and restart the cbdaemon service:
       zypper -n --config /var/opt/carbonblack/response/zypp.conf install -f -y kernel-default-devel=KERNELVERSION
       service cbdaemon restart
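
The check in step 1 lists the devel packages but does not show whether one of them matches the running kernel, which is the second cause listed above. The script below is an added example, not part of the vendor article or the sensor: it compares `uname -r` with the `rpm -qa` output and reports match, mismatch or missing. The function name devel_status, the sample version strings and the package naming rule in the comments are assumptions of this example.

```shell
#!/bin/sh
# Classify the kernel devel package state for one kernel release.
#   $1 = running kernel release (output of `uname -r`)
#   $2 = installed package list (output of `rpm -qa`)
# Prints one of: match | mismatch | missing
devel_status() {
    running=$1
    pkgs=$2
    # Assumption: SUSE appends the flavor ("-default") to `uname -r` and ships
    # kernel-default-devel; other RPM-based distros ship kernel-devel.
    case $running in
        *-default) want="kernel-default-devel-${running%-default}" ;;
        *)         want="kernel-devel-$running" ;;
    esac
    # Same filter as `rpm -qa | grep kernel | grep devel`, anchored to the name.
    devel=$(printf '%s\n' "$pkgs" | grep '^kernel-.*devel' || true)
    [ -n "$devel" ] || { echo missing; return 0; }
    # A match is the wanted name-version-release, either exactly or followed
    # by a further "." component (rebuild counter, architecture).
    while IFS= read -r pkg; do
        case $pkg in
            "$want"|"$want".*) echo match; return 0 ;;
        esac
    done <<EOF
$devel
EOF
    # Devel packages are installed, but none belongs to the running kernel.
    echo mismatch
}

# Constructed sample data (not taken from a real endpoint).
SAMPLE_KERNEL='5.14.21-150400.24.100-default'
SAMPLE_PKGS='kernel-default-5.14.21-150400.24.100.2.x86_64
kernel-default-devel-5.14.21-150400.24.97.1.x86_64'
echo "sample: $(devel_status "$SAMPLE_KERNEL" "$SAMPLE_PKGS")"

# Live check, only where rpm is available.
if command -v rpm >/dev/null 2>&1; then
    echo "this host: $(devel_status "$(uname -r)" "$(rpm -qa)")"
fi
```

A result of mismatch or missing corresponds to the two causes above; step 2 then applies with the version of the running kernel.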