Enterprise EDR: Why are Kernel-Devel Headers required on some Linux Distros?
Article ID: 287460
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Why are Kernel-Devel Headers required on some Linux Distros?
Environment
Enterprise EDR: All Version
Carbon Black Cloud Sensor: All Supported Versions
Linux: All Supported Versions
Resolution
The newer Linux sensors use extended Berkeley Packet Filter (eBPF) technology to collect Enterprise EDR events. The sensor's eBPF programs are compiled against the running kernel's headers, so the kernel-devel package (the kernel headers matching the running kernel) must be installed.
Additional Information
Some Linux distributions build their kernel so that the headers are available through a special kernel module (the kheaders module on kernels built with CONFIG_IKHEADERS, which exposes the headers at /sys/kernel/kheaders.tar.xz). On those systems the kernel-devel package does not have to be installed separately.
CentOS/RHEL 7 uses the Carbon Black kernel module instead of BPF, so the kernel-devel package is not needed there for event collection.
A kernel module can crash the machine, whereas an eBPF program is checked by the kernel's verifier before it is loaded and cannot bring the kernel down in the same way. This is why Carbon Black chose BPF on kernels that support it.
LiveQuery and Live Response do not use BPF and therefore do not require kernel-devel.
On the Endpoints page, search for sensors in bypass and verify that kernel headers matching the running kernel are installed on each listed device.
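The header check above, and the kheaders alternative described in the additional information, can be verified on the endpoint itself. The script below is an added example for this article, not part of the Carbon Black sensor or its installer; the function names, the CONFIG_IKHEADERS fallback, and the `root` prefix argument (used only so the check can be exercised against a constructed directory tree) are assumptions of this example.

```shell
#!/bin/sh
# headers_status: report whether kernel headers usable for eBPF compilation
# are available for a kernel release. Hypothetical helper for this article.
#   $1 = kernel release (default: uname -r)
#   $2 = root prefix for the filesystem (default: empty, i.e. the live system)
# Prints "package", "kheaders" or "missing"; exit 1 only for "missing".
headers_status() {
    krel="${1:-$(uname -r)}"
    root="${2:-}"
    # kernel-devel (RHEL) installs to /usr/src/kernels/<release>,
    # linux-headers (Debian/Ubuntu) to /usr/src/linux-headers-<release>;
    # both are normally linked from /lib/modules/<release>/build.
    for d in "$root/lib/modules/$krel/build" \
             "$root/usr/src/kernels/$krel" \
             "$root/usr/src/linux-headers-$krel"; do
        if [ -f "$d/Makefile" ] && [ -d "$d/include/linux" ]; then
            echo package
            return 0
        fi
    done
    # Kernels built with CONFIG_IKHEADERS embed the headers and expose them
    # through the kheaders module as /sys/kernel/kheaders.tar.xz.
    if [ -f "$root/sys/kernel/kheaders.tar.xz" ]; then
        echo kheaders
        return 0
    fi
    echo missing
    return 1
}

# check_running_kernel: live-system variant. Loads the kheaders module if
# present (needs root; failure is ignored) and then runs headers_status.
check_running_kernel() {
    if command -v modprobe >/dev/null 2>&1; then
        modprobe kheaders 2>/dev/null || true
    fi
    headers_status "$(uname -r)" ""
}

# Report for the kernel this script runs on; "missing" means kernel-devel
# (or linux-headers) for $(uname -r) should be installed before the eBPF
# sensor is expected to leave bypass.
check_running_kernel || echo "no headers for $(uname -r): install kernel-devel-$(uname -r) (RHEL) or linux-headers-$(uname -r) (Debian/Ubuntu)"
```

Run this on an endpoint listed in bypass before reinstalling the sensor: a result of `package` or `kheaders` means the header requirement is satisfied for the currently running kernel, which is the one that matters, since headers for a different kernel-devel version will not satisfy the check. On CentOS/RHEL 7, where the sensor uses its own kernel module, the result is informational only.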