Enterprise EDR: Why are Kernel-Devel Headers required on some Linux Distros?

Article ID: 287460


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Why are Kernel-Devel Headers required on some Linux Distros?

Environment

  • Enterprise EDR: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • Linux: All Supported Versions

Resolution

The newer Linux sensors use extended Berkeley Packet Filter (eBPF) technology to collect Enterprise EDR events. Building and loading the sensor's eBPF programs requires the headers for the running kernel, so the kernel-devel package (the kernel headers package on RHEL-family distributions) must be installed and must match the running kernel version.

Additional Information

  • Some Linux distributions build their kernel so that the headers are available through a special kernel module (the kheaders module, which exposes the headers as /sys/kernel/kheaders.tar.xz when the kernel was built with CONFIG_IKHEADERS). On those systems the kernel-devel package does not have to be installed.
  • CentOS/RHEL 7 uses the Carbon Black kernel module instead of eBPF.
  • A faulty kernel module can bring down the machine, whereas an eBPF program is checked by the kernel's verifier before it is loaded and cannot, which is why Carbon Black chose eBPF for kernels that support it.
  • LiveQuery/Live Response do not use eBPF and therefore do not require kernel-devel.
  • On the Endpoints page, search for sensors in bypass with the query sensorStates:"REMGR_INIT_ERROR" and verify that the kernel headers are installed on each device listed.
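The following shell script is an added example, not part of this article or of the Carbon Black sensor, that performs the check described above on a Linux host: it looks for a usable headers tree for the running kernel under /lib/modules/$(uname -r)/build (where both kernel-devel and the Debian-family linux-headers package install it) and, if that is missing, falls back to the kheaders module described in the first bullet. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example: verify that kernel headers usable by an eBPF-based sensor are
# present for the running kernel. Exit status 0 means headers were found.

# headers_dir_ok DIR: 0 if DIR looks like a kernel headers/build tree.
# A real tree has a top-level Makefile and a version.h (its location moved
# from include/linux/ to include/generated/uapi/linux/ in newer kernels).
headers_dir_ok() {
    dir="$1"
    [ -f "$dir/Makefile" ] || return 1
    [ -f "$dir/include/generated/uapi/linux/version.h" ] && return 0
    [ -f "$dir/include/linux/version.h" ] && return 0
    return 1
}

# kheaders_available: 0 if the kernel exposes its own headers via the
# kheaders module (CONFIG_IKHEADERS). modprobe needs root; failure is fine.
kheaders_available() {
    modprobe kheaders 2>/dev/null
    [ -r /sys/kernel/kheaders.tar.xz ]
}

# check_running_kernel_headers [KVER]: report where headers for KVER
# (default: the running kernel) come from, or how to fix their absence.
check_running_kernel_headers() {
    kver="${1:-$(uname -r)}"
    build="/lib/modules/$kver/build"
    if headers_dir_ok "$build"; then
        echo "OK: kernel headers for $kver at $build"
        return 0
    fi
    if kheaders_available; then
        echo "OK: kernel $kver provides its headers via /sys/kernel/kheaders.tar.xz"
        return 0
    fi
    echo "MISSING: no kernel headers for $kver." >&2
    echo "  RHEL family:   yum install kernel-devel-$kver" >&2
    echo "  Debian family: apt-get install linux-headers-$kver" >&2
    return 1
}

# Run the check when executed directly; pass a kernel version to check
# a kernel other than the running one.
check_running_kernel_headers "$@"
```

The version check matters: a kernel-devel package for a different release than the one currently booted leaves /lib/modules/$(uname -r)/build dangling, which is the common reason a sensor ends up in bypass even though "kernel-devel is installed".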