EDR: Unloading the Linux Sensor Module Fails

Article ID: 289549


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Message received when running `rmmod cbsensor`:
rmmod: ERROR: could not remove 'cbsensor': Device or resource busy

Environment

  • EDR Sensor: All Supported Versions
  • Linux: All Supported Versions

Cause

As of sensor 6.1.7, cbsensor requires that `rmmod` or similar calls that unload the cbsensor module be invoked twice to fully unload the module.

Resolution

  • Execute the command a second time after the error.
    • Example: `rmmod cbsensor`

Additional Information

  • The cbsensor detects if system call or LSM hooks have been modified since cbsensor loaded.
  • If these hooks have been modified, then cbsensor refuses to unload to prevent a kernel crash, and the EDR Sensor is not operational until the situation is resolved.
  • The first call to unload checks and restores the system call and LSM hooks, if it is safe to do so, and returns error EBUSY while it restores these hooks.
  • The second call succeeds if system calls and LSM hooks have not been modified since cbsensor was first loaded.
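
The two-call unload sequence described above, as an added shell example (not Carbon Black's own code). It also reports the case where the module is still loaded after the second call, which per this article means the hooks were modified after cbsensor loaded. `RMMOD` and `MODULES_FILE` are hypothetical overrides introduced here so the logic can be exercised without a real kernel module; the defaults are `rmmod` and `/proc/modules`.

```shell
#!/bin/sh
# Added example: unload cbsensor with the two-call sequence from this article.
# RMMOD and MODULES_FILE are hypothetical overrides (assumptions of this
# example); by default the real rmmod and /proc/modules are used.
: "${RMMOD:=rmmod}"
: "${MODULES_FILE:=/proc/modules}"

# Succeeds if the named module appears in the first field of the module list.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$MODULES_FILE"
}

# Returns 0 once cbsensor is no longer loaded, 1 if it is still loaded
# after two unload calls.
unload_cbsensor() {
    mod=cbsensor
    module_loaded "$mod" || { echo "$mod is not loaded"; return 0; }

    for attempt in 1 2; do
        # On sensor 6.1.7 and later the first call is expected to fail
        # with EBUSY while the sensor restores its hooks.
        if "$RMMOD" "$mod" 2>/dev/null; then rc=0; else rc=$?; fi

        # Trust the module list, not the exit status alone.
        if ! module_loaded "$mod"; then
            echo "$mod unloaded on attempt $attempt"
            return 0
        fi
        echo "attempt $attempt: rmmod exit $rc, $mod still loaded"
    done

    # Still loaded after the second call: per the article, the system call
    # or LSM hooks were modified after cbsensor loaded. Stop here and
    # investigate instead of retrying further.
    echo "$mod still loaded after two attempts; hooks may have been modified" >&2
    return 1
}
```

Run `unload_cbsensor` as root; a return code of 1 means the sensor refused to unload and needs investigation before any further attempts.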