Issue
We are attempting to install our VMware Carbon Black Cloud sensor, but we are not sure if we are running a supported version of the Linux kernel, and we're not sure if the correct Linux kernel headers are installed.
Environment
VMware Carbon Black Cloud
Resolution
Prior to installing the sensor, the underlying BPF implementation requires the Linux 4.4 kernel headers for the active kernel to be installed. However, some lower kernels are still supported without BPF integration, for the full list, please review the following articles:
Endpoint Standard Linux Sensor Supported Distributions and Kernel Versions
Enterprise EDR Linux Sensor Supported Distributions and Kernel Versions
To check the running kernel version, run:
- $ uname -r
For CentOS, RHEL, Oracle RHCK or Amazon Linux:
- To check whether the kernel headers are installed (any user can run this):
- $ yum list kernel-devel-$(uname -r)
- To install the necessary kernel headers:
- $ sudo yum install -y kernel-devel-$(uname -r)
- When properly installed, the required kernel headers are located under:
- $ /usr/src/kernels/$(uname -r)/include/
For Oracle UEK:
- To check whether the kernel headers are installed (any user can run this):
- $ yum list kernel-uek-devel-$(uname -r)
- To install the necessary kernel headers:
- $ sudo yum install -y kernel-uek-devel-$(uname -r)
- When properly installed, the required kernel headers are located under:
- $ /usr/src/kernels/$(uname -r)/include/
For SUSE/OpenSUSE:
- To check whether the kernel headers are installed (any user can run this):
- $ zypper se -s kernel-default-devel | grep $(uname -r | sed “s/-default//”) $ zypper se -s kernel-devel | grep $(uname -r | sed “s/-default//”)
- The output should be like the following, where the i+ signifies that the package is installed. If the left-hand column is v or is blank, the package must be installed.
- $ i+ kernel-default-devel | package | 4.12.14-lp150.12.25.1 | x86_64 | openSUSE-Leap-15.0-Update
- To install the necessary kernel headers:
- $ zypper install --oldpackage kernel-default-devel=$(uname -r | sed “s/-default//”) $ zypper install --oldpackage kernel-devel=$(uname -r | sed “s/-default//”)
- When properly installed, the required kernel headers are located under:
- $ /usr/src/linux-$(uname -r) | sed “s/-default//”)/include/ | grep -f
For Debian:
- To check whether the kernel headers are installed (any user can run this):
- $ apt list linux-headers-$(uname -r)
- To install the necessary kernel headers:
- $ sudo apt install linux-headers-$(uname -r)
- When properly installed, the required kernel headers are located under:
- $ /usr/src/linux-headers-/$(uname -r)/include/
For Ubuntu:
- To check whether the kernel headers are installed (any user can run this):
- $ apt list linux-headers-$(uname -r)
- To install the necessary kernel headers:
- $ sudo apt install linux-headers-$(uname -r)
- When properly installed, the required kernel headers are located under:
- $ /usr/src/linux-headers-/$(uname -r)/include/
Post installation:
After the kernel headers are installed, the installation process should be the same as installing a standard Linux sensor. That is, the “cb-psc-sensor-rhel-*.tgz” tarball should be downloaded, extracted, and the “install.sh” script is run with the company registration code.
Additional Notes
- A successful install will appear as follows:
- $ sudo ./install.sh '<COMPANY-CODE>'
1 Starting install of cbagentd at Thu Oct 8 09:52:46 EDT 2020.
2 Unpacking blade kit: cb-psc-lq-0.8.5510-5510-blade.tar.gz
3 Installing LiveQuery Blade
4 Unpacking blade kit: cb-psc-th-0.8.5578-5578-blade.tar.gz
5 Installing ThreatHunter Blade
6 Distribution CentOS Linux with a kernel version 4.18.0-193.14.2.el8_2.x86_64 on x86_64 architecture is supported
7 Installing agent from /<Installation Directory>/cb-psc-sensor-2.10.0-349553.el8.x86_64.rpm
8 Created symlink /etc/systemd/system/multi-user.target.wants/cbagentd.service → /usr/lib/systemd/system/cbagentd.service.
9 Registering agent against Carbon Black Cloud.
10 Successfully registered agent against Carbon Black Cloud. Success: agent was successfully installed.