IBM Support

QRadar EDR: The EDR Linux agent fails to start on some endpoints due to an eBPF probe loading issue.

Troubleshooting


Problem

EDR Linux agent versions 0.80.1, 0.81.0 and 0.82.0 fail to start on some endpoints because the eBPF probe does not load.

Symptom


The keeperx log traces show a long eBPF verifier dump (register state plus disassembled probe instructions) similar to the following:
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: from 1992 to 1993: R0=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=4,vs=197,imm=0) R8=inv(id=0,umin_value=77826,umax_value=4295098342,var_off=(0x0; 0x1ffffffff)) R9=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R10=fp0,call_-1 fp-88=map_value fp-96=map_value fp-104=map_value fp-112=ctx
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1993: (bf) r9 = r0
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1994: (67) r9 <<= 32
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1995: (c7) r9 s>>= 32
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1996: (b7) r1 = 2
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1997: (6d) if r1 s> r9 goto pc-1526
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: R0=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R1=inv2 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=4,vs=197,imm=0) R8=inv(id=0,umin_value=77826,umax_value=4295098342,var_off=(0x0; 0x1ffffffff)) R9=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R10=fp0,call_-1 fp-88=map_value fp-96=map_value fp-104=map_value fp-112=ctx
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1998: (bf) r2 = r8
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1999: (07) r2 += -1
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 2000: (57) r2 &= 131071
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 2001: (79) r1 = *(u64 *)(r10 -88)
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 2002: (0f) r1 += r2

Cause

This issue is caused by the Falco eBPF probe that the agent loads, which has a known issue on specific kernel versions (4.18 - 4.19). On those kernels the probe is rejected at load time, and the register-state dump shown under Symptom is the kernel eBPF verifier's output for that failure, so the agent never starts.

Environment

  • QRadar EDR Linux Agent 0.80.1, 0.81.0 and 0.82.0
  • The issue is currently reported on Debian kernel 4.19.0-2, RHEL 8 kernel 4.18.0-553.16.1 and Oracle Linux 8 kernel 4.18.0-553.8.1

Diagnosing The Problem

Verify the kernel version with the following command and check whether the release is a 4.18 or 4.19 kernel:
uname -a

Resolving The Problem

This issue is planned to be fixed in a future release. A temporary workaround is provided below:
  1. Install the prerequisite packages as described in the installation document, using the command that matches your distribution type.

    For DEB-based systems:
    sudo apt-get install --no-install-recommends curl dkms gcc linux-headers-$(uname -r) make
    
    For RPM-based systems:
    sudo yum install curl dkms gcc kernel-devel-$(uname -r) kernel-devel make
    • Important: On RPM-based systems, enable the Extra Packages for Enterprise Linux (EPEL) repository before you install dkms. For more information about enabling the EPEL repository, see Extra Packages for Enterprise Linux (EPEL).
       
  2. Use the following command to force use of the Falco kernel module (skipping the eBPF probe):
    sudo sh -c "echo FORCE_KMOD=1 >> /etc/reaqtahive.d/keeperx.env"
  3. Use the following command to load the unsigned module while ignoring the kernel taint state:
    sudo sh -c "echo KMOD_IGNORE_TAINT=1 >> /etc/reaqtahive.d/keeperx.env"
    
    Note: This step is only required for version 0.80.1 and is not necessary for versions 0.81.0 or 0.82.0.
     
  4. Restart the agent service:
    1. sudo systemctl reset-failed keeperx
    2. sudo systemctl restart keeperx
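The following script is an added example for this page and is not IBM's or ReaQta's own tooling. It covers the Symptom and Diagnosing sections (checking the kernel release against the 4.18/4.19 range and looking for the verifier dump in the keeperx journal) and steps 1 through 4 of the workaround, applied so that re-running it does not stack duplicate lines in the env file. It assumes the env file path given on this page; the agent version is passed in by the caller because the page does not document how to query it, and the package install and systemctl calls require root.

```shell
#!/bin/sh
# Added example, not IBM's or ReaQta's own tooling: diagnose the affected
# kernel range and the verifier dump, then apply the documented workaround.
# Assumptions (not from the page): the caller passes the agent version, and
# the script runs as root when it installs packages and restarts keeperx.
set -u

# Env file path as given on this page.
ENV_FILE="${ENV_FILE:-/etc/reaqtahive.d/keeperx.env}"

# 0 if a kernel release string (from "uname -r") is a 4.18 or 4.19 kernel,
# the range the page reports as affected; 1 otherwise.
kernel_is_affected() {
    rel="$1"
    major="${rel%%.*}"
    rest="${rel#*.}"
    minor="${rest%%.*}"
    case "$major.$minor" in
        4.18|4.19) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 if a log file (e.g. "journalctl -u keeperx" output) holds the eBPF
# verifier dump shown under Symptom: disassembled instruction lines such as
# "1993: (bf) r9 = r0" plus register-state lines such as "R0=inv(".
has_ebpf_verifier_dump() {
    log="$1"
    grep -Eq 'keeperx\[[0-9]+\]: [0-9]+: \([0-9a-f]{2}\) ' "$log" &&
        grep -Eq 'R[0-9]+=(inv|ctx|map_value|fp)' "$log"
}

# Append KEY=VALUE to the env file unless that exact line is already there,
# so re-running the workaround does not stack duplicate lines.
set_env_var() {
    file="$1"; line="$2"
    if [ -f "$file" ] && grep -qxF "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Steps 2 and 3: force the kernel module, and ignore the taint state only on
# agent 0.80.1, as the note under step 3 says.
apply_workaround() {
    version="$1"; file="$2"
    set_env_var "$file" "FORCE_KMOD=1"
    if [ "$version" = "0.80.1" ]; then
        set_env_var "$file" "KMOD_IGNORE_TAINT=1"
    fi
}

# Step 1: build prerequisites for the DKMS kernel module, chosen by package
# manager. On RPM-based systems EPEL must already be enabled for dkms.
install_prereqs() {
    if command -v apt-get >/dev/null 2>&1; then
        apt-get install -y --no-install-recommends curl dkms gcc \
            "linux-headers-$(uname -r)" make
    elif command -v yum >/dev/null 2>&1; then
        yum install -y curl dkms gcc "kernel-devel-$(uname -r)" make
    else
        echo "no supported package manager found" >&2
        return 1
    fi
}

main() {
    version="${1:?usage: $0 --apply AGENT_VERSION}"
    rel="$(uname -r)"
    if ! kernel_is_affected "$rel"; then
        echo "kernel $rel is not in the 4.18-4.19 range; workaround not needed" >&2
        return 1
    fi
    install_prereqs || return 1
    apply_workaround "$version" "$ENV_FILE"
    systemctl reset-failed keeperx   # step 4
    systemctl restart keeperx
}

# Act only when invoked as "--apply VERSION"; sourcing the file, or running it
# with no arguments, just defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    main "${2:-}"
fi
```

Run it as `sudo sh fix-keeperx-ebpf.sh --apply 0.80.1` (substitute the installed agent version). To confirm the symptom before changing anything, save the journal with `journalctl -u keeperx > /tmp/keeperx.log`, source the script, and call `has_ebpf_verifier_dump /tmp/keeperx.log`; an exit status of 0 means the verifier dump is present.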


Product Synonym

ReaQta

Document Information

Modified date:
08 December 2024

UID

ibm17148175