Troubleshooting
Problem
QRadar EDR Linux agent 0.80.1, 0.81.0 and 0.82.0 fail to start on some endpoints due to an eBPF probe loading issue.
Symptom
The log traces show a long eBPF verifier dump for the probe, similar to the following:
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: from 1992 to 1993: R0=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=4,vs=197,imm=0) R8=inv(id=0,umin_value=77826,umax_value=4295098342,var_off=(0x0; 0x1ffffffff)) R9=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R10=fp0,call_-1 fp-88=map_value fp-96=map_value fp-104=map_value fp-112=ctx
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1993: (bf) r9 = r0
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1994: (67) r9 <<= 32
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1995: (c7) r9 s>>= 32
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1996: (b7) r1 = 2
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1997: (6d) if r1 s> r9 goto pc-1526
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: R0=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R1=inv2 R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=4,vs=197,imm=0) R8=inv(id=0,umin_value=77826,umax_value=4295098342,var_off=(0x0; 0x1ffffffff)) R9=inv(id=0,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) R10=fp0,call_-1 fp-88=map_value fp-96=map_value fp-104=map_value fp-112=ctx
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1998: (bf) r2 = r8
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 1999: (07) r2 += -1
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 2000: (57) r2 &= 131071
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 2001: (79) r1 = *(u64 *)(r10 -88)
Nov 07 01:02:26 debian10.localdomain keeperx[32961]: 2002: (0f) r1 += r2
Cause
This issue is caused by the Falco eBPF probe, which has a known issue affecting specific kernel versions (4.18 - 4.19).
Environment
- QRadar EDR Linux Agent 0.80.1, 0.81.0 and 0.82.0
- Issue is currently reported in Debian kernel 4.19.0-2, RHEL 8 kernel 4.18.0-553.16.1 and Oracle Linux 8 kernel 4.18.0-553.8.1
Diagnosing The Problem
Verify the kernel version using the following command:
uname -a
Resolving The Problem
A fix is planned for a future release. A temporary workaround is provided below:
- Install the prerequisite packages as described in the installation document, using the command for your distribution type.
  For DEB-based systems:
  sudo apt-get install --no-install-recommends curl dkms gcc linux-headers-$(uname -r) make
  For RPM-based systems:
  sudo yum install curl dkms gcc kernel-devel-$(uname -r) kernel-devel make
- Important: Enable the Extra Packages for Enterprise Linux (EPEL) repository before you can install dkms. For more information about enabling the EPEL repository, see Extra Packages for Enterprise Linux (EPEL).
- Use the following command to force usage of the Falco kernel module (skipping the eBPF probe):
  sudo sh -c "echo FORCE_KMOD=1 >> /etc/reaqtahive.d/keeperx.env"
- Use the following command to load the unsigned module, ignoring the kernel taint state:
  sudo sh -c "echo KMOD_IGNORE_TAINT=1 >> /etc/reaqtahive.d/keeperx.env"
- Restart the agent service:
  sudo systemctl reset-failed keeperx
  sudo systemctl restart keeperx
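The kernel check and the two env-file settings from the workaround above, as an added example that is not part of the IBM document: it tests whether a kernel release string falls in the affected 4.18 - 4.19 range and writes FORCE_KMOD=1 and KMOD_IGNORE_TAINT=1 so that re-running it keeps exactly one line per key (repeating the echo >> commands appends duplicates). The KEEPERX_ENV_FILE override, the function names and the --apply flag are this example's own assumptions, not part of the agent.

```shell
#!/bin/sh
# Added example (not part of the IBM document). Checks whether the running
# kernel is in the affected 4.18 - 4.19 range and applies the workaround
# settings idempotently, so re-running it does not append duplicate lines to
# /etc/reaqtahive.d/keeperx.env the way a repeated "echo >>" would.

ENV_FILE="${KEEPERX_ENV_FILE:-/etc/reaqtahive.d/keeperx.env}"  # overridable for testing

# Returns 0 when the major.minor of the given kernel release (as printed by
# `uname -r`) is 4.18 or 4.19, the range the Falco eBPF probe issue affects.
kernel_is_affected() {
    mm=$(printf '%s' "$1" | cut -d. -f1,2)
    case "$mm" in
        4.18|4.19) return 0 ;;
        *) return 1 ;;
    esac
}

# set_env_var FILE KEY VALUE: ensure exactly one "KEY=VALUE" line in FILE,
# replacing an existing KEY= line if present, otherwise appending.
set_env_var() {
    file=$1; key=$2; value=$3
    if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Apply both workaround settings from the document to FILE.
apply_workaround() {
    set_env_var "$1" FORCE_KMOD 1          # use the Falco kernel module, skip the eBPF probe
    set_env_var "$1" KMOD_IGNORE_TAINT 1   # load the unsigned module despite kernel taint
}

# Count the lines in FILE that set KEY (used to verify idempotence).
count_key() {
    grep -c "^$2=" "$1" 2>/dev/null || true
}

if [ "${1:-}" = "--apply" ]; then
    if kernel_is_affected "$(uname -r)"; then
        apply_workaround "$ENV_FILE"
        systemctl reset-failed keeperx && systemctl restart keeperx
    else
        echo "kernel $(uname -r) is not in the affected 4.18 - 4.19 range; nothing to do"
    fi
fi
```

Run it as root with --apply on an affected endpoint; without the flag it only defines the functions, and the systemctl commands run only when the kernel matches.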
Document Location
Worldwide
Product Synonym
ReaQta
Document Information
Modified date:
08 December 2024
UID
ibm17148175