Depending on the Linux kernel version, the Carbon Black Cloud Linux sensor uses one of two mechanisms to monitor events.

  • On kernel versions less than 4.8 (for example, CentOS or RHEL 6.x or 7.x, SLE12SP3, or Ubuntu16), a kernel module is used.
  • On kernel versions equal to or greater than 4.8, the BPF feature is used.

In addition, different versions of the sensor may be required depending on the Linux kernel version. See Linux Operating Systems and Respective Sensors for reference.

Note:

You can check the kernel version by running the following command:

$ uname -r

Kernel Module-based Sensor

Secure Boot is not supported because the kernel module is not signed. Before installation, disable Secure Boot or sign the kernel module. Otherwise, the sensor enters bypass mode immediately after installation.

BPF-based Sensor

For the sensor’s underlying BPF implementation to work, one or more of the following are required:

  • The Linux kernel includes BTF format metadata, which newer kernels provide, and the sensor version is 2.15.0 or later.
  • The Linux kernel has BPF features enabled.
  • The Linux kernel headers associated with the running kernel are preconfigured.
  • The Linux kernel headers associated with the running kernel were manually installed.

We highly recommend that you install the sensor to determine whether the sensor's prerequisites have been met. During installation, the sensor checks BPF functionality and displays an error message if BPF is not functional.

After the sensor is successfully installed, check whether the BPF prerequisites are still met by running the following command:

$ /opt/carbonblack/psc/blades/E51C4A7E-2D41-4F57-99BC-6AA907CA3B40/bpf/event_collector -p

A "Successfully initialized BPF Program" message and an exit status of 0 indicate that the check was successful.

If the requirements are not met, you must go through relevant checks and remediation steps. See Check BPF-based Sensor Requirements and its associated topics.
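
The following pre-install check is an added example, not part of the sensor or its documentation. It selects the mechanism from the kernel release and, for BPF kernels, reports which of the listed conditions hold. The function names are hypothetical. The paths it reads (/sys/kernel/btf/vmlinux, /boot/config-<release>, /lib/modules/<release>/build) are the conventional kernel locations, and the use of mokutil for the Secure Boot state is an assumption about the host.

```shell
#!/bin/sh
# Added example: pre-install check for the conditions listed on this page.
# The /sys, /boot and /lib/modules paths are the conventional kernel
# locations; that the sensor inspects these same paths is an assumption.

# sensor_mechanism RELEASE -> prints "kmod" (kernel < 4.8) or "bpf" (>= 4.8)
sensor_mechanism() {
    ver=${1%%-*}                       # 3.10.0-1160.el7.x86_64 -> 3.10.0
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) echo "unknown"; return 1 ;; esac
    done
    # Compare numerically: as strings, 4.15 would sort before 4.8.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 8 ]; }; then
        echo "kmod"
    else
        echo "bpf"
    fi
}

# bpf_prereqs ROOT RELEASE -> prints the BPF conditions that hold under ROOT
# (ROOT is "" on a live host, a directory prefix for testing).
bpf_prereqs() {
    root=$1 rel=$2 met=""
    [ -r "$root/sys/kernel/btf/vmlinux" ] && met="$met btf"
    grep -qs '^CONFIG_BPF_SYSCALL=y' "$root/boot/config-$rel" && met="$met bpf_config"
    [ -e "$root/lib/modules/$rel/build/include" ] && met="$met headers"
    echo "${met# }"
    [ -n "$met" ]                      # the page requires one or more
}

check_host() {
    rel=$(uname -r)
    mech=$(sensor_mechanism "$rel") || mech=unknown
    echo "kernel $rel -> $mech"
    case $mech in
        kmod) # unsigned module: Secure Boot must be off or the module signed
            { command -v mokutil >/dev/null 2>&1 && mokutil --sb-state; } ||
                echo "Secure Boot state unavailable (mokutil missing or failed)" ;;
        bpf)
            found=$(bpf_prereqs "" "$rel") || found="none"
            echo "BPF conditions met: $found (btf also needs sensor 2.15.0+)" ;;
    esac
    return 0
}
check_host
```

This check only narrows down what to expect before installation; the installer's own BPF test and the event_collector -p command above remain the authoritative result.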