Carbon Black EDR 7.3.0 | 26 APRIL 2024 | Build 7.3.0.92366
Check for additions and updates to these release notes.
Carbon Black EDR Linux Sensor 7.3.0 is a Minor release that introduces:
Support of network isolation and isolation exclusions on operating systems that leverage the Extended Berkeley Packet Filter (eBPF)
Persistence of network isolation through the sensor losing connectivity with Carbon Black EDR Server
Support of Federal Information Processing Standards (FIPS) 140-2 enforcement
Bug fixes and other small enhancements
For more information, see What's New and Resolved Issues.
Network Isolation on eBPF-based OS
VMware Carbon Black EDR Linux Sensor 7.3.0 introduces support of the Isolate feature - the ability to isolate an endpoint from the network - on supported eBPF-based operating systems, which include Linux Kernel 4.4+:
RHEL/Oracle RHCK 7.0+
CentOS 8.0+
SUSE 12.0+
Ubuntu 18.04+
Network Isolation Exclusions on eBPF-based OS
VMware Carbon Black EDR Linux Sensor 7.3.0 introduces support of the Isolation Exclusions feature - the ability to enforce IP-based or URL-based exclusions to isolation state when an endpoint is isolated from the network - on supported eBPF-based operating systems, which include Linux Kernel 4.4+:
RHEL/Oracle RHCK 7.0+
CentOS 8.0+
SUSE 12.0+
Ubuntu 18.04+
FIPS 140-2 Support
The Federal Information Processing Standards (FIPS) Publication 140-2 is a U.S. government standard that defines the minimum security requirements of cryptographic modules used in information technology products. VMware Carbon Black EDR Linux Sensor 7.3.0 introduces the ability to run the sensor in FIPS 140-2 enabled mode on a FIPS-enabled endpoint to comply with FIPS 140-2 requirements.
Note:
FIPS 140-2 support has been validated on supported versions of RHEL, CentOS, and SUSE and on Ubuntu 18.04 and 20.04
FIPS 140-2 support has not been validated on supported versions of Oracle RHCK Linux or on Ubuntu 22.04. Ubuntu 22.04 has some known issues related to FIPS 140-2 support, which are unrelated to the EDR Linux Sensor.
However, Linux Sensor 7.3.0 may function properly on an Oracle RHCK Linux endpoint with FIPS 140-2 enabled.
For a list of FIPS-supported sensors, see Linux Operating Systems and Respective Sensors.
Enablement instructions:
To enable FIPS 140-2 on the sensor, confirm that FIPS 140-2 mode is enabled on the system. The sensor will automatically adopt the system-wide FIPS mode. There is no distinct sensor configuration to enable or disable FIPS.
Here is an example of how to enable FIPS 140-2 mode on a RHEL 8 or 9 system:
1. Log in as root and run the following command:
    fips-mode-setup --check
   The following message displays if FIPS mode is enabled:
    FIPS mode is enabled.
2. If FIPS mode is not enabled, run the following command:
    fips-mode-setup --enable
3. Reboot.
4. Rerun the following command:
    fips-mode-setup --check
5. Confirm the following message displays:
    FIPS mode is enabled.
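The enablement check above, extended as an added example (not VMware or Carbon Black code): it compares the kernel's own FIPS flag with the fips-mode-setup message, so the result also covers distributions that do not ship that tool. The function names and verdict strings are assumptions made for this example; /proc/sys/crypto/fips_enabled is the standard kernel flag file.

```shell
#!/bin/sh
# Added example: confirm system-wide FIPS mode from two independent views.

# Kernel view: the flag file holds 1 when the running kernel is in FIPS mode.
kernel_fips_state() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$flag_file")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Tool view: only the exact message quoted in the release notes counts as
# enabled; empty output means the tool was not available on this system.
tool_fips_state() {
    case "$1" in
        *"FIPS mode is enabled."*) echo enabled ;;
        "") echo unknown ;;
        *) echo disabled ;;
    esac
}

# Combine both views. $1 = flag file path, $2 = fips-mode-setup --check output.
fips_verdict() {
    kernel=$(kernel_fips_state "$1")
    tool=$(tool_fips_state "$2")
    case "$kernel/$tool" in
        enabled/enabled) echo ready ;;
        enabled/unknown) echo kernel-only ;;
        disabled/disabled|disabled/unknown) echo not-enabled ;;
        unknown/disabled|unknown/unknown) echo not-enabled ;;
        *) echo inconsistent ;;
    esac
}

# Run against the live system only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    out=""
    if command -v fips-mode-setup >/dev/null 2>&1; then
        out=$(fips-mode-setup --check 2>&1 || true)
    fi
    fips_verdict /proc/sys/crypto/fips_enabled "$out"
fi
```

A verdict of inconsistent means the kernel flag and the tool disagree, which is worth resolving before treating the endpoint as FIPS-enabled for the sensor.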
Carbon Black EDR sensors operate with multiple operating systems. For the current list of supported operating systems, see Linux Operating Systems and Respective Sensors.
This document provides information for users who are upgrading to Carbon Black EDR Linux Sensor 7.3.0 from previous versions and users who are new to Carbon Black EDR. This document supplements other Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
Warning: EDR Linux Sensors versions 7.x do not support EL6 distros (RHEL/CentOS 6.x). Attempting to upgrade EL6 endpoints will result in a failed upgrade and the sensor will be offline.
To install the new sensor:
1. Set your yum repo appropriately: modify /etc/yum.repos.d/CarbonBlack.repo with the appropriate baseurl, if needed.
    baseurl=https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/
2. Clear the yum cache.
    yum clean all
3. Download the installer.
   Substitute the cb-linux-sensor-installer name for cb-linux-sensor-installer-7.3.0.92366-1.noarch.
   The <package local download directory> is a directory such as /tmp.
   Run the following command to download the installer:
    yum install --downloadonly --downloaddir=<package local download directory> <package>
4. Change your directory to the <package local download directory> from Step 3.
5. Run the following command to install the package:
    rpm -i --force <package>
   (current package to use: cb-linux-sensor-installer-7.3.0.92366-1.noarch)
6. Run the following command to make the new installation package available in the server console:
    /usr/share/cb/cbcheck sensor-builds --update
Note: Within the Upgrade Policy section of Sensor Group settings, if the Automatically upgrade to the latest version setting is enabled for Linux sensors, the Linux sensors in that group will automatically upgrade to this new version.
The new sensor versions should now be available via the console. If the following warning occurs:
warning: /tmp/cb-linux-sensor-installer-7.3.0.92366-1.noarch: Header V4 RSA/SHA1 Signature, key ID 6ac57704: NOKEY
Refer to this Knowledge Base Article: How to provide public key for Linux sensor package.
For any other issues, see Contacting Support.
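When the NOKEY warning above appears, the missing signing key can be identified before the package is trusted. This added example (not part of the original release notes or any vendor tooling) extracts the key ID from the warning and looks for it in the output of rpm -q gpg-pubkey; the function names and the sample keyring listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify which signing key rpm reports as missing.

# Print the key ID from an rpm NOKEY warning line, lowercased; empty if none.
nokey_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*key ID \([0-9A-Fa-f]\{8,16\}\): NOKEY.*/\1/p' |
        tr 'A-F' 'a-f'
}

# Succeed if key ID $1 appears in $2, the output of "rpm -q gpg-pubkey".
# rpm names imported keys gpg-pubkey-<last 8 hex digits of key ID>-<creation time>.
key_in_keyring() {
    short=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/')
    printf '%s\n' "$2" | grep -q "^gpg-pubkey-${short}-"
}

# Turn a warning line plus a keyring listing into an action for the operator.
signature_advice() {
    id=$(nokey_id "$1")
    if [ -z "$id" ]; then
        echo "no-nokey-warning"
    elif key_in_keyring "$id" "$2"; then
        echo "key-present:$id"
    else
        echo "import-key:$id"
    fi
}

# Warning text as quoted in the release notes.
SAMPLE_WARNING='warning: /tmp/cb-linux-sensor-installer-7.3.0.92366-1.noarch: Header V4 RSA/SHA1 Signature, key ID 6ac57704: NOKEY'
# Constructed keyring listing (placeholder entry, not a real key).
SAMPLE_KEYRING='gpg-pubkey-0000aaaa-5f000000'

# Check the live rpm keyring only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    keyring=$(rpm -q gpg-pubkey 2>/dev/null || true)
    signature_advice "$SAMPLE_WARNING" "$keyring"
fi
```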
CB-38504, EA-22572: Network Isolation does not work on eBPF-based operating systems
CB-44065: Banned hash is still banned when BanningEnabled=false
When a hash is banned but the Carbon Black EDR Server configuration setting BanningEnabled=false (controlled via cb.conf file or the Process Banning setting in the Advanced section of Sensor Group settings), the hash is still banned and the associated process is still blocked/terminated on endpoints in that Sensor Group, when they should not be.
CB-30175: Custom TLS Certificate
Proxy setting in sensorsettings.ini will not work with a custom TLS certificate.
CB-18158: Oracle UEK
Oracle UEK is not supported. The RHCK kernel must be installed prior to installing cbsensor on Oracle Linux.
CB-17033: Installation Directory
This version of the Linux Sensor Installer does not respect the specification of a non-default installation directory in cb.conf on the server – the default directory is always used.
CB-6623: ICMP Traffic
ICMP traffic is still allowed when a sensor is isolated.
CB-37627: Downgrades from 7.2.0-lnx to 6.x.x-lnx
Downgrades from 7.x.x-lnx to 6.x.x-lnx will require manual deinstallation of 7.x.x-lnx and installation of 6.x.x-lnx due to extensive architectural changes introduced in 7.0.0-lnx.
CB-37628: Downgrades from 7.1.0-lnx w/Kernel > 4.x
Downgrades from 7.1.x-lnx on systems running with a kernel version greater than 4.x to any previous sensor version will require manual cleanup of sensor packages.
Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.
Use one of the following channels to request support or ask support questions:
Web: User Exchange
Email: [email protected]
Phone: 877.248.9098
Reporting Problems
When contacting Broadcom Carbon Black Technical Support, provide the following required information:
Contact: Your name, company name, telephone number, and email address
Product version: Product name (VMware Carbon Black EDR server and sensor versions)
Hardware configuration: Hardware configuration of the VMware Carbon Black EDR server (processor, memory, and RAM)
Document version: For documentation issues, specify the version and/or date of the manual or document you are using
Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
Problem Severity: Critical, serious, minor, or enhancement request
Note: Before performing an upgrade, Carbon Black recommends you review related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.