This section describes places how to verify a Linux sensor installation.
| Path | Description |
|---|---|
| /etc/init.d/cbdaemon |
Sensor daemon script |
| /usr/sbin/cbdaemon | Sensor daemon executable |
| /lib/modules/$(uname -r)/kernel/lib/cbsensor.ko | Sensor kernel module (6.1.x) |
| /opt/carbonblack/response/modules/cbsensor.ko | Sensor kernel module (6.2.x) |
| /etc/sysconfig/modules/cbsensor.modules | Kernel autostart file |
| /opt/cbsensor/sensordiag.sh | Sensor diagnostics file (6.1.x) |
| /opt/carbonblack/response/bin/sensordiag.sh | Sensor diagnostics file (6.2.x) |
| /opt/cbsensor/sensoruninstall.sh | Sensor uninstall file (6.1.x) |
| /opt/carbonblack/response/bin/sensoruninstall.sh | Sensor uninstall file (6.2.x) |
| /var/lib/cb/config.ini | Configuration file (6.1.x) |
| /var/opt/carbonblack/response/config.ini | Configuration file (6.2.x) |
| /var/lib/cb/sensorsettings.ini | Settings file (6.1.x) |
| /var/opt/carbonblack/response/sensorsettings.ini | Settings file (6.2.x) |
- To verify that the sensor daemon is running, issue the following command:
pidof cbdaemon
Exactly one PID should be returned.
- To verify that the sensor kernel module is running, issue this command:
If the sensor kernel module is running, the output should show one item.
lsmod | grep cbsensor
Note: Verification for RHEL8.x/SUSE/Ubuntu:
- A /usr/sbin/cb_ebpftool directory contains pertinent files.
- No /lib/modules/`uname -r`/kernel/lib/cbsensor.ko file exists because there is no kernel module.
- No /etc/init.d/cbdaemon exists; instead, there are /etc/systemd/system/ {cbdaemon.service,cbebpfdaemon.service,cbkernelupdate.service}
- No cbsensor module is loaded.
To check if the sensor is installed correctly, issue this command:
rpm -qa cbsensor
If the sensor is installed, a single line displays the version and build numbers. For example: cbsensor-v6.2.0.60603-1.x86_64
For RHEL8.x/SUSE/Ubuntu the kernel header package matching the running kernel must also be installed. The install will attempt to install this package if it is not already installed; however this can fail if, for example, the repository is not set up.
On RHEL 8.x, search for this with (rpm -qa | grep kernel-debug-devel).
On SUSE, search for the kernel header package with (rpm -qa | grep kernel-devel).
