Linux <so.home.bogus.net> 3.10.0-1160.53.1.el7.x86...
# general
t
Linux so.home.bogus.net 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
a
Just noticed the kernel version is here, sorry! Can you try the auto-generated package from the CI on my PR? https://github.com/osquery/osquery/pull/7378
linux_unsigned_release_rpm
Alternatively: you can disable BPF from your current installation
t
Heh. Well, I want to test eBPF on this kernel 🙂
Unsure where I am to get the rpm?
a
You can find them in the following page, scrolling down: https://github.com/osquery/osquery/actions/runs/1814621224
If they are not visible, you probably have to log into your GitHub account
šŸ‘ 1
t
Ah duh. My mouse was captured in the hosted_runners.yml area of the page and didn't want to scroll down. I blame covid.
Same result:
Feb 17 15:01:28 so osqueryd: osqueryd started [version=5.2.2-4-g9f7dcb4ee]
Feb 17 15:01:30 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map
Feb 17 15:01:32 so osqueryd: W0217 15:01:32.013586 23935 watcher.cpp:601] osqueryd worker respawning too quickly: 1 times
Feb 17 15:01:40 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map
Feb 17 15:01:42 so osqueryd: W0217 15:01:42.018976 23935 watcher.cpp:601] osqueryd worker respawning too quickly: 2 times
Feb 17 15:01:51 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map
Feb 17 15:01:54 so osqueryd: W0217 15:01:54.022825 23935 watcher.cpp:601] osqueryd worker respawning too quickly: 3 times
Feb 17 15:02:08 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map
Feb 17 15:02:10 so osqueryd: W0217 15:02:10.026259 23935 watcher.cpp:601] osqueryd worker respawning too quickly: 4 times
Feb 17 15:02:31 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map
Feb 17 15:02:34 so osqueryd: Too many worker restarts
Feb 17 15:02:34 so osqueryd: E0217 15:02:34.030128 23935 shutdown.cpp:79] Too many worker restarts
😕
a
Ok so this build should actually work there; is it being run as root?
There's also a chance that the memory settings are too high
t
I did a systemctl restart osqueryd (as root). I can increase the memory of the VM and see if that helps? 64G?
a
There's also a small note about VMware Fusion, if that's the hypervisor being used
t
Yeah, I have it running on hosts with newer kernels just fine. I am just interested in having it run on this 3.10 kernel as I have some prod hosts running that.
I am using proxmox here at home.
a
How are the following flags set?
• bpf_perf_event_array_exp
• bpf_buffer_storage_size
How many possible CPUs are reported?
cat /sys/devices/system/cpu/possible
And, do they match the number of CPUs that are currently online?
cat /sys/devices/system/cpu/online
t
cat /sys/devices/system/cpu/online
0-5
cat /sys/devices/system/cpu/possible
0-5
I've not made specific references to either bpf_perf_event_array_exp or bpf_buffer_storage_size in the flags file (on any of my hosts).
i.e. these options are not set and I presume defaults when --enable_bpf_events=true is passed
a
how much memory is available on the VM?
t
KiB Mem : 65807732 total, 44042236 free, 13285972 used, 8479524 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 51979476 avail Mem
a
Uhm, any chance it could be SELinux related?
t
Good question. This is SecurityOnion, so not a wild guess. I've temporarily put it into Permissive mode.
I got the following now:
Feb 17 15:43:18 so osqueryd: osqueryd started [version=5.2.2-4-g9f7dcb4ee]
Feb 17 15:43:41 so kernel: Could not insert probe at sys_execveat+0: -2
But no shutdown message so far.
I also got these:
Feb 17 15:43:43 so osqueryd: I0217 15:43:43.824308 17125 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
Feb 17 15:43:43 so osqueryd: I0217 15:43:43.827373 17125 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
Feb 17 15:43:43 so osqueryd: I0217 15:43:43.827664 17125 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
Yep. I can query the table via fleetdm.
"the table" == bpf_process_events
Thanks for your help! Wonder where I can find out how to have SELinux enabled as well as a functioning osqueryd+ebpf.
a
If you enable auditd (and disable the audit publisher in osquery),
it will log the errors in the auditd.log file under /var/log.
The SELinux tools can then scan it to create the rules required to fix it.
t
Works, thanks 🙂
$ cat osqueryd_unconfined_service.te
module osqueryd_unconfined_service 1.0;

require {
    type unconfined_service_t;
    class bpf { map_create map_read map_write prog_load prog_run };
}

#============= unconfined_service_t ==============
allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };
appears to be enough 🙂