
Build failures on Fedora

alexhaydock opened this issue 3 years ago · 3 comments

Hi!

Thanks for making this available.

I'm trying to build this for Fedora but I'm hitting some roadblocks with the TextTransform aspects of the make process.

Build result from current master c3ba9694fe352a1253c4d3dfe1fa6e07ea181b94:

STEP 24/24: RUN make
[  1%] Building C object CMakeFiles/checkEBPFsizes.dir/checkEBPFsizes/checkEBPFsizes.c.o
[  2%] Linking C executable checkEBPFsizes
[  2%] Built target checkEBPFsizes
[  3%] Extracting sysmonmsgop.man.utf16
Parameter has too many values: !!version!internal
make[2]: *** [CMakeFiles/sysmonLogView.dir/build.make:102: sysmonmsgop.man.utf16] Error 255
make[1]: *** [CMakeFiles/Makefile2:156: CMakeFiles/sysmonLogView.dir/all] Error 2
make: *** [Makefile:91: all] Error 2
Error: error building at STEP "RUN make": error while running runtime: exit status 2

I tracked down the line within CMakeLists.txt that relates to sysmonmsgop.man.utf16 and noticed it was updated recently by commit a7844a09aa624d34bd76c78da9b28ba270698583. With that in mind, I tried checking out and building the prior commit (c3ba9694fe352a1253c4d3dfe1fa6e07ea181b94) but that resulted in a different error:

STEP 25/25: RUN make
[  1%] Building C object CMakeFiles/checkEBPFsizes.dir/checkEBPFsizes/checkEBPFsizes.c.o
[  2%] Linking C executable checkEBPFsizes
[  2%] Built target checkEBPFsizes
[  3%] Extracting sysmonmsgop.man.utf16
/usr/lib/monodevelop/AddIns/MonoDevelop.TextTemplating/TextTransform.exe: /usr/lib/monodevelop/AddIns/MonoDevelop.TextTemplating/TextTransform.exe: cannot execute binary file
make[2]: *** [CMakeFiles/sysmonLogView.dir/build.make:102: sysmonmsgop.man.utf16] Error 126
make[1]: *** [CMakeFiles/Makefile2:156: CMakeFiles/sysmonLogView.dir/all] Error 2
make: *** [Makefile:91: all] Error 2
Error: error building at STEP "RUN make": error while running runtime: exit status 2

I'm no expert with either TextTransform or Mono, so I'm not entirely sure what's going on here that I might be able to fix. If we take the error message at face value, there are too many values in the !!version!internal parameter being fed to TextTransform, maybe by this line?:

https://github.com/Sysinternals/SysmonForLinux/blob/b3098b7123f845d7932b65d46907626db7b7033b/CMakeLists.txt#L398

For debug purposes, I've produced a Dockerfile which should reliably reproduce the issue when executed with docker build or podman build:

FROM registry.fedoraproject.org/fedora:35 as buildbin

# Prereqs
RUN dnf install -y clang cmake elfutils-libelf-devel g++ gcc git gtest-devel json-glib-devel libxml2-devel llvm mono-devel monodevelop-devel

# Clone SysinternalsEBPF source
RUN git clone https://github.com/Sysinternals/SysinternalsEBPF.git /tmp/SysinternalsEBPF
RUN mkdir /tmp/SysinternalsEBPF/build
WORKDIR /tmp/SysinternalsEBPF/build

# Checkout a consistent commit for reproducibility
RUN git checkout 26a5cef40713c29f2fdb16f43cc80afa3a15c402

# Build SysinternalsEBPF
RUN cmake ..
RUN make

# Install SysinternalsEBPF
RUN make install

# Clone SysmonForLinux source
RUN git clone --recurse-submodules https://github.com/Sysinternals/SysmonForLinux.git /tmp/SysmonForLinux
RUN mkdir /tmp/SysmonForLinux/build
WORKDIR /tmp/SysmonForLinux/build

# Checkout a consistent commit for reproducibility
RUN git checkout c3ba9694fe352a1253c4d3dfe1fa6e07ea181b94

# Build SysmonForLinux
RUN cmake ..
RUN make

alexhaydock · Feb 25 '22 16:02

Thanks for reporting this. I've tagged it as a bug and it will be included in our backlog.

MarioHewardt · Mar 21 '22 15:03

Thanks for following up on this!

Just for clarity: although I'm interested in running Sysmon on Fedora generally, the main driving force behind this ticket is that I submitted an RFE to Red Hat requesting the possibility of including the Sysmon package in the official repos for RHEL 8, but one of the prerequisites to be considered for inclusion is that the package exist in Fedora. So I'm trying to do that work upstream first.

I know you produce your own packages for RHEL, but for environments which have compliance requirements regarding third-party package sources, it would be highly useful for Sysmon to be a native Red Hat maintained package.

Inclusion into RHEL 9 may be a bit easier as the direct contribution path exists via CentOS Stream now so I will explore that too.

alexhaydock · May 13 '22 08:05

Thanks for looking into getting Sysmon in the official RHEL 8 repos! There are a few other issues on the backlog I have to sort through first but will get back to this as soon as possible.

MarioHewardt · May 13 '22 15:03

I've made some changes in this part of the build (removing the dependency on Mono and using a different transform). Can you try it and see if that fixed the issue you were encountering?

MarioHewardt · Mar 13 '23 15:03

Closing for now. Please reopen if the issue persists with the latest changes.

MarioHewardt · Mar 16 '23 20:03