sysmon.service won't start because of libbpf issue

[luffynextgen]

OS and Sysmon version Info

CentOS 8.2.2004 Kernel Version 4.18.0-193.19.1.el8_2.x86_64 sysmonforlinux-1.0.2-1.x86_64 packages-microsoft-prod-1.0.1.noarch

Error printed

When using sysmon -accepteula -i

• Job for sysmon.service failed because the control process exited with error code
• Details in service status:

The issue seems to come from sysinternalsEPBF. The package was downloaded from the yum repository.

Note

sysmonforlinux works well on CentOS 8.1.1911 (Core) with kernel 4.18.0-147.5.1.el8_1.x86_64 EDIT: I tried to restart the sysmon service on the server it was working, and now it won't restart:

   1. first the error I had was about  libsysinternalsEBPF.so that was not found, I had to recompile it to solve this issue
   2. Once the library was recompiled and found, now sysmon can't find sysinternalsEBPFrawSock.o program
   sysinternalsEBPFrawSock.o program is well located in  /opt/sysinternalsEBPF/ but sysmon can't find it:
   
   Apr 12 16:18:32 server01 sysmon[222692]: Using EBPF object: .//sysmonEBPFkern4.17-5.1.o
   Apr 12 16:18:34 server01 sysmon[222692]: ERROR: failed to locate program: /opt/sysinternalsEBPF/sysinternalsEBPFrawSock.o 'Invalid argument'
   Apr 12 16:18:34 server01 sysmon[222692]: ERROR: failed to enable raw socket capture
   Apr 12 16:18:34 server01 sysmon[222692]: Telemetry failed to start: Raw socket program could not be attached

[anforcer]

Almost samething with Debian OS - sysmon service doesnt start. My specification:

OS: Debian 10.12.0 Kernel: Linux 4.19.0-20-amd64 sysmonforlinux-1.0.2

sysmon service status error:

sysmon accepteula:

[luffynextgen]

On the CentOS server 8.1.1911 (Core) with kernel 4.18.0-147.5.1.el8_1.x86_64, I update sysmon to version 1.0.2-1 This updates give the same math issue as the one on the CentOS 8.2.2004 Server or by @anforcer with the Debian server.

Kind regards,

[BDH-Granicus]

FWIW I'm having same experiments with other OS - Fedora 34 worked no issues for me but RHEL8.4 and then an upgrade to RHEL8.5 encountered same problems (I tried an install of both sysmon and sysinternalsebpf 1.0.0-1 - different error but won't install) This is from the RHEL8.5 installing latest sysmon.

[raomin]

Hi @kesheldr, Sorry for the direct tagging... Can you provide some hints for solving this issue? Thanks in advance!

[MarioHewardt]

It looks like the verifier is having problems verifying the eBPF program. We'll add this to our backlog to look into.

[BDH-Granicus]

Thanks @MarioHewardt

[raomin]

Thanks for your support @MarioHewardt. Any plan on a release date for this?

[MarioHewardt]

Sorry for the delay. I'm working on some high priority release related work items at the moment. Once done, investigating these RHEL/CentOS issues will be up next.

[raomin]

Hello @MarioHewardt, this is still preventing us from deploying Sysmon on our linux servers. Would you have an idea on when we can expect a solution? Thanks!

[MarioHewardt]

I'm still working on some other work items. I will update everyone as soon as I know more. Thanks for the patience.

[MarioHewardt]

Closing as I've pushed a fix that should resolve the issue. If you encounter it again, please reopen. You may have to run getOffsets (https://github.com/Sysinternals/SysinternalsEBPF/tree/main/getOffsets) to get this to work on CentOS8.

Please note that you will have to build Sysmon until we get new packages out.