Problem with Endpoint Security Initiation

Patryk_Ostrowski · October 12, 2022, 8:24am

Hello, I'm trying to initialize Security Endpoint on a Linux Ubuntu 20.04.4 LTS. After that I had a 13 problems for example: "Configure File Events Failure enabling file events; current state is disabled". I tried to diagnose the problem and found:

./elastic-agent status

Status: DEGRADED
Message: app endpoint-security--8.4.2-8ff7857f: Protecting with policy {3de02602-0086-4935-99c7-13141468ea06}
Applications:
  * filebeat               (HEALTHY)
                           Running
  * filebeat_monitoring    (HEALTHY)
                           Running
  * metricbeat_monitoring  (HEALTHY)
                           Running
  * endpoint-security      (DEGRADED)
                           Protecting with policy {3de02602-0086-4935-99c7-13141468ea06}
  * metricbeat             (HEALTHY)
                           Running

./elastic-agent diagnostics

  *  name: endpoint-security      route_key: default
     error: Get "http://unix/": dial unix /opt/Elastic/Agent/data/tmp/default/endpoint-security/endpoint-security.sock: connect: no such file or directory

Logs from: cat endpoint-000000.log | grep error

{"@timestamp":"2022-10-12T07:35:37.084461884Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":312,"name":"SystemLib.cpp"}}},"message":"SystemLib.cpp:312 Failed to stat device [/dev/loop3]","process":{"pid":1352223,"thread":{"id":1352223}}}
{"@timestamp":"2022-10-12T07:35:37.08508799Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":312,"name":"SystemLib.cpp"}}},"message":"SystemLib.cpp:312 Failed to stat device [/dev/loop3]","process":{"pid":1352223,"thread":{"id":1352223}}}
{"@timestamp":"2022-10-12T07:35:37.090775618Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":2876,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:2876 Failed to download artifact diagnostic-configuration-v1 - Invalid url","process":{"pid":1352223,"thread":{"id":1352223}}}
{"@timestamp":"2022-10-12T07:35:37.090803332Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":646,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:646 Artifact diagnostic-configuration-v1 download or verification failed","process":{"pid":1352223,"thread":{"id":1352223}}}
{"@timestamp":"2022-10-12T07:35:37.114191714Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":240,"name":"Tux_HostIsolation.cpp"}}},"message":"Tux_HostIsolation.cpp:240 Failed to mount bpf fs at /sys/fs/bpf: error 13","process":{"pid":1352223,"thread":{"id":1352235}}}
{"@timestamp":"2022-10-12T07:35:37.115493153Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":106,"name":"Internal.cpp"}}},"message":"Internal.cpp:106 sqlite3_prepare_v2 failed: rc=1, msg=SQL logic error","process":{"pid":1352223,"thread":{"id":1352223}}}
{"@timestamp":"2022-10-12T07:35:37.163894839Z","agent":{"id":"00000000-0000-0000-0000-000000000000","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":431,"name":"Comms.cpp"}}},"message":"Comms.cpp:431 No valid comms client configured","process":{"pid":1352223,"thread":{"id":1352223}}}
{"@timestamp":"2022-10-12T07:36:00.957014714Z","agent":{"id":"f1431890-4d3a-42dc-b8f1-44693292530a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":2138,"name":"Config.cpp"}}},"message":"Config.cpp:2138 Initial configuration application failed","process":{"pid":1352223,"thread":{"id":1352305}}}
{"@timestamp":"2022-10-12T07:36:00.957748606Z","agent":{"id":"f1431890-4d3a-42dc-b8f1-44693292530a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":288,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:288 Failed to apply new policy from Agent.","process":{"pid":1352223,"thread":{"id":1352305}}}
{"@timestamp":"2022-10-12T07:40:39.004336797Z","agent":{"id":"f1431890-4d3a-42dc-b8f1-44693292530a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":2145,"name":"Config.cpp"}}},"message":"Config.cpp:2145 Policy failed to apply and rollback is disabled","process":{"pid":1352223,"thread":{"id":1352232}}}
{"@timestamp":"2022-10-12T07:49:33.659408762Z","agent":{"id":"f1431890-4d3a-42dc-b8f1-44693292530a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":2145,"name":"Config.cpp"}}},"message":"Config.cpp:2145 Policy failed to apply and rollback is disabled","process":{"pid":1352223,"thread":{"id":1352305}}}
{"@timestamp":"2022-10-12T07:49:33.661166658Z","agent":{"id":"f1431890-4d3a-42dc-b8f1-44693292530a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":288,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:288 Failed to apply new policy from Agent.","process":{"pid":1352223,"thread":{"id":1352305}}}

Nick_Berlin · October 12, 2022, 1:20pm

Thanks for all the initial triage work. The line above notes that permission was denied when attempting to mount the bpf filesytem. I wonder if the system is in a restrictive lockdown posture.

What's the output of :

$ cat /sys/kernel/security/lockdown

We support up to the integrity restriction level. confidential disables insertion of kprobes, ebpf, etc.

If lockdown is not in integrity (or lesser) mode we will need to do more digging. In that case, the full endpoint logs could be helpful. Also, enabling debug logging and recapturing logs could also be helpful.

I'm happy to provide a private upload link over DM for log files.

Patryk_Ostrowski · October 13, 2022, 6:42am

Thanks for anserw.

cat /sys/kernel/security/lockdown 
cat: /sys/kernel/security/lockdown: No such file or directory

How can I attach log files?

Patryk_Ostrowski · October 18, 2022, 11:18am

Ok, I attached

Nick_Berlin · October 18, 2022, 9:20pm

I noticed the kernel version was 5.13.19-2-pve, are you attempting to install in proxmox container?
Can you access /sys/kernel/debug/tracing/kprobe_events ?

Patryk_Ostrowski · October 24, 2022, 1:04pm

Yes, it is proxmox lxc

Nick_Berlin · October 24, 2022, 2:05pm

Elastic Endpoint doesn't support installation from within a container. To have visibility into containers, Endpoint must be installed on the container host, i.e. the proxmox server. All containers running on the host will then be monitored.

We do support installing within VMs, though. If transitioning to a VM is not too heavy weight for your use case, Endpoint could be installed to monitor that single VM instance.

Patryk_Ostrowski · October 27, 2022, 12:50pm

@Nick_Berlin thanks for your anserw, and explanation

system · November 24, 2022, 12:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic-agent : endpoint-security.sock no such file or directory Beats elastic-agent	4	2338	January 19, 2022
Unable to run Endpoint 8.4 on a Ubuntu 20.04 host hardened with CIS Level 2 Endpoint Security	17	1631	February 6, 2023
[again] Endpoint security immediately degraded Endpoint Security	9	2086	December 27, 2022
Elastic agent 8.4.3 - No policy response available Elastic Agent	9	716	December 13, 2023
Elastic agent Unhealthy Endpoint Security fleet , elastic-agent	2	2693	September 9, 2022

Problem with Endpoint Security Initiation

Related Topics