IBM Support

QRadar EDR (formerly ReaQta): Keeperx.service error Main process exited, code=exited, status=4/NOPERMISSION with Linux Agent 0.60.0 when registering the endpoint

Troubleshooting


Problem

Linux Agent version 0.60.0 might return the error "keeperx.service: Main process exited, code=exited, status=4/NOPERMISSION" while registering the endpoint when the Linux system uses kernel modules instead of an eBPF probe.

Symptom

Agent registration is successful. However, the endpoint shows an outdated version warning in the ReaQta endpoint dashboard.
The keeperx.service unit is not running and fails to start.

Cause

When the agent is installed on a Linux system that uses kernel modules rather than an eBPF probe, it includes an unsigned Falco kernel module. If kernel module signing is set to recommended, the Falco kernel module does not load. In this case, you can force the module to load.

Diagnosing The Problem

Check the journalctl logs by typing the command: journalctl -xef -u keeperx, and search for the following messages: 

keeperx-loader.sh[5247]: Trying kernel module driver
keeperx-loader.sh[5247]: Your current kernel configuration does not require to load properly signed modules.
keeperx-loader.sh[5247]: However, the kernel will switch into 'tainted' state when loading unsigned modules
keeperx.service: Main process exited, code=exited, status=4/NOPERMISSION
An ExecStart= process belonging to unit keeperx.service has exited.
The process' exit code is 'exited' and its exit status is 4.
keeperx.service: Failed with result 'exit-code'.

Resolving The Problem

To resolve the status=4/NOPERMISSION error, complete the following steps: 
 
  1. Edit the /etc/reaqtahive.d/keeperx.env file, and add the following line to the end of it:

    KMOD_IGNORE_TAINT=1
     
  2. Print the content of the keeperx.env file and make sure the line previously added is present there, by issuing the command:

    cat /etc/reaqtahive.d/keeperx.env

  3. Reset any agent service errors by typing the following command:

    sudo systemctl reset-failed keeperx
     
  4. Restart the agent service by typing the following command:

    sudo systemctl restart keeperx

Note: Forcing the module to load causes the kernel to mark itself as tainted. If this solution is not viable in your environment, do not follow these steps.
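
The following shell helpers are an added example, not IBM code. They confirm the journal shows this specific failure before the fix is applied, add the setting from step 1 without duplicating it, and decode the module-related kernel taint flags that the note above refers to. The function names are hypothetical, and the taint bit meanings are those in the Linux kernel documentation.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names are hypothetical; the file path,
# setting and log text come from the article.
ENV_LINE='KMOD_IGNORE_TAINT=1'

# Two lines from the article's journal excerpt, used as sample input.
SAMPLE_LOG='keeperx-loader.sh[5247]: Trying kernel module driver
keeperx.service: Main process exited, code=exited, status=4/NOPERMISSION'

# Exit 0 when journal text on stdin shows both the kernel-module attempt and
# the status=4/NOPERMISSION exit, so the fix is not applied to other failures.
matches_signature() {
    awk '/Trying kernel module driver/ { kmod = 1 }
         /keeperx\.service: Main process exited.*status=4\/NOPERMISSION/ { perm = 1 }
         END { exit !(kmod && perm) }'
}

# Steps 1-2, idempotent: append the setting only if no identical line exists,
# then print how many times it occurs (1 on success).
ensure_env_line() {
    file=$1
    if ! grep -qxF "$ENV_LINE" "$file" 2>/dev/null; then
        # Terminate an unterminated last line so the setting gets its own line.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then echo >> "$file"; fi
        printf '%s\n' "$ENV_LINE" >> "$file"
    fi
    grep -cxF "$ENV_LINE" "$file"
}

# Decode the module-related bits of /proc/sys/kernel/tainted (Linux kernel
# taint flags): bit 1 = F forced load, bit 12 = O out-of-tree, bit 13 = E unsigned.
decode_taint() {
    t=$1; out=
    if [ $(( ($t >> 1) & 1 )) -eq 1 ]; then out="${out}F"; fi
    if [ $(( ($t >> 12) & 1 )) -eq 1 ]; then out="${out}O"; fi
    if [ $(( ($t >> 13) & 1 )) -eq 1 ]; then out="${out}E"; fi
    printf '%s\n' "${out:-none}"
}

# Typical use on an affected host (run as root):
#   journalctl -u keeperx --no-pager | matches_signature &&
#       ensure_env_line /etc/reaqtahive.d/keeperx.env
#   decode_taint "$(cat /proc/sys/kernel/tainted)"   # after the restart in step 4
```

Recording the decoded flags before and after the change shows which taint the forced load introduced on that host.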

Document Location

Worldwide

Product Synonym

ReaQta

Document Information

Modified date:
16 May 2023

UID

ibm16842417