draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

Error in opening device /dev/scap0 #2011

Closed lobsec closed 1 year ago

lobsec commented 1 year ago

Hi community. I've just installed sysdig on a fresh Almalinux 9.2 by using the rpm in the github repo. The installation process seems to be ok

# rpm -i sysdig-0.32.1-x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:sysdig-0.32.1-1                  ################################# [100%]
Creating symlink /var/lib/dkms/scap/5.0.1+driver/source -> /usr/src/scap-5.0.1+driver
Sign command: /lib/modules/5.14.0-284.18.1.el9_2.x86_64/build/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub

Building module:
Cleaning build area...
make -j4 KERNELRELEASE=5.14.0-284.18.1.el9_2.x86_64 -C /lib/modules/5.14.0-284.18.1.el9_2.x86_64/build M=/var/lib/dkms/scap/5.0.1+driver/build....
Signing module /var/lib/dkms/scap/5.0.1+driver/build/scap.ko
Cleaning build area...

scap.ko.xz:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.14.0-284.18.1.el9_2.x86_64/extra/
Adding any weak-modules
depmod......

but if I try to run sysdig as root I receive the error message below.

error opening device /dev/scap0. Make sure you have root credentials and that the scap module is loaded: No such file or directory

If I try to run modprobe scap I receive an error message like

modprobe: ERROR: could not insert 'scap': Key was rejected by service

Here's my system information: Kernel: 5.14.0-284.18.1.el9_2.x86_64 Installed kernel packages:

kernel-modules-core-5.14.0-284.11.1.el9_2.x86_64
kernel-core-5.14.0-284.11.1.el9_2.x86_64
kernel-modules-5.14.0-284.11.1.el9_2.x86_64
kernel-5.14.0-284.11.1.el9_2.x86_64
kernel-modules-core-5.14.0-284.18.1.el9_2.x86_64
kernel-core-5.14.0-284.18.1.el9_2.x86_64
kernel-modules-5.14.0-284.18.1.el9_2.x86_64
kernel-tools-libs-5.14.0-284.18.1.el9_2.x86_64
kernel-tools-5.14.0-284.18.1.el9_2.x86_64
kernel-5.14.0-284.18.1.el9_2.x86_64
kernel-headers-5.14.0-284.18.1.el9_2.x86_64
kernel-devel-5.14.0-284.18.1.el9_2.x86_64
kernel-srpm-macros-1.0-12.el9.noarch
kernel-devel-matched-5.14.0-284.18.1.el9_2.x86_64

Thanks to anyone who can help me.

therealbobo commented 1 year ago

Hi @lobsec! Probably it's a secure boot issue. You can try to do something like:

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n xpad)

However, have you ever tried modern bpf (sysdig --modern-bpf)? It should work without the kernel module! 😄

lobsec commented 1 year ago

Hi @therealbobo and thanks for your time. Yes, secure boot is enabled.

$ sudo mokutil --sb-state
SecureBoot enabled

I created the keys with

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=Sysdig/"

and then I signed them with

$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n scap)
$ sudo mokutil --import MOK.der

After that I rebooted and enrolled the keys, but nothing has changed.

therealbobo commented 1 year ago

Did you enroll the MOK? 🤔

lobsec commented 1 year ago

Yes I did. Tomorrow I'll try to disable secure boot feature and try again. If that doesn't work, maybe it's not compatible with Almalinux.

therealbobo commented 1 year ago

I'm pretty sure that it's compatible. I'll fire up a vm and give it a try! 😄

lobsec commented 1 year ago

I can confirm that it is a secure boot related issue: I've tried to disable it, rebooted, and then it runs perfectly.

therealbobo commented 1 year ago

I'll close this, but feel free to reopen if anything new comes up! 😄

lobsec commented 1 year ago

Hi everyone, I finally found the solution on Almalinux 9.x with secure boot on.

  1. Uninstall sysdig if already installed with sudo dnf remove sysdig
  2. Install OpenSCAP if it is not installed with sudo dnf install openscap openscap-utils scap-security-guide
  3. Install again sysdig with sudo dnf install sysdig
  4. Import the mok file generated with sudo mokutil --import /var/lib/dkms/mok.pub (the path of the MOK file will be shown during the sysdig installation)
  5. Reboot and enroll the key
  6. Done
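A diagnostic helper for the failure in this thread, added here as an example (not code from the sysdig project or from the posters): it classifies the three facts the thread turns on (Secure Boot state, whether the module carries a signature, whether the DKMS certificate is enrolled in MOK) and then gathers them from the live system. It assumes the module name scap and the certificate path /var/lib/dkms/mok.pub from the thread, and that `mokutil --test-key` reports "<file> is already enrolled" / "<file> is not enrolled".

```shell
#!/bin/sh
# Added example, not from the sysdig project or this thread. Assumed defaults:
# module "scap" and DKMS MOK certificate /var/lib/dkms/mok.pub (both named in
# the thread); mokutil --test-key is assumed to print "<file> is already
# enrolled" or "<file> is not enrolled".

# classify_signing SB_STATE SIGNER TEST_KEY_OUTPUT
# Pure function so it can be exercised on captured tool output. Prints a
# verdict; exit code 0 = module should load, 3 = module has no signature,
# 4 = signed but the signing certificate is not enrolled in MOK.
classify_signing() {
    sb_state="$1"; signer="$2"; key_test="$3"
    case "$sb_state" in
        *"SecureBoot enabled"*) ;;
        *) echo "secure-boot-off: unsigned modules load, nothing to fix"; return 0 ;;
    esac
    if [ -z "$signer" ]; then
        echo "unsigned: sign the module with sign-file and the DKMS MOK key"
        return 3
    fi
    case "$key_test" in
        *"is already enrolled"*)
            echo "ok: signed by '$signer' and the MOK certificate is enrolled"
            return 0 ;;
        *)  echo "key-not-enrolled: signed by '$signer'; import the certificate with mokutil --import, reboot and enroll it"
            return 4 ;;
    esac
}

# Gather the three facts from the running system and classify them.
# Usage: diagnose_module_signing [module] [mok-certificate]
diagnose_module_signing() {
    mod="${1:-scap}"; mok_cert="${2:-/var/lib/dkms/mok.pub}"
    sb_state=$(mokutil --sb-state 2>/dev/null)
    signer=$(modinfo -F signer "$mod" 2>/dev/null)    # empty when unsigned
    key_test=$(mokutil --test-key "$mok_cert" 2>/dev/null)
    classify_signing "$sb_state" "$signer" "$key_test"
}

diagnose_module_signing "$@"
```

The "Key was rejected by service" error in the thread corresponds to the exit-code-4 case: the module is signed, but the kernel's trusted keyring does not contain the signer because the MOK was never enrolled.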