Sysmon does not work on EL9 with 6.6+ kernel from elrepo

[kevinsprague]

Describe the bug On RHEL/Alma 9 with an ELRepo kernel-ml kernel (6.8.8-1.el9.elrepo.x86_64 right now) I cannot run Sysmon for Linux.

To Reproduce

1. Use Alma (or RHEL) 9.x
2. Install the kernel-ml package from the elrepo repository
3. Install sysmon with DNF
4. Start sysmon with sysmon -i

Sysmon version 1.3.2 installed via DNF (per the installation instructions in INSTALL.md)

Distro/kernel version AlmaLinux 9, but the problem has also been seen on RHEL 9.

Kernels 6.8.8-1.el9.elrepo.x86_64 and 6.6.9-1.el9.elrepo.x86_64

Sysmon configuration

I did not specify a configuration, so I believe it is using the configuration found in /opt/sysmon/config.xml

<Sysmon schemaversion="4.22">
<EventFiltering>
</EventFiltering>
</Sysmon>

Logs

When I did sysmon -i I got this message.

Job for sysmon.service failed because the control process exited with error code. See "systemctl status sysmon.service" and "journalctl -xeu sysmon.service" for details.

Running systemctl status sysmon.service gave the following:

× sysmon.service - Sysmon event logger
     Loaded: loaded (/etc/systemd/system/sysmon.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Fri 2024-05-10 09:50:30 EDT; 5min ago
    Process: 3533 ExecStart=/opt/sysmon/sysmon -i /opt/sysmon/config.xml -service (code=exited, status=12)
        CPU: 545ms

May 10 09:50:30 localhost.localdomain sysmon[3584]: ; event->m_mtime.tv_nsec = BPF_CORE_READ((struct inode *)inode, i_mtime.tv_nsec);
May 10 09:50:30 localhost.localdomain sysmon[3584]: 617: (63) *(u32 *)(r8 +80) = r1       ; R1_w=scalar() R8=map_value(off=0,ks=4,vs=65512,imm=0)
May 10 09:50:30 localhost.localdomain sysmon[3584]: 618: <invalid CO-RE relocation>
May 10 09:50:30 localhost.localdomain sysmon[3584]: failed to resolve CO-RE relocation <byte_off> [541] struct inode.i_ctime.tv_sec (0:17:0 @ offset 120)
May 10 09:50:30 localhost.localdomain sysmon[3584]: processed 9930 insns (limit 1000000) max_states_per_insn 12 total_states 226 peak_states 152 mark_read 99
May 10 09:50:30 localhost.localdomain sysmon[3584]: -- END PROG LOAD LOG --
May 10 09:50:30 localhost.localdomain sysmon[3584]: libbpf: prog 'FileOpenRawExit': failed to load: -22
May 10 09:50:30 localhost.localdomain sysmon[3584]: libbpf: failed to load object './/sysmonEBPFkern5.6-_core.o'
May 10 09:50:30 localhost.localdomain sysmon[3584]: ERROR: failed to load prog: 'Invalid argument'
May 10 09:50:30 localhost.localdomain sysmon[3533]: Telemetry failed to start: eBPF object could not be loaded

Running journalctl -xeu sysmon.service provided the following: output.txt

Expected behavior I expected that sysmon would start and that systemctl status sysmon would show that it is running.

Additional context

• I did a quick check and sysmon works on a RHEL 8 VM with these kernels.
• I also had a VM with the kernel-lt package (6.1.88-1.el9.elrepo.x86_64) and sysmon works fine on that machine.

[MarioHewardt]

Hi @kevinsprague - Thanks for reporting this. It looks like in kernel 6.6+ they renamed the i_ctime field to __i_ctime. I've tagged this as a bug and put on the backlog.

[MarioHewardt]

The fix has been merged.