This document helps diagnose and resolve common issues with AegisBPF.
Run the health check command to identify issues:
sudo aegisbpf health
Optional environment verification:
scripts/verify_env.sh --strict
Smoke tests:
sudo scripts/smoke_enforce.sh
sudo scripts/smoke_audit_fallback.sh
Expected output for a healthy system:
euid: 0
cgroup_v2: ok
bpffs: ok
btf: ok
bpf_obj_path: /usr/lib/aegisbpf/aegis.bpf.o
bpf_lsm_enabled: yes
lsm_list: lockdown,capability,landlock,yama,bpf
kernel_config_bpf: y
kernel_config_bpf_syscall: y
kernel_config_bpf_jit: y
kernel_config_bpf_lsm: y
kernel_config_cgroups: y
kernel_config_cgroup_bpf: y
pins_present: deny_inode,deny_path,allow_cgroup,block_stats,agent_meta
layout_version: ok (1)
Symptom:
BPF LSM not enabled; falling back to tracepoint audit-only mode
Cause: The kernel was not booted with BPF LSM enabled.
Solution:
cat /sys/kernel/security/lsm
bpf to the kernel command line:
# Edit GRUB configuration
sudo vim /etc/default/grub
# Add bpf to GRUB_CMDLINE_LINUX
GRUB_CMDLINE_LINUX="lsm=lockdown,capability,landlock,yama,bpf"
# Update GRUB
sudo update-grub
# Reboot
sudo reboot
cat /sys/kernel/security/lsm | grep bpf
Symptom:
Failed to load BPF object: error: ...
Possible Causes:
# Check BTF availability
ls -la /sys/kernel/btf/vmlinux
If missing, your kernel doesn’t have BTF. Options:
# Check capabilities
capsh --print | grep -i bpf
Run as root or with required capabilities:
sudo setcap cap_sys_admin,cap_bpf,cap_perfmon+eip /usr/bin/aegisbpf
# Check if BPF object exists
ls -la /usr/lib/aegisbpf/aegis.bpf.o
# Set custom path if needed
export AEGIS_BPF_OBJ=/path/to/aegis.bpf.o
Symptom:
Ring buffer poll failed: error_code=-12
Cause: Usually memory-related (ENOMEM = 12).
Solution:
ulimit -l unlimited
[Service]
LimitMEMLOCK=infinity
echo "* - memlock unlimited" | sudo tee -a /etc/security/limits.conf
Symptom:
deny_inode_map not found
Cause: BPF maps not pinned or pins corrupted.
Solution:
sudo aegisbpf block clear
sudo rm -rf /sys/fs/bpf/aegis/
sudo aegisbpf run
mount | grep bpf
# Should show: bpf on /sys/fs/bpf type bpf
If not mounted:
sudo mount -t bpf bpf /sys/fs/bpf
Symptom:
layout_version: mismatch (found 0, expected 1)
Cause: Map structure changed between versions.
Solution:
Clear all pins and restart:
sudo aegisbpf block clear
sudo aegisbpf run
Symptom: Agent running but no events in logs.
Possible Causes:
# Check log configuration
sudo aegisbpf run --log=stdout # See events immediately
# List allowed cgroups
sudo aegisbpf allow list
# List deny rules
sudo aegisbpf block list
Symptom:
ringbuf_drops: 12345
Cause: Events generated faster than userspace can process.
Solutions:
sudo aegisbpf run --log-level=warn
sudo aegisbpf run --log=journald
sudo aegisbpf stats
Symptom:
Failed to apply seccomp filter: ...
Cause: Seccomp-BPF not available or already applied.
Solution:
grep SECCOMP /boot/config-$(uname -r)
sudo aegisbpf run # without --seccomp
Symptom:
Failed to apply policy: SHA256 mismatch
Cause: Policy file was modified after hash was computed.
Solution:
sha256sum /etc/aegisbpf/policy.conf
sudo aegisbpf policy apply /etc/aegisbpf/policy.conf \
--sha256 <new-hash>
Symptom: Deny rules configured but executions not blocked.
Checklist:
cat /sys/kernel/security/lsm | grep bpf
sudo aegisbpf run --enforce # not --audit
cat /proc/$(pgrep -f some_process)/cgroup
sudo aegisbpf allow list
sudo aegisbpf block list | grep /path/to/blocked
stat /path/to/blocked
sudo aegisbpf block list
Enable debug logging for detailed information:
sudo aegisbpf run --log-level=debug --log-format=json
Use bpftool for low-level debugging:
# List loaded BPF programs
sudo bpftool prog list
# Show BPF maps
sudo bpftool map list
# Dump map contents
sudo bpftool map dump pinned /sys/fs/bpf/aegis/deny_inode
# Trace BPF program execution
sudo bpftool prog tracelog
If issues persist:
sudo aegisbpf health > aegisbpf-health.txt 2>&1
uname -a >> aegisbpf-health.txt
cat /sys/kernel/security/lsm >> aegisbpf-health.txt
sudo dmesg | tail -100 >> aegisbpf-health.txt
Include: