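# falcon/default.nix
#
# Packages the vendor-supplied CrowdStrike Falcon Sensor .deb and wraps it in
# an FHS user environment, so the prebuilt binaries see the conventional
# filesystem layout and shared libraries they were linked against.
{ stdenv, lib, pkgs, dpkg
, openssl, libnl, zlib
, fetchurl, autoPatchelfHook, buildFHSUserEnv, writeScript, ... }:

let
  pname = "falcon-sensor";
  version = "6.31.0-12803";
  arch = "amd64";

  # The vendor package is read from a local path rather than fetched. The
  # evaluator copies this file into the (world-readable) Nix store without any
  # integrity check, so verify its checksum against the value CrowdStrike
  # publishes for this release before placing it at this path.
  src = /opt/CrowdStrike + "/ubuntu_${pname}_${version}_${arch}.deb";

  # The .deb unpacked and patchelf-ed, installed as-is under $out so that
  # $out/opt/CrowdStrike/... mirrors the package's own layout.
  falcon-sensor = stdenv.mkDerivation {
    inherit pname version arch src;

    # dpkg and autoPatchelfHook are build-time tools; zlib is a runtime
    # dependency that autoPatchelfHook wires into the binaries' RPATH.
    nativeBuildInputs = [ dpkg autoPatchelfHook ];
    buildInputs = [ zlib ];

    sourceRoot = ".";
    # The default unpacker does not understand .deb archives.
    unpackPhase = ''
      dpkg-deb -x $src .
    '';

    # Nothing to configure or compile: the package is prebuilt.
    dontConfigure = true;
    dontBuild = true;

    installPhase = ''
      cp -r . $out
    '';

    meta = with lib; {
      description = "Crowdstrike Falcon Sensor";
      homepage = "https://www.crowdstrike.com/";
      license = licenses.unfree;
      platforms = platforms.linux;
      maintainers = with maintainers; [ klden ];
    };
  };
in buildFHSUserEnv {
  name = "fs-bash";
  # Libraries the sensor binaries need at runtime inside the environment.
  # (The package set the builder passes in is not needed here.)
  targetPkgs = _: [ libnl openssl zlib ];
  # Link the unpacked package tree (opt/, etc/, ...) into this output so that
  # callers can reference e.g. ${falcon-sensor}/opt/CrowdStrike/falconctl
  # through the wrapper's own store path.
  extraInstallCommands = ''
    ln -s ${falcon-sensor}/* $out/
  '';
  # `fs-bash -c "..."` runs a command inside the FHS environment.
  runScript = "bash";
}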
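# falcon.nix
#
# NixOS module that runs the CrowdStrike Falcon Sensor daemon (falcond) as a
# systemd service, using the FHS-wrapped package from ./falcon.
{ pkgs, ... }:

let
  falcon = pkgs.callPackage ./falcon { };

  # Pre-start: the sensor expects its files under /opt/CrowdStrike on the host
  # filesystem, so link the store copy there, then query the configured CID.
  # Tools are referenced by store path so the script does not depend on the
  # unit's PATH this early in boot; a non-zero exit aborts the unit start.
  startPreScript = pkgs.writeScript "init-falcon" ''
    #! ${pkgs.bash}/bin/sh
    set -eu
    ${pkgs.coreutils}/bin/mkdir -p /opt/CrowdStrike
    ${pkgs.coreutils}/bin/ln -sf ${falcon}/opt/CrowdStrike/* /opt/CrowdStrike
    ${falcon}/bin/fs-bash -c "${falcon}/opt/CrowdStrike/falconctl -g --cid"
  '';
in {
  systemd.services.falcon-sensor = {
    enable = true;
    description = "CrowdStrike Falcon Sensor";
    # Early-boot ordering: start once local filesystems are up, before the
    # rest of sysinit, and stop cleanly on shutdown.
    unitConfig.DefaultDependencies = false;
    after = [ "local-fs.target" ];
    conflicts = [ "shutdown.target" ];
    before = [ "sysinit.target" "shutdown.target" ];
    serviceConfig = {
      ExecStartPre = "${startPreScript}";
      # No User= is set, so falcond runs as root.
      ExecStart = "${falcon}/bin/fs-bash -c \"${falcon}/opt/CrowdStrike/falcond\"";
      Type = "forking";
      PIDFile = "/run/falcond.pid";
      Restart = "no";
      TimeoutStopSec = "60s";
      # Only the main process is signalled on stop; processes it forked are
      # left to exit on their own.
      KillMode = "process";
    };
    wantedBy = [ "multi-user.target" ];
  };
}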
I'm also seeing some worrying logs with:
λ sudo tail -f /var/log/falcon-sensor.log
Tue Jul 12 18:49:10 2022 Couldn't open file /proc/falcon_nf_netcontain/rules: ERRNO=2 () (398091) [324]
Tue Jul 12 18:49:10 2022 Failed to fetch rules from proc: STATUS=0xC0000034 (398091) [1298]
Tue Jul 12 18:49:10 2022 Failed to fetch network containment rules: STATUS=0xC0000034 (398091) [210]
Tue Jul 12 18:49:10 2022 Failed to refresh active rules from userspace (398091) [588]
Tue Jul 12 18:49:10 2022 Could not enumerate existing rules: STATUS=0xC0000034 (398091) [382]
Tue Jul 12 18:49:10 2022 NFI wasn't ready: STATUS=0xC0000034 (398091) [2101]
Tue Jul 12 18:49:10 2022 Failed to allow DNS; proceeding anyway: STATUS=0xC0000034 (398091) [437]
Tue Jul 12 18:49:25 2022 Unable to resolve address, getaddrinfo returned -2 (398091) [493]
Tue Jul 12 18:49:25 2022 Failed to setup socket! Returned STATUS=0xC0000001 (398091) [1739]
Hey @wpcarro , here's my log snippet from
> ls -la /var/log/falcon-sensor.log ~/projects/nixos-conf
.rw------- 0 root 7 Jun 02:00 /var/log/falcon-sensor.log
(nothing in `/var/log/falcon-sensor.log`)
and `journalctl -lu falcon-sensor`:
...
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud starts
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: ts01-b.cloudsink.net:443
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): Could not retrieve DisableProxy value: c0000XXX
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectWithProxy: Unable to get application proxy host from CsConfig: c0000XXX
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: Unable to connect to ts01-b.cloudsink.net:38864 via Application Proxy: c0000225
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): trying to connect to ts01-b.cloudsink.net:443
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): Connected directly to ts01-b.cloudsink.net:443
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): ValidateCertificate: Certificate verified!
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): SSLSocket connected successfully to ts01-b.cloudsink.net:443
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): sock/ssl/proxy cnctd ok. First send to cloud.
Jul 12 20:45:43 x1e3 falcon-sensor[1080]: CrowdStrike(4): CLOUDPROTO_ESTABLISHED. AgentId unchanged
Jul 12 20:45:43 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud successful.
Jul 12 20:54:54 x1e3 falcon-sensor[1080]: CrowdStrike(4): calling SSL_shutdown
Jul 12 20:54:54 x1e3 falcon-sensor[1080]: CrowdStrike(4): SSLSocket Disconnected from Cloud.
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud starts
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: ts01-b.cloudsink.net:443
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): Could not retrieve DisableProxy value: c0000XXX
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectWithProxy: Unable to get application proxy host from CsConfig: c0000XXX
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: Unable to connect to ts01-b.cloudsink.net:38864 via Application Proxy: c0000XXX
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): trying to connect to ts01-b.cloudsink.net:443
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): Connected directly to ts01-b.cloudsink.net:443
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): ValidateCertificate: Certificate verified!
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): SSLSocket connected successfully to ts01-b.cloudsink.net:443
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): sock/ssl/proxy cnctd ok. First send to cloud.
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): CLOUDPROTO_ESTABLISHED. AgentId unchanged
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud successful.
> Couldn't open file /proc/falcon_nf_netcontain/rules

I don't have this file on my system. Are you using the same falcon-sensor version?
> Are you using the same falcon-sensor version?
I'm using Crowdstrike_falcon-sensor_6.35.0-13207_amd64.deb
Maybe my `/var/log/falcon-sensor.log` is populated because I'm passing `-s -f --trace=debug` as a flag (in addition to the flags you defined).
My `journalctl -lu falcon-sensor` output appears more or less similar to yours, and I think my unit is stable (it's been running for O(hours) at the time of writing). I'll need to check with the security team to make sure it's working as they intend.
I'm less concerned (but still ~curious) why my logs are complaining about `/var/log/falconctl.log`:

> Unable to open falconctl log file /var/log/falconctl.log
Looks like `-g` and `-s` are mutually exclusive; I got the following error:
Jul 13 00:26:31 x1e3 systemd[1]: Starting CrowdStrike Falcon Sensor...
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: ERROR: -g and -s and -d are mutually exclusive
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: Usage: falconctl -g GET_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: falconctl -s [ -f ] SET_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: falconctl -d [ -f ] DEL_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where GET_OPTIONS := { --cid for CustomerId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --aid for AgentId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --apd for App Proxy Disable |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --aph for App Proxy Host |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --app for App Proxy Port |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --rfm-state for indicating whether the sensor is in Reduced Functionality Mode |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --rfm-reason to determine reason for sensor running in Reduced Functionality Mode |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --trace for determining the configured trace level |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --feature to determine the configured sensor feature flags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --metadata-query to determine the configured sensor cloud provider metadata query flags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --version for version of sensor currently running |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --message-log for logging messages to disk |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --billing to configure the sensor billing type |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --tags for sensor grouping tags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --provisioning-token for Provisioning Token |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --systags for system tags currently applied to a running sensor }
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where SET_OPTIONS := { --cid="{<uuid string>}" |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --apd=true | --apd=false |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --aph=<app proxy host name> |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --app=<app proxy port> |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --trace=[none|err|warn|info|debug] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --feature=[none,[enableLog[,disableLogBuffer[,disableOsfm[,emulateUpdate]]]]] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --metadata-query=[[dis|en]able|[dis|en]ableAWS[,[dis|en]ableAzure[,[dis|en]ableGCP]]] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --update SIGHUP the sensor for immediate trace/feature update |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --message-log=true | --message-log=false |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --billing=[default|metered] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --tags=<comma separated list of tags for sensor grouping> (allowed characters: all alphanumerics, '/', '-', '_', and ',') |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --provisioning-token=<provisioning token value> }
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where DEL_OPTIONS := { --cid for CustomerId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --aid for AgentId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --apd for App Proxy Disable |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --aph for App Proxy Host |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --app for App Proxy Port |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --trace for determining the configured trace level |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --billing to configure the sensor billing type |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --tags for sensor grouping tags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: --provisioning-token for Provisioning Token }
Also, I tried adding `--trace=debug` (`falconctl -g --trace=debug --cid`), but couldn't get any logs populated in `/var/log/falcon-sensor.log`.
Finally, when I try to delete the log file and restart the service, the file gets recreated with no content in it 🤔 .
`-g` should get the value (if it's set at all); `-s -f --trace=debug` should set it. You can try the following experiment:
$ find /nix/store -name 'falconctl' 2>/dev/null
# grab the store path
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -g --trace # get it => nothing
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -s -f --trace=debug # set it
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -g --trace # get it => something
trace=debug.
I know CrowdStrike's unit definition has `-g --cid` in the pre-start section, but I imagine that's intended to be just an assertion that the CID is set. I changed mine to simply ensure the CID is set:
${env}/bin/setup -c "${crowdstrike}/opt/CrowdStrike/falconctl -s -f --trace=debug --cid=some-secret-value
That makes sense. I wasn't aware of all the possible flags they offered and just used the default values from their unit service. 👍 I hope you were able to make it work on your end!
I should hear back from the security team today 🤞
Thanks again for posting yours as a reference
Hey, I'm a bit new to NixOS and I'm not quite sure where I'd put these files or how to invoke them. Do I reference them via `environment.systemPackages`, or by just referencing them directly with an import? Do I need to run `nix build`? I'm at a bit of a loss and would appreciate any help.
Hey! The files should be placed where your Nix configuration is located. If you are using a flake, you should be able to just import ./falcon.nix (here's how I imported it in the past: https://github.com/klDen/nixos-conf/blob/5dca471ef23f9867cfe709d10f4c14321ef766ea/flake.nix#L120).
falcon.nix
falcon/default.nix
Afterward you should be able to follow the commands in https://gist.github.com/klDen/c90d9798828e31fecbb603f85e27f4f1?permalink_comment_id=4191680#gistcomment-4191680.
I'm not using crowdstrike anymore so it may not work with the latest versions :/
This seems to work great with the latest version 7. Thank you so much!
Glad it worked well for you!
Thanks for sharing this. I'm running `journalctl -lu falcon-sensor` and seeing:

Do you have the same logs?