@klDen
Forked from ravloony/falcon-default.nix
Last active April 5, 2024 17:06
Falcon package
falcon/default.nix

{ stdenv, lib, pkgs, dpkg,
  openssl, libnl, zlib,
  fetchurl, autoPatchelfHook, buildFHSUserEnv, writeScript, ... }:
let
  pname = "falcon-sensor";
  version = "6.31.0-12803";
  arch = "amd64";
  # The vendor .deb must already be present at this path; it is copied into the store.
  src = /opt/CrowdStrike + "/ubuntu_${pname}_${version}_${arch}.deb";
  falcon-sensor = stdenv.mkDerivation {
    inherit version arch src;
    name = pname;
    buildInputs = [ dpkg zlib autoPatchelfHook ];
    sourceRoot = ".";
    # Unpack the .deb payload and install it as-is; autoPatchelfHook fixes the ELF interpreters.
    unpackPhase = ''
      dpkg-deb -x $src .
    '';
    installPhase = ''
      cp -r . $out
    '';
    meta = with lib; {
      description = "Crowdstrike Falcon Sensor";
      homepage = "https://www.crowdstrike.com/";
      license = licenses.unfree;
      platforms = platforms.linux;
      maintainers = with maintainers; [ klden ];
    };
  };
in buildFHSUserEnv {
  # FHS environment so the prebuilt sensor binaries find their shared libraries.
  name = "fs-bash";
  targetPkgs = pkgs: [ libnl openssl zlib ];
  extraInstallCommands = ''
    ln -s ${falcon-sensor}/* $out/
  '';
  runScript = "bash";
}
falcon.nix

{ pkgs, ... }:
let
  falcon = pkgs.callPackage ./falcon { };
  # Pre-start: expose the sensor files under /opt/CrowdStrike and print the configured CID.
  startPreScript = pkgs.writeScript "init-falcon" ''
    #! ${pkgs.bash}/bin/sh
    /run/current-system/sw/bin/mkdir -p /opt/CrowdStrike
    ln -sf ${falcon}/opt/CrowdStrike/* /opt/CrowdStrike
    ${falcon}/bin/fs-bash -c "${falcon}/opt/CrowdStrike/falconctl -g --cid"
  '';
in {
  systemd.services.falcon-sensor = {
    enable = true;
    description = "CrowdStrike Falcon Sensor";
    unitConfig.DefaultDependencies = false;
    after = [ "local-fs.target" ];
    conflicts = [ "shutdown.target" ];
    before = [ "sysinit.target" "shutdown.target" ];
    serviceConfig = {
      ExecStartPre = "${startPreScript}";
      # falcond runs inside the FHS wrapper built in falcon/default.nix.
      ExecStart = "${falcon}/bin/fs-bash -c \"${falcon}/opt/CrowdStrike/falcond\"";
      Type = "forking";
      PIDFile = "/run/falcond.pid";
      Restart = "no";
      TimeoutStopSec = "60s";
      KillMode = "process";
    };
    wantedBy = [ "multi-user.target" ];
  };
}
@klDen

klDen commented Jul 13, 2022

Looks like -g and -s are mutually exclusive; I got the following error:

Jul 13 00:26:31 x1e3 systemd[1]: Starting CrowdStrike Falcon Sensor...
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: ERROR: -g and -s and -d are mutually exclusive
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: Usage: falconctl -g GET_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:        falconctl -s [ -f ] SET_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:        falconctl -d [ -f ] DEL_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where GET_OPTIONS := { --cid for CustomerId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aid for AgentId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --apd for App Proxy Disable |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aph for App Proxy Host |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --app for App Proxy Port |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --rfm-state for indicating whether the sensor is in Reduced Functionality Mode |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --rfm-reason to determine reason for sensor running in Reduced Functionality Mode |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --trace for determining the configured trace level |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --feature to determine the configured sensor feature flags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --metadata-query to determine the configured sensor cloud provider metadata query flags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --version for version of sensor currently running |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --message-log for logging messages to disk |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --billing to configure the sensor billing type |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --tags for sensor grouping tags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --provisioning-token for Provisioning Token |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --systags for system tags currently applied to a running sensor }
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where SET_OPTIONS := { --cid="{<uuid string>}" |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --apd=true | --apd=false |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aph=<app proxy host name> |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --app=<app proxy port> |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --trace=[none|err|warn|info|debug] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --feature=[none,[enableLog[,disableLogBuffer[,disableOsfm[,emulateUpdate]]]]] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --metadata-query=[[dis|en]able|[dis|en]ableAWS[,[dis|en]ableAzure[,[dis|en]ableGCP]]] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --update SIGHUP the sensor for immediate trace/feature update |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --message-log=true | --message-log=false |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --billing=[default|metered] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --tags=<comma separated list of tags for sensor grouping> (allowed characters: all alphanumerics, '/', '-', '_', and ',') |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --provisioning-token=<provisioning token value> }
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where DEL_OPTIONS := { --cid for CustomerId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aid for AgentId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --apd for App Proxy Disable |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aph for App Proxy Host |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --app for App Proxy Port |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --trace for determining the configured trace level |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --billing to configure the sensor billing type |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --tags for sensor grouping tags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --provisioning-token for Provisioning Token }

Also, I tried adding --trace=debug (falconctl -g --trace=debug --cid), but couldn't get any logs populated in /var/log/falcon-sensor.log.
Finally, when I try to delete the log file and restart the service, the file gets recreated with no content in it. 🤔

@wpcarro

wpcarro commented Jul 13, 2022

-g should get the value (if it's set at all). -s -f --trace=debug should set it. You can try the following experiment:

$ find /nix/store -name 'falconctl' 2>/dev/null
# grab the store path
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -g --trace          # get it => nothing
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -s -f --trace=debug # set it
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -g --trace          # get it => something
trace=debug.

@wpcarro

wpcarro commented Jul 13, 2022

I know CrowdStrike's unit definition has -g --cid in the pre-start section, but I imagine that's intended to just be an assertion that the CID is set. I changed mine to just ensure the CID is set:

${env}/bin/setup -c "${crowdstrike}/opt/CrowdStrike/falconctl -s -f --trace=debug --cid=some-secret-value"
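A pre-start script for the unit above that asserts the CID rather than only printing it, written here as an added example (it is neither the gist's code nor CrowdStrike's unit). It reads the CID from a hypothetical root-only file /etc/falcon/cid instead of interpolating the secret into the Nix expression, where it would land world-readable in /nix/store; sets it only when `falconctl -g --cid` reports none; sets the trace level with `-s -f` as discussed; and fails the unit if the CID is still unset. The `cid=` output pattern is an assumption inferred from the `trace=debug.` format shown earlier in the thread.

```nix
{ pkgs, ... }:
let
  falcon = pkgs.callPackage ./falcon { };
  # Run falconctl inside the FHS wrapper built in falcon/default.nix.
  inEnv = "${falcon}/bin/fs-bash -c";
  ctl = "${falcon}/opt/CrowdStrike/falconctl";
  # Hypothetical path: root-owned, mode 0600, containing only the CID. A file
  # outside the store is used because Nix strings end up world-readable in it.
  cidFile = "/etc/falcon/cid";
  startPreScript = pkgs.writeShellScript "init-falcon" ''
    set -eu
    export PATH=${pkgs.coreutils}/bin:${pkgs.gnugrep}/bin
    mkdir -p /opt/CrowdStrike
    ln -sf ${falcon}/opt/CrowdStrike/* /opt/CrowdStrike

    # -g and -s are mutually exclusive: read first, then set only if needed.
    # Assumption: a configured CID is reported as "cid=...", in the same
    # shape as the "trace=debug." output shown for -g --trace in the thread.
    if ! ${inEnv} "${ctl} -g --cid" | grep -q 'cid='; then
      [ -r ${cidFile} ] || { echo "init-falcon: ${cidFile} unreadable" >&2; exit 1; }
      cid=$(tr -d '[:space:]' < ${cidFile})
      ${inEnv} "${ctl} -s -f --cid=$cid"
    fi
    # Trace level is likewise a set option; -g --trace only reads it back.
    ${inEnv} "${ctl} -s -f --trace=warn"

    # Refuse to start falcond unregistered rather than running it silently.
    ${inEnv} "${ctl} -g --cid" | grep -q 'cid=' \
      || { echo "init-falcon: CID not configured" >&2; exit 1; }
  '';
in {
  systemd.services.falcon-sensor = {
    description = "CrowdStrike Falcon Sensor";
    after = [ "local-fs.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStartPre = "${startPreScript}";
      ExecStart = "${inEnv} \"${falcon}/opt/CrowdStrike/falcond\"";
      Type = "forking";
      PIDFile = "/run/falcond.pid";
      TimeoutStopSec = "60s";
      KillMode = "process";
    };
  };
}
```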

@klDen

klDen commented Jul 13, 2022

That makes sense. I wasn't aware of all the possible flags they offered and just used the default values from their unit service. 👍 I hope you were able to make it work on your end!

@wpcarro

wpcarro commented Jul 13, 2022

I should hear back from the security team today 🤞

Thanks again for posting yours as a reference.

@daniel-brenot

Hey, I'm a bit new to NixOS and I'm not quite sure where I'd put these files or how to invoke them. Do I reference them via environment.systemPackages or by just referencing it directly with an include? Do I need to run nix build? I'm just at a bit of a loss and would appreciate any help.

@klDen

klDen commented Apr 4, 2024

Hey! The files should be placed where your Nix configuration is located. If you are using a flake, you should be able to just import ./falcon.nix (here's how I imported it in the past: https://github.com/klDen/nixos-conf/blob/5dca471ef23f9867cfe709d10f4c14321ef766ea/flake.nix#L120).

falcon.nix
falcon/default.nix

Afterward you should be able to follow the commands in https://gist.github.com/klDen/c90d9798828e31fecbb603f85e27f4f1?permalink_comment_id=4191680#gistcomment-4191680.

I'm not using CrowdStrike anymore, so it may not work with the latest versions :/

@daniel-brenot

This seems to work great with the latest version 7. Thank you so much!

@klDen

klDen commented Apr 5, 2024

Glad it worked well for you!
