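{ stdenv, lib, pkgs, dpkg,
  openssl, libnl, zlib,
  fetchurl, autoPatchelfHook, buildFHSUserEnv, writeScript, ... }:
# Packages the vendor-supplied CrowdStrike Falcon sensor .deb and wraps it in an
# FHS user environment (`fs-bash`) so the pre-built binaries find their shared
# libraries at the conventional paths they were linked against.
let
  pname = "falcon-sensor";
  version = "6.31.0-12803";
  arch = "amd64";

  # The .deb is read from a local, out-of-store directory that the operator
  # populates by hand. No hash is pinned, so nothing in this expression checks
  # the archive's integrity; whatever is at that path is installed as-is.
  # NOTE(review): if the vendor publishes a checksum, consider pinning it
  # (e.g. `builtins.path { path = ...; sha256 = "<placeholder-from-vendor>"; }`)
  # so a swapped or corrupted .deb fails the build instead of being installed.
  src = /opt/CrowdStrike + "/ubuntu_${pname}_${version}_${arch}.deb";

  falcon-sensor = stdenv.mkDerivation {
    inherit version arch src;
    name = pname;
    # dpkg and the patchelf hook only run at build time, so they belong in
    # nativeBuildInputs; zlib stays a buildInput so autoPatchelfHook can
    # resolve the sensor's libz dependency in the extracted binaries.
    nativeBuildInputs = [ dpkg autoPatchelfHook ];
    buildInputs = [ zlib ];
    sourceRoot = ".";
    # `dpkg-deb -x` only unpacks the data archive; the package's maintainer
    # scripts are not executed.
    unpackPhase = ''
      dpkg-deb -x $src .
    '';
    # The extracted tree (opt/, etc/, ...) is copied verbatim into the output.
    installPhase = ''
      cp -r . $out
    '';
    meta = with lib; {
      description = "Crowdstrike Falcon Sensor";
      homepage = "https://www.crowdstrike.com/";
      license = licenses.unfree;
      platforms = platforms.linux;
      maintainers = with maintainers; [ klden ];
    };
  };
in buildFHSUserEnv {
  name = "fs-bash";
  # Runtime libraries the sensor links against, made visible inside the FHS env.
  targetPkgs = pkgs: [ libnl openssl zlib ];
  # Link the sensor's top-level directories next to bin/fs-bash so callers can
  # reach e.g. <this-output>/opt/CrowdStrike through this single derivation.
  extraInstallCommands = ''
    ln -s ${falcon-sensor}/* $out/
  '';
  runScript = "bash";
}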
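{ pkgs, ... }:
# NixOS module that runs the CrowdStrike Falcon sensor (falcond) as a systemd
# service inside the FHS wrapper (`fs-bash`) built by ./falcon.
let
  falcon = pkgs.callPackage ./falcon { };

  # Both helper binaries are taken from the coreutils store path so the
  # pre-start script neither depends on the unit's PATH (previously `ln`) nor
  # on the current system profile (previously /run/current-system/sw/bin/mkdir).
  coreutilsBin = "${pkgs.coreutils}/bin";

  # Pre-start: expose the sensor's files at the fixed /opt/CrowdStrike path the
  # vendor binaries expect, then read the configured CID back.
  # `falconctl -g --cid` only prints the CID, it does not set one. Because it is
  # the script's last command, its exit status is the script's; systemd aborts
  # the start of falcond if ExecStartPre exits non-zero.
  # NOTE(review): `ln -sf` refreshes existing names but does not remove links
  # left over from an older sensor version — verify /opt/CrowdStrike after an
  # upgrade if stale files matter to you.
  startPreScript = pkgs.writeScript "init-falcon" ''
    #! ${pkgs.bash}/bin/sh
    ${coreutilsBin}/mkdir -p /opt/CrowdStrike
    ${coreutilsBin}/ln -sf ${falcon}/opt/CrowdStrike/* /opt/CrowdStrike
    ${falcon}/bin/fs-bash -c "${falcon}/opt/CrowdStrike/falconctl -g --cid"
  '';
in {
  systemd.services.falcon-sensor = {
    enable = true;
    description = "CrowdStrike Falcon Sensor";
    # Start early in boot (before sysinit.target) rather than with the default
    # dependency set, and stop cleanly on shutdown.
    unitConfig.DefaultDependencies = false;
    after = [ "local-fs.target" ];
    conflicts = [ "shutdown.target" ];
    before = [ "sysinit.target" "shutdown.target" ];
    serviceConfig = {
      ExecStartPre = "${startPreScript}";
      # falcond is launched through the FHS wrapper so it sees /lib, /usr etc.
      ExecStart = "${falcon}/bin/fs-bash -c \"${falcon}/opt/CrowdStrike/falcond\"";
      # falcond daemonizes itself and writes its PID file; systemd tracks that PID.
      Type = "forking";
      PIDFile = "/run/falcond.pid";
      # NOTE(review): with Restart = "no" an unexpected falcond exit leaves the
      # host without sensor coverage until a manual start or reboot; consider
      # Restart = "on-failure" if that matches your policy for this EDR agent.
      Restart = "no";
      TimeoutStopSec = "60s";
      # Only the main process receives the stop signal; child processes are
      # left to exit on their own.
      KillMode = "process";
    };
    wantedBy = [ "multi-user.target" ];
  };
}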
I know CrowdStrike's unit definition has `-g --cid` in the pre-start section, but I imagine that's intended to just be an assertion that the CID is set. I changed mine to just ensure the CID is set:
${env}/bin/setup -c "${crowdstrike}/opt/CrowdStrike/falconctl -s -f --trace=debug --cid=some-secret-value
That makes sense. I wasn't aware of all the possible flags they offered and just used the default values from their unit service. 👍 I hope you were able to make it work on your end!
I should hear back from the security team today 🤞
Thanks again for posting yours as a reference
Hey, I'm a bit new to NixOS and I'm not quite sure where I'd put these files or how to invoke them. Do I reference them via environment.systemPackages, or by just referencing them directly with an import? Do I need to run nix build? I'm at a bit of a loss and would appreciate any help.
Hey! The files should be placed where your nix configuration is located. If you are using a flake, you should be able to just import ./falcon.nix (here's how I imported it in the past: https://github.com/klDen/nixos-conf/blob/5dca471ef23f9867cfe709d10f4c14321ef766ea/flake.nix#L120).
falcon.nix
falcon/default.nix
Afterward you should be able to follow the commands in https://gist.github.com/klDen/c90d9798828e31fecbb603f85e27f4f1?permalink_comment_id=4191680#gistcomment-4191680.
I'm not using crowdstrike anymore so it may not work with the latest versions :/
This seems to work great with the latest version 7. Thank you so much!
Glad it worked well for you!
`-g` should get the value (if it's set at all). `-s -f --trace=debug` should set it. You can try the following experiment