-
-
Save ravloony/2f5682fad481168dfb5778e911f47bee to your computer and use it in GitHub Desktop.
{ stdenv, dpkg, fetchurl, openssl, libnl, buildFHSUserEnv,... }: | |
stdenv.mkDerivation { | |
name = "falcon-sensor"; | |
version = "4.18.0-6402"; | |
arch = "amd64"; | |
src = fetchurl { | |
url = "https://storage.googleapis.com/company-tools/falcon-sensor/falcon-sensor_4.18.0-6402_amd64.deb"; | |
sha512 = "dc41cfe0232124480abdcf456df9a3bd6cab62716bc5beea089fbf99ac2e29bf1e1a44676591a71eeb35afe7f25e495b53ede007cfc15dcbf47df7ec0a016098"; | |
}; | |
buildInputs = [ dpkg ]; | |
sourceRoot = "."; | |
unpackCmd = '' | |
dpkg-deb -x "$src" . | |
''; | |
installPhase = '' | |
cp -r ./ $out/ | |
realpath $out | |
''; | |
meta = with stdenv.lib; { | |
description = "Crowdstrike Falcon Sensor"; | |
homepage = "https://www.crowdstrike.com/"; | |
license = licenses.unfree; | |
platforms = platforms.linux; | |
maintainers = with maintainers; [ ravloony ]; | |
}; | |
} |
{ pkgs, ... }: | |
let | |
falcon = pkgs.callPackage ./falcon { }; | |
falcon-env = pkgs.buildFHSUserEnv { | |
name = "falcon-sensor"; | |
targetPkgs = pkgs: [ pkgs.libnl pkgs.openssl ]; | |
runScript = "bash"; | |
}; | |
script = pkgs.writeScript "init-falcon" '' | |
#! ${pkgs.bash}/bin/sh | |
${falcon-env}/bin/falcon-sensor ${falcon}/opt/CrowdStrike/falconctl -g --cid | |
''; | |
in | |
{ | |
systemd.services.falcon-sensor = { | |
enable = true; | |
description = "CrowdStrike Falcon Sensor"; | |
after = [ "local-fs.target" ]; | |
conflicts = [ "shutdown.target" ]; | |
before = [ "shutdown.target" ]; | |
serviceConfig = { | |
ExecStartPre = "${script}"; | |
ExecStart = "${falcon-env}/bin/falcon-sensor ${falcon}/opt/CrowdStrike/falcond"; | |
Type = "forking"; | |
PIDFile = "/var/run/falcond.pid"; | |
Restart = "no"; | |
}; | |
wantedBy = [ "multi-user.target" ]; | |
}; | |
} |
Any chance you can submit it to NUR?
@joehealy I successfully run this using those templates. Small modifications I did were
- "falcon-sensor" -> "falcon-sensor -c" (since falcon-sensor is bash starting env
- I changed PIDFile to /run/falcond.pid
- not sure if needed, but on start I copy files into /opt/CrowdStrike
- on start you need to create /opt/CrowdStrike, it requires that directory for falconctl -s command (it puts config there)
- I have added autoPatchElf hook into package building
Any reason not to package this up as a module for NixOS? I need to run CrowdStrike for work, and I'd like to be using NixOS...
@spinus can you post a gist of your configuration?
Would be interested to see your modifications as well @spinus !
Here's a working setup with @spinus modifications: https://gist.github.com/klDen/c90d9798828e31fecbb603f85e27f4f1
@klDen thanks for sharing.
https://gist.github.com/spinus/be0ca03def0c856ada86b16d1727d09d that's one I use. Very similar to yours.
@wpcarro FYI
I had to fiddle with this a bit, this is my config:
https://gitlab.com/JanKaifer/nixos/-/tree/main/modules/falcon-sensor
https://gitlab.com/JanKaifer/nixos/-/blob/82d9d9d7d7172679d0f476fda0bab20a712b15c8/modules/falcon-sensor/readme.md
I found out that crowdstrike will /still/ run in reduced functionality mode (essentially doing nothing) because it asserts that the kernel you're running matches a whitelist of kernels that they support
IOW - we're switching off of NixOS to Debian per security team's recommendations
@jankaifer ripped your configs, thanks, though added a CID in init script: https://github.com/ivankovnatsky/nixos-config/blob/main/modules/falcon-sensor.nix#L25.
If someone is trying to use any of the shared gist after NixOS release 23.05 you will experience problems, there is a backward incompatible change to buildFHSUserEnv
, its now called buildFHSEnv
(nix) and uses FlatPak’s Bubblewrap sandboxing tool.
The PID written in /run/falcond.pid
will now be the PID from the namespace CrowdStrike is running in rather than the host PID.
To have the host PID written, you need to set unsharePid = false;
in buildFHSEnv
.
Example:
...
buildFHSEnv {
name = "fs-bash";
unsharePid = false;
targetPkgs = pkgs: [ libnl openssl zlib ];
extraInstallCommands = ''
ln -s ${falcon-sensor}/* $out/
'';
runScript = "bash";
}
@thall Thanks for sharing! Though for me it still does not start, not sure why:
Jul 21 16:00:26 <redacted-host-name> falcon-sensor[1219494]: Running /opt/CrowdStrike/falcon-sensor-bpf
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: No traceLevel set via falconctl defaulting to none
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: LogLevelUpdate: none = trace level 0.
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: CrowdStrike(11): Error loading config 1: c0000001
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: CrowdStrike(11): Initilize Configuration failed. c0000001
Jul 21 16:00:26 <redacted-host-name> falcond[1219493]: falcon-sensor[1219494] exited with status 1
Jul 21 16:00:26 <redacted-host-name> falcond[1219493]: exiting
Jul 21 16:00:26 <redacted-host-name> systemd[1]: falcon-sensor.service: Deactivated successfully.
References:
- https://github.com/ivankovnatsky/nixos-config/blob/main/overlays/falcon-sensor.nix#L45
- https://github.com/ivankovnatsky/nixos-config/blob/main/modules/falcon-sensor.nix#L7
But, yeah, probably since they don't support NixOS, not sure if that is worth it.
Did you ever succeed with this?