Falcon package

falcon-default.nix

{ stdenv, dpkg, fetchurl, openssl, libnl, buildFHSUserEnv,... }:

stdenv.mkDerivation {
  name = "falcon-sensor";
  version = "4.18.0-6402";
  arch = "amd64";
  src = fetchurl {
    url = "https://storage.googleapis.com/company-tools/falcon-sensor/falcon-sensor_4.18.0-6402_amd64.deb";
    sha512 = "dc41cfe0232124480abdcf456df9a3bd6cab62716bc5beea089fbf99ac2e29bf1e1a44676591a71eeb35afe7f25e495b53ede007cfc15dcbf47df7ec0a016098";
  };

  buildInputs = [ dpkg ];

  sourceRoot = ".";

  unpackCmd = ''
      dpkg-deb -x "$src" .
  '';

  installPhase = ''
      cp -r ./ $out/
      realpath $out
  '';

  meta = with stdenv.lib; {
    description = "Crowdstrike Falcon Sensor";
    homepage    = "https://www.crowdstrike.com/";
    license     = licenses.unfree;
    platforms   = platforms.linux;
    maintainers = with maintainers; [ ravloony ];
  };
}

falcon.nix

{  pkgs, ... }:
let
  falcon = pkgs.callPackage ./falcon { };

  falcon-env = pkgs.buildFHSUserEnv {
    name = "falcon-sensor";
    targetPkgs = pkgs: [ pkgs.libnl pkgs.openssl ];
    runScript = "bash";
  };

  script = pkgs.writeScript "init-falcon" ''
    #! ${pkgs.bash}/bin/sh
    ${falcon-env}/bin/falcon-sensor ${falcon}/opt/CrowdStrike/falconctl -g --cid
  '';

    in
  {
    systemd.services.falcon-sensor = {
      enable = true;
      description = "CrowdStrike Falcon Sensor";
      after = [ "local-fs.target" ];
      conflicts = [ "shutdown.target" ];
      before = [ "shutdown.target" ];
      serviceConfig = {
        ExecStartPre = "${script}";
        ExecStart = "${falcon-env}/bin/falcon-sensor ${falcon}/opt/CrowdStrike/falcond";
        Type = "forking";
        PIDFile = "/var/run/falcond.pid";
        Restart = "no";
      };
      wantedBy = [ "multi-user.target" ];
    };
  }

IOW - we're switching off of NixOS to Debian per security team's recommendations

@jankaifer ripped your configs, thanks, though added a CID in init script: https://github.com/ivankovnatsky/nixos-config/blob/main/modules/falcon-sensor.nix#L25.

If someone is trying to use any of the shared gist after NixOS release 23.05 you will experience problems, there is a backward incompatible change to buildFHSUserEnv, its now called buildFHSEnv (nix) and uses FlatPak’s Bubblewrap sandboxing tool.
The PID written in /run/falcond.pid will now be the PID from the namespace CrowdStrike is running in rather than the host PID.

To have the host PID written, you need to set unsharePid = false; in buildFHSEnv.

Example:

...
buildFHSEnv {
  name = "fs-bash";
  unsharePid = false;
  targetPkgs = pkgs: [ libnl openssl zlib ];

  extraInstallCommands = ''
    ln -s ${falcon-sensor}/* $out/
  '';

  runScript = "bash";
}

@thall Thanks for sharing! Though for me it still does not start, not sure why:

Jul 21 16:00:26 <redacted-host-name> falcon-sensor[1219494]: Running /opt/CrowdStrike/falcon-sensor-bpf
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: No traceLevel set via falconctl defaulting to none
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: LogLevelUpdate: none = trace level 0.
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: CrowdStrike(11): Error loading config  1: c0000001
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: CrowdStrike(11): Initilize Configuration failed. c0000001
Jul 21 16:00:26 <redacted-host-name> falcond[1219493]: falcon-sensor[1219494] exited with status 1
Jul 21 16:00:26 <redacted-host-name> falcond[1219493]: exiting
Jul 21 16:00:26 <redacted-host-name> systemd[1]: falcon-sensor.service: Deactivated successfully.

References:

• https://github.com/ivankovnatsky/nixos-config/blob/main/overlays/falcon-sensor.nix#L45
• https://github.com/ivankovnatsky/nixos-config/blob/main/modules/falcon-sensor.nix#L7

But, yeah, probably since they don't support NixOS, not sure if that is worth it.

anyone got falcon-sensor running? None of the above make it work for me