-
-
Save ravloony/2f5682fad481168dfb5778e911f47bee to your computer and use it in GitHub Desktop.
| { stdenv, dpkg, fetchurl, openssl, libnl, buildFHSUserEnv,... }: | |
| stdenv.mkDerivation { | |
| name = "falcon-sensor"; | |
| version = "4.18.0-6402"; | |
| arch = "amd64"; | |
| src = fetchurl { | |
| url = "https://storage.googleapis.com/company-tools/falcon-sensor/falcon-sensor_4.18.0-6402_amd64.deb"; | |
| sha512 = "dc41cfe0232124480abdcf456df9a3bd6cab62716bc5beea089fbf99ac2e29bf1e1a44676591a71eeb35afe7f25e495b53ede007cfc15dcbf47df7ec0a016098"; | |
| }; | |
| buildInputs = [ dpkg ]; | |
| sourceRoot = "."; | |
| unpackCmd = '' | |
| dpkg-deb -x "$src" . | |
| ''; | |
| installPhase = '' | |
| cp -r ./ $out/ | |
| realpath $out | |
| ''; | |
| meta = with stdenv.lib; { | |
| description = "Crowdstrike Falcon Sensor"; | |
| homepage = "https://www.crowdstrike.com/"; | |
| license = licenses.unfree; | |
| platforms = platforms.linux; | |
| maintainers = with maintainers; [ ravloony ]; | |
| }; | |
| } |
| { pkgs, ... }: | |
| let | |
| falcon = pkgs.callPackage ./falcon { }; | |
| falcon-env = pkgs.buildFHSUserEnv { | |
| name = "falcon-sensor"; | |
| targetPkgs = pkgs: [ pkgs.libnl pkgs.openssl ]; | |
| runScript = "bash"; | |
| }; | |
| script = pkgs.writeScript "init-falcon" '' | |
| #! ${pkgs.bash}/bin/sh | |
| ${falcon-env}/bin/falcon-sensor ${falcon}/opt/CrowdStrike/falconctl -g --cid | |
| ''; | |
| in | |
| { | |
| systemd.services.falcon-sensor = { | |
| enable = true; | |
| description = "CrowdStrike Falcon Sensor"; | |
| after = [ "local-fs.target" ]; | |
| conflicts = [ "shutdown.target" ]; | |
| before = [ "shutdown.target" ]; | |
| serviceConfig = { | |
| ExecStartPre = "${script}"; | |
| ExecStart = "${falcon-env}/bin/falcon-sensor ${falcon}/opt/CrowdStrike/falcond"; | |
| Type = "forking"; | |
| PIDFile = "/var/run/falcond.pid"; | |
| Restart = "no"; | |
| }; | |
| wantedBy = [ "multi-user.target" ]; | |
| }; | |
| } |
Would be interested to see your modifications as well @spinus !
Here's a working setup with @spinus modifications: https://gist.github.com/klDen/c90d9798828e31fecbb603f85e27f4f1
@klDen thanks for sharing.
https://gist.github.com/spinus/be0ca03def0c856ada86b16d1727d09d that's one I use. Very similar to yours.
@wpcarro FYI
I had to fiddle with this a bit, this is my config:
https://gitlab.com/JanKaifer/nixos/-/tree/main/modules/falcon-sensor
https://gitlab.com/JanKaifer/nixos/-/blob/82d9d9d7d7172679d0f476fda0bab20a712b15c8/modules/falcon-sensor/readme.md
I found out that crowdstrike will /still/ run in reduced functionality mode (essentially doing nothing) because it asserts that the kernel you're running matches a whitelist of kernels that they support
IOW - we're switching off of NixOS to Debian per security team's recommendations
@jankaifer ripped your configs, thanks, though added a CID in init script: https://github.com/ivankovnatsky/nixos-config/blob/main/modules/falcon-sensor.nix#L25.
If someone is trying to use any of the shared gist after NixOS release 23.05 you will experience problems, there is a backward incompatible change to buildFHSUserEnv, its now called buildFHSEnv (nix) and uses FlatPak’s Bubblewrap sandboxing tool.
The PID written in /run/falcond.pid will now be the PID from the namespace CrowdStrike is running in rather than the host PID.
To have the host PID written, you need to set unsharePid = false; in buildFHSEnv.
Example:
...
buildFHSEnv {
name = "fs-bash";
unsharePid = false;
targetPkgs = pkgs: [ libnl openssl zlib ];
extraInstallCommands = ''
ln -s ${falcon-sensor}/* $out/
'';
runScript = "bash";
}
@thall Thanks for sharing! Though for me it still does not start, not sure why:
Jul 21 16:00:26 <redacted-host-name> falcon-sensor[1219494]: Running /opt/CrowdStrike/falcon-sensor-bpf
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: No traceLevel set via falconctl defaulting to none
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: LogLevelUpdate: none = trace level 0.
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: CrowdStrike(11): Error loading config 1: c0000001
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: CrowdStrike(11): Initilize Configuration failed. c0000001
Jul 21 16:00:26 <redacted-host-name> falcond[1219493]: falcon-sensor[1219494] exited with status 1
Jul 21 16:00:26 <redacted-host-name> falcond[1219493]: exiting
Jul 21 16:00:26 <redacted-host-name> systemd[1]: falcon-sensor.service: Deactivated successfully.
References:
- https://github.com/ivankovnatsky/nixos-config/blob/main/overlays/falcon-sensor.nix#L45
- https://github.com/ivankovnatsky/nixos-config/blob/main/modules/falcon-sensor.nix#L7
But, yeah, probably since they don't support NixOS, not sure if that is worth it.
anyone got falcon-sensor running? None of the above make it work for me
@spinus can you post a gist of your configuration?