@klDen
Forked from ravloony/falcon-default.nix
Last active April 5, 2024 17:06
Falcon package

falcon/default.nix:

{ stdenv, lib, pkgs, dpkg,
  openssl, libnl, zlib,
  fetchurl, autoPatchelfHook, buildFHSUserEnv, writeScript, ... }:
let
  pname = "falcon-sensor";
  version = "6.31.0-12803";
  arch = "amd64";
  # The vendor .deb is not fetched; it is read from /opt/CrowdStrike on the build host,
  # where it has to be placed by hand before building.
  src = /opt/CrowdStrike + "/ubuntu_${pname}_${version}_${arch}.deb";
  falcon-sensor = stdenv.mkDerivation {
    inherit version arch src;
    name = pname;
    buildInputs = [ dpkg zlib autoPatchelfHook ];
    sourceRoot = ".";
    # Unpack the .deb as-is; autoPatchelfHook then fixes up the ELF interpreter/rpath.
    unpackPhase = ''
      dpkg-deb -x $src .
    '';
    installPhase = ''
      cp -r . $out
    '';
    meta = with lib; {
      description = "Crowdstrike Falcon Sensor";
      homepage = "https://www.crowdstrike.com/";
      license = licenses.unfree;
      platforms = platforms.linux;
      maintainers = with maintainers; [ klden ];
    };
  };
# The sensor expects an FHS layout, so it is run inside a chroot-like user env
# that provides the libraries it links against.
in buildFHSUserEnv {
  name = "fs-bash";
  targetPkgs = pkgs: [ libnl openssl zlib ];
  extraInstallCommands = ''
    ln -s ${falcon-sensor}/* $out/
  '';
  runScript = "bash";
}
falcon.nix:

{ pkgs, ... }:
let
  falcon = pkgs.callPackage ./falcon { };
  # Pre-start: expose the sensor files under /opt/CrowdStrike and check that a CID is configured.
  startPreScript = pkgs.writeScript "init-falcon" ''
    #! ${pkgs.bash}/bin/sh
    /run/current-system/sw/bin/mkdir -p /opt/CrowdStrike
    ln -sf ${falcon}/opt/CrowdStrike/* /opt/CrowdStrike
    ${falcon}/bin/fs-bash -c "${falcon}/opt/CrowdStrike/falconctl -g --cid"
  '';
in {
  systemd.services.falcon-sensor = {
    enable = true;
    description = "CrowdStrike Falcon Sensor";
    unitConfig.DefaultDependencies = false;
    after = [ "local-fs.target" ];
    conflicts = [ "shutdown.target" ];
    before = [ "sysinit.target" "shutdown.target" ];
    serviceConfig = {
      ExecStartPre = "${startPreScript}";
      ExecStart = "${falcon}/bin/fs-bash -c \"${falcon}/opt/CrowdStrike/falcond\"";
      Type = "forking";
      PIDFile = "/run/falcond.pid";
      Restart = "no";
      TimeoutStopSec = "60s";
      KillMode = "process";
    };
    wantedBy = [ "multi-user.target" ];
  };
}
@klDen
Author

klDen commented Jun 7, 2022

# First put deb package to /opt/CrowdStrike dir
sudo mkdir /opt/CrowdStrike
sudo mv ~/Downloads/ubuntu_falcon-sensor_6.31.0-12803_amd64.deb /opt/CrowdStrike

...
# install falcon-sensor derivation e.g. nixos-rebuild or flake
...

# activate your CID if needed
sudo `find /nix/store -name "falconctl" 2>/dev/null`  -f -s --cid='YOUR_CID'

# restart service
sudo systemctl restart falcon-sensor
sudo systemctl status falcon-sensor # service should be active and running

@wpcarro

wpcarro commented Jul 13, 2022

Thanks for sharing this. I'm running journalctl -lu falcon-sensor and seeing:

Unable to open falconctl log file /var/log/falconctl.log

Do you have the same logs?

@wpcarro

wpcarro commented Jul 13, 2022

I'm also seeing some worrying logs with:

λ sudo tail -f /var/log/falcon-sensor.log 
Tue Jul 12 18:49:10 2022 Couldn't open file /proc/falcon_nf_netcontain/rules: ERRNO=2 ()        (398091) [324]
Tue Jul 12 18:49:10 2022 Failed to fetch rules from proc: STATUS=0xC0000034        (398091) [1298]
Tue Jul 12 18:49:10 2022 Failed to fetch network containment rules: STATUS=0xC0000034   (398091) [210]
Tue Jul 12 18:49:10 2022 Failed to refresh active rules from userspace  (398091) [588]
Tue Jul 12 18:49:10 2022 Could not enumerate existing rules: STATUS=0xC0000034  (398091) [382]
Tue Jul 12 18:49:10 2022 NFI wasn't ready: STATUS=0xC0000034    (398091) [2101]
Tue Jul 12 18:49:10 2022 Failed to allow DNS; proceeding anyway: STATUS=0xC0000034      (398091) [437]
Tue Jul 12 18:49:25 2022 Unable to resolve address, getaddrinfo returned -2     (398091) [493]
Tue Jul 12 18:49:25 2022 Failed to setup socket! Returned STATUS=0xC0000001     (398091) [1739]

@klDen
Author

klDen commented Jul 13, 2022

Hey @wpcarro, here's my log snippet from

> ls -la /var/log/falcon-sensor.log
.rw------- 0 root  7 Jun 02:00 /var/log/falcon-sensor.log

(nothing in /var/log/falcon-sensor.log)

and

journalctl -lu falcon-sensor:

...
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud starts
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: ts01-b.cloudsink.net:443
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): Could not retrieve DisableProxy value: c0000XXX
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectWithProxy: Unable to get application proxy host from CsConfig: c0000XXX
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: Unable to connect to ts01-b.cloudsink.net:38864 via Application Proxy: c0000225
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): trying to connect to ts01-b.cloudsink.net:443
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): Connected directly to ts01-b.cloudsink.net:443
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): ValidateCertificate: Certificate verified!
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): SSLSocket connected successfully to ts01-b.cloudsink.net:443
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): sock/ssl/proxy cnctd ok. First send to cloud.
Jul 12 20:45:43 x1e3 falcon-sensor[1080]: CrowdStrike(4): CLOUDPROTO_ESTABLISHED. AgentId unchanged
Jul 12 20:45:43 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud successful.
Jul 12 20:54:54 x1e3 falcon-sensor[1080]: CrowdStrike(4): calling SSL_shutdown
Jul 12 20:54:54 x1e3 falcon-sensor[1080]: CrowdStrike(4): SSLSocket Disconnected from Cloud.
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud starts
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: ts01-b.cloudsink.net:443
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): Could not retrieve DisableProxy value: c0000XXX
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectWithProxy: Unable to get application proxy host from CsConfig: c0000XXX
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: Unable to connect to ts01-b.cloudsink.net:38864 via Application Proxy: c0000XXX
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): trying to connect to ts01-b.cloudsink.net:443
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): Connected directly to ts01-b.cloudsink.net:443
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): ValidateCertificate: Certificate verified!
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): SSLSocket connected successfully to ts01-b.cloudsink.net:443
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): sock/ssl/proxy cnctd ok. First send to cloud.
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): CLOUDPROTO_ESTABLISHED. AgentId unchanged
Jul 12 20:55:26 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud successful.

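The two log shapes above (wpcarro's failing /var/log/falcon-sensor.log excerpt and klDen's healthy journalctl excerpt) can be triaged mechanically. The helper below is an added example, not part of the gist; the sample lines it embeds are constructed from the excerpts in this thread, and the "errors"/"cloud" verdict format is my own.

```shell
# Added example (not from the gist): triage a falcon-sensor log or journal excerpt.
# Sample lines are constructed from the thread's excerpts, not live sensor output.

# Count lines that report a failure: an NTSTATUS-style error code (0xC...),
# or the "Failed to" / "Unable to" / "Couldn't open" phrasing the sensor uses.
falcon_error_count() {
  grep -Ec "STATUS=0x[Cc]|Failed to|Unable to|Couldn't open" "$1" || true
}

# Decide the cloud connection state from the most recent decisive line:
# "ConnectToCloud successful." wins over an earlier proxy failure, while a
# trailing "Failed to setup socket" means the sensor never reached the cloud.
falcon_cloud_state() {
  last=$(grep -E 'ConnectToCloud successful|Failed to setup socket|SSLSocket Disconnected' "$1" | tail -n 1)
  case "$last" in
    *'ConnectToCloud successful'*) echo connected ;;
    *'Failed to setup socket'*)    echo failed ;;
    *'SSLSocket Disconnected'*)    echo disconnected ;;
    *)                             echo unknown ;;
  esac
}

# One-line verdict for a log file, e.g. "errors=4 cloud=failed".
falcon_triage() {
  echo "errors=$(falcon_error_count "$1") cloud=$(falcon_cloud_state "$1")"
}

# Constructed samples: the failing sensor log ($1) and the healthy journal excerpt ($2).
write_samples() {
  cat > "$1" <<'EOF'
Tue Jul 12 18:49:10 2022 Couldn't open file /proc/falcon_nf_netcontain/rules: ERRNO=2 () (398091) [324]
Tue Jul 12 18:49:10 2022 Failed to fetch network containment rules: STATUS=0xC0000034 (398091) [210]
Tue Jul 12 18:49:25 2022 Unable to resolve address, getaddrinfo returned -2 (398091) [493]
Tue Jul 12 18:49:25 2022 Failed to setup socket! Returned STATUS=0xC0000001 (398091) [1739]
EOF
  cat > "$2" <<'EOF'
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud starts
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): SslConnect: Unable to connect to ts01-b.cloudsink.net:38864 via Application Proxy: c0000225
Jul 12 20:45:42 x1e3 falcon-sensor[1080]: CrowdStrike(4): Connected directly to ts01-b.cloudsink.net:443
Jul 12 20:45:43 x1e3 falcon-sensor[1080]: CrowdStrike(4): ConnectToCloud successful.
EOF
}

# Stand-alone run: write the samples to a temp dir and triage both files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir/falcon-sensor.log" "$demo_dir/journal.log"
falcon_triage "$demo_dir/falcon-sensor.log"   # errors=4 cloud=failed
falcon_triage "$demo_dir/journal.log"         # errors=1 cloud=connected
```

On a real host, point falcon_triage at /var/log/falcon-sensor.log or at the output of journalctl -lu falcon-sensor to get the same verdict.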
@klDen
Author

klDen commented Jul 13, 2022

Couldn't open file /proc/falcon_nf_netcontain/rules

I don't have this file on my system. Are you using the same falcon-sensor version?

@wpcarro

wpcarro commented Jul 13, 2022

Are you using the same falcon-sensor version?

I'm using Crowdstrike_falcon-sensor_6.35.0-13207_amd64.deb

Maybe my /var/log/falcon-sensor.log is populated because I'm passing -s -f --trace=debug as a flag (in addition to the flags you defined).

My journalctl -lu falcon-sensor appears more or less similar to yours, and I think my unit is stable (it's been running for O(hours) at the time of me writing this). I'll need to check with the security team to make sure it's working as they intend.

I'm less concerned (but still ~curious) why my logs are complaining about /var/log/falconctl.log:

Unable to open falconctl log file /var/log/falconctl.log

@klDen
Author

klDen commented Jul 13, 2022

Looks like -g and -s are mutually exclusive, I got the following error:

Jul 13 00:26:31 x1e3 systemd[1]: Starting CrowdStrike Falcon Sensor...
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: ERROR: -g and -s and -d are mutually exclusive
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: Usage: falconctl -g GET_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:        falconctl -s [ -f ] SET_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:        falconctl -d [ -f ] DEL_OPTIONS
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where GET_OPTIONS := { --cid for CustomerId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aid for AgentId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --apd for App Proxy Disable |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aph for App Proxy Host |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --app for App Proxy Port |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --rfm-state for indicating whether the sensor is in Reduced Functionality Mode |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --rfm-reason to determine reason for sensor running in Reduced Functionality Mode |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --trace for determining the configured trace level |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --feature to determine the configured sensor feature flags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --metadata-query to determine the configured sensor cloud provider metadata query flags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --version for version of sensor currently running |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --message-log for logging messages to disk |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --billing to configure the sensor billing type |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --tags for sensor grouping tags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --provisioning-token for Provisioning Token |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --systags for system tags currently applied to a running sensor }
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where SET_OPTIONS := { --cid="{<uuid string>}" |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --apd=true | --apd=false |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aph=<app proxy host name> |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --app=<app proxy port> |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --trace=[none|err|warn|info|debug] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --feature=[none,[enableLog[,disableLogBuffer[,disableOsfm[,emulateUpdate]]]]] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --metadata-query=[[dis|en]able|[dis|en]ableAWS[,[dis|en]ableAzure[,[dis|en]ableGCP]]] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --update SIGHUP the sensor for immediate trace/feature update |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --message-log=true | --message-log=false |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --billing=[default|metered] |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --tags=<comma separated list of tags for sensor grouping> (allowed characters: all alphanumerics, '/', '-', '_', and ',') |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --provisioning-token=<provisioning token value> }
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]: where DEL_OPTIONS := { --cid for CustomerId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aid for AgentId |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --apd for App Proxy Disable |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --aph for App Proxy Host |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --app for App Proxy Port |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --trace for determining the configured trace level |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --billing to configure the sensor billing type |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --tags for sensor grouping tags |
Jul 13 00:26:31 x1e3 gwmgd09hfqmsm6hb84habwbm7khd1pql-init-falcon[659350]:                        --provisioning-token for Provisioning Token }

Also I tried adding --trace=debug (falconctl -g --trace=debug --cid), but couldn't get any logs populated in /var/log/falcon-sensor.log.
Finally, when I try to delete the log file and restart the service, the file gets recreated with no content in it 🤔.

@wpcarro

wpcarro commented Jul 13, 2022

-g should get the value (if it's set at all). -s -f --trace=debug should set it. You can try the following experiment:

$ find /nix/store -name 'falconctl' 2>/dev/null
# grab the store path
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -g --trace          # get it => nothing
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -s -f --trace=debug # set it
$ /nix/store/abc123-blah/opt/CrowdStrike/falconctl -g --trace          # get it => something
trace=debug.

@wpcarro

wpcarro commented Jul 13, 2022

I know CrowdStrike's unit definition has -g --cid in the pre-start section, but I imagine that's intended to just be an assertion that the CID is set. I changed mine to just ensure the CID is set:

${env}/bin/setup -c "${crowdstrike}/opt/CrowdStrike/falconctl -s -f --trace=debug --cid=some-secret-value"

@klDen
Author

klDen commented Jul 13, 2022

That makes sense. I wasn't aware of all the possible flags they offered and just used the default values from their unit service. 👍 I hope you were able to make it work on your end!

@wpcarro

wpcarro commented Jul 13, 2022

I should hear back from the security team today 🤞

Thanks again for posting yours as a reference

@daniel-brenot

Hey, I'm a bit new to NixOS and I'm not quite sure where I'd put these files or how to invoke them. Do I reference them via environment.systemPackages or by just referencing it directly with an include? Do I need to run nix build? I'm just at a bit of a loss and would appreciate any help.

@klDen
Author

klDen commented Apr 4, 2024

Hey! The files should be placed where your nix configuration is located. If you are using a flake, you should be able to just import ./falcon.nix (here's how I imported it in the past: https://github.com/klDen/nixos-conf/blob/5dca471ef23f9867cfe709d10f4c14321ef766ea/flake.nix#L120).

falcon.nix
falcon/default.nix

Afterward you should be able to follow the commands in https://gist.github.com/klDen/c90d9798828e31fecbb603f85e27f4f1?permalink_comment_id=4191680#gistcomment-4191680.

I'm not using crowdstrike anymore so it may not work with the latest versions :/

@daniel-brenot

This seems to work great with the latest version 7. Thank you so much!

@klDen
Author

klDen commented Apr 5, 2024

Glad it worked well for you!
