Last active
November 21, 2024 01:55
-
-
Save ravloony/2f5682fad481168dfb5778e911f47bee to your computer and use it in GitHub Desktop.
Falcon package
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { stdenv, dpkg, fetchurl, openssl, libnl, buildFHSUserEnv,... }: | |
| stdenv.mkDerivation { | |
| name = "falcon-sensor"; | |
| version = "4.18.0-6402"; | |
| arch = "amd64"; | |
| src = fetchurl { | |
| url = "https://storage.googleapis.com/company-tools/falcon-sensor/falcon-sensor_4.18.0-6402_amd64.deb"; | |
| sha512 = "dc41cfe0232124480abdcf456df9a3bd6cab62716bc5beea089fbf99ac2e29bf1e1a44676591a71eeb35afe7f25e495b53ede007cfc15dcbf47df7ec0a016098"; | |
| }; | |
| buildInputs = [ dpkg ]; | |
| sourceRoot = "."; | |
| unpackCmd = '' | |
| dpkg-deb -x "$src" . | |
| ''; | |
| installPhase = '' | |
| cp -r ./ $out/ | |
| realpath $out | |
| ''; | |
| meta = with stdenv.lib; { | |
| description = "Crowdstrike Falcon Sensor"; | |
| homepage = "https://www.crowdstrike.com/"; | |
| license = licenses.unfree; | |
| platforms = platforms.linux; | |
| maintainers = with maintainers; [ ravloony ]; | |
| }; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { pkgs, ... }: | |
| let | |
| falcon = pkgs.callPackage ./falcon { }; | |
| falcon-env = pkgs.buildFHSUserEnv { | |
| name = "falcon-sensor"; | |
| targetPkgs = pkgs: [ pkgs.libnl pkgs.openssl ]; | |
| runScript = "bash"; | |
| }; | |
| script = pkgs.writeScript "init-falcon" '' | |
| #! ${pkgs.bash}/bin/sh | |
| ${falcon-env}/bin/falcon-sensor ${falcon}/opt/CrowdStrike/falconctl -g --cid | |
| ''; | |
| in | |
| { | |
| systemd.services.falcon-sensor = { | |
| enable = true; | |
| description = "CrowdStrike Falcon Sensor"; | |
| after = [ "local-fs.target" ]; | |
| conflicts = [ "shutdown.target" ]; | |
| before = [ "shutdown.target" ]; | |
| serviceConfig = { | |
| ExecStartPre = "${script}"; | |
| ExecStart = "${falcon-env}/bin/falcon-sensor ${falcon}/opt/CrowdStrike/falcond"; | |
| Type = "forking"; | |
| PIDFile = "/var/run/falcond.pid"; | |
| Restart = "no"; | |
| }; | |
| wantedBy = [ "multi-user.target" ]; | |
| }; | |
| } |
@jankaifer ripped your configs, thanks, though added a CID in init script: https://github.com/ivankovnatsky/nixos-config/blob/main/modules/falcon-sensor.nix#L25.
If someone is trying to use any of the shared gist after NixOS release 23.05 you will experience problems, there is a backward incompatible change to buildFHSUserEnv, its now called buildFHSEnv (nix) and uses FlatPak’s Bubblewrap sandboxing tool.
The PID written in /run/falcond.pid will now be the PID from the namespace CrowdStrike is running in rather than the host PID.
To have the host PID written, you need to set unsharePid = false; in buildFHSEnv.
Example:
...
buildFHSEnv {
name = "fs-bash";
unsharePid = false;
targetPkgs = pkgs: [ libnl openssl zlib ];
extraInstallCommands = ''
ln -s ${falcon-sensor}/* $out/
'';
runScript = "bash";
}
@thall Thanks for sharing! Though for me it still does not start, not sure why:
Jul 21 16:00:26 <redacted-host-name> falcon-sensor[1219494]: Running /opt/CrowdStrike/falcon-sensor-bpf
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: No traceLevel set via falconctl defaulting to none
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: LogLevelUpdate: none = trace level 0.
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: CrowdStrike(11): Error loading config 1: c0000001
Jul 21 16:00:26 <redacted-host-name> falcon-sensor-bpf[1219494]: CrowdStrike(11): Initilize Configuration failed. c0000001
Jul 21 16:00:26 <redacted-host-name> falcond[1219493]: falcon-sensor[1219494] exited with status 1
Jul 21 16:00:26 <redacted-host-name> falcond[1219493]: exiting
Jul 21 16:00:26 <redacted-host-name> systemd[1]: falcon-sensor.service: Deactivated successfully.
References:
- https://github.com/ivankovnatsky/nixos-config/blob/main/overlays/falcon-sensor.nix#L45
- https://github.com/ivankovnatsky/nixos-config/blob/main/modules/falcon-sensor.nix#L7
But, yeah, probably since they don't support NixOS, not sure if that is worth it.
anyone got falcon-sensor running? None of the above make it work for me
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
IOW - we're switching off of NixOS to Debian per security team's recommendations