104ru / crowdstrike

Puppet module to deploy and manage CrowdStrike agent

falcon_sensor regex doesn't work for all cases: #3

Closed jstraw closed 3 years ago

jstraw commented 3 years ago

I believe that this works better, but I'm really quite poor at regex and am not sure how to get tests working for this.

aid(?: is |=")(?<agent_id>[a-f0-9]*|not set)"?,\sapd(?:=|\sis\s)(?<proxy_disable>not\sset|TRUE|FALSE),\saph(?:=|\sis\s)(?<proxy_host>not\sset|[^,]+),\sapp(?:=|\sis\s)(?<proxy_port>not\sset|[^,]+),\srfm-state=(?<reduced_functionality_mode>true|false),\srfm-reason=(?<reduced_functionality_reason>[^,]+),\scode=0x[A-F0-9]+,\sversion\s=\s(?<version>[\d\.]+)(?:Sensor\sgrouping\s)?tags(?:=|\sare\s)(?<tags>.*),\s*

Here are 3 test cases from my environment (with the aid/cid replaced):

aid is not set, apd is not set, aph is not set, app is not set, rfm-state=true, rfm-reason=Unspecified, code=0xC0000001, version = 5.34.9918.0Sensor grouping tags are not set,
aid="ffffffffffffffffffffffffffffffff", apd is not set, aph is not set, app is not set, rfm-state=false, rfm-reason=None, code=0x0, version = 6.22.11906.0Sensor grouping tags are not set,
aid="eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", apd is not set, aph is not set, app is not set, rfm-state=false, rfm-reason=None, code=0x0, version = 6.24.12104.0tags=SensorGroupingTags/LogRelay,

The first run works OK (as falconctl doesn't exist) and it will properly run; it then fails to run facter on the second run and errors out on falconctl to install the cid because facter didn't produce facts.
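To see what the proposed regex actually extracts from each of the three quoted lines, here is an added Ruby example (not code from the 104ru/crowdstrike module) that runs it the way a Facter custom fact would; the sample lines are the ones quoted in this issue, and parse_falconctl is a hypothetical helper name. It also shows the failure mode a fact must guard against: a line the regex does not match yields nil rather than a MatchData.

```ruby
# Added example, not part of the 104ru/crowdstrike module.
# Regex as proposed in this issue, used as a Ruby literal.
FALCONCTL_RE = /aid(?: is |=")(?<agent_id>[a-f0-9]*|not set)"?,\sapd(?:=|\sis\s)(?<proxy_disable>not\sset|TRUE|FALSE),\saph(?:=|\sis\s)(?<proxy_host>not\sset|[^,]+),\sapp(?:=|\sis\s)(?<proxy_port>not\sset|[^,]+),\srfm-state=(?<reduced_functionality_mode>true|false),\srfm-reason=(?<reduced_functionality_reason>[^,]+),\scode=0x[A-F0-9]+,\sversion\s=\s(?<version>[\d\.]+)(?:Sensor\sgrouping\s)?tags(?:=|\sare\s)(?<tags>.*),\s*/

# The three falconctl output lines quoted in the issue (aid values are the
# placeholders used there, not real sensor ids).
SAMPLE_LINES = [
  'aid is not set, apd is not set, aph is not set, app is not set, rfm-state=true, rfm-reason=Unspecified, code=0xC0000001, version = 5.34.9918.0Sensor grouping tags are not set,',
  'aid="ffffffffffffffffffffffffffffffff", apd is not set, aph is not set, app is not set, rfm-state=false, rfm-reason=None, code=0x0, version = 6.22.11906.0Sensor grouping tags are not set,',
  'aid="eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", apd is not set, aph is not set, app is not set, rfm-state=false, rfm-reason=None, code=0x0, version = 6.24.12104.0tags=SensorGroupingTags/LogRelay,',
].freeze

# Parse one line of falconctl output into a Hash of fact names to values.
# Returns nil when the regex does not match, so a custom fact can decline to
# set a value instead of raising on a nil MatchData (the "facter didn't
# produce facts" symptom described above).
def parse_falconctl(line)
  m = FALCONCTL_RE.match(line)
  m && m.named_captures
end

# True when the sensor has already been registered with a customer id, i.e.
# aid holds a 32-char hex value rather than the "not set" sentinel.
def sensor_registered?(facts)
  return false if facts.nil?
  facts['agent_id'].to_s.match?(/\A[a-f0-9]{32}\z/)
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_LINES.each do |line|
    facts = parse_falconctl(line)
    puts "registered=#{sensor_registered?(facts)} facts=#{facts.inspect}"
  end
end
```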

104ru commented 3 years ago

Hi @jstraw. The first case you describe should never happen if you are deploying CrowdStrike using the module and could only occur if it has been installed manually and not configured. Second and third cases are being handled properly by the existing regex. Could you confirm that it is how you got this error, by installing CrowdStrike manually and then running puppet with this module included?

jstraw commented 3 years ago

That would explain it, my internal test system doesn't have the RPM available to it (doing acceptance tests with a docker image locally, so I was uploading the RPM and installing it before running puppet to confirm it would configure properly).


104ru commented 3 years ago

Thank you for confirming, @jstraw. I still think that your use case should be supported and I will update the module in a day or two after some internal testing. Appreciate your input!

104ru commented 3 years ago

@jstraw New version v1.2.3 released on forge. It should address the issue you have reported.