104ru / crowdstrike

Puppet module to deploy and manage CrowdStrike agent

Resource exec 'register-crowdstrike' error output command without switch -f and not idempotent #4

Closed anissmajlovic closed 3 years ago

anissmajlovic commented 3 years ago

Hello

I found an error when CS wants to register using the resource below:

  exec { 'register-crowdstrike':
    path    => '/usr/bin:/usr/sbin:/opt/CrowdStrike',
    command => "falconctl -s${cmd_cid}${cmd_proxy}${cmd_tags}",
    require => Package['falcon-sensor'],
    notify  => Service['falcon-sensor'],
  }

With output:

/opt/CrowdStrike/falconctl -s --cid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --apd=FALSE --aph=xxx.xxx.xxx.xxx --app=8080

CID is set, but -f was not specified
ERROR: failed to process the option --cid
Usage: falconctl -g GET_OPTIONS
       falconctl -s [ -f ] SET_OPTIONS
       falconctl -d [ -f ] DEL_OPTIONS
where GET_OPTIONS := { --cid for CustomerId
                     | --aid for AgentId
                     | --apd for App Proxy Disable
                     | --aph for App Proxy Host
                     | --app for App Proxy Port
                     | --rfm-state for indicating whether the sensor is in Reduced Functionality Mode
                     | --rfm-reason to determine reason for sensor running in Reduced Functionality Mode
                     | --trace for determining the configured trace level
                     | --feature to determine the configured sensor feature flags
                     | --version for version of sensor currently running
                     | --message-log for logging messages to disk
                     | --billing to configure the sensor billing type
                     | --tags for sensor grouping tags
                     | --provisioning-token for Provisioning Token
                     | --systags for system tags currently applied to a running sensor }
where SET_OPTIONS := { --cid="{}"
                     | --apd=true
                     | --apd=false
                     | --aph=
                     | --app=
                     | --trace=[none|err|warn|info|debug]
                     | --feature=[none,[enableLog[,disableLogBuffer[,disableOsfm[,emulateUpdate]]]]]
                     | --update SIGHUP the sensor for immediate trace/feature update
                     | --message-log=true
                     | --message-log=false
                     | --billing=[default|metered]
                     | --tags= (allowed characters: all alphanumerics, '/', '-', '_', and ',')
                     | --provisioning-token= }
where DEL_OPTIONS := { --cid for CustomerId
                     | --aid for AgentId
                     | --apd for App Proxy Disable
                     | --aph for App Proxy Host
                     | --app for App Proxy Port
                     | --trace for determining the configured trace level
                     | --billing to configure the sensor billing type
                     | --tags for sensor grouping tags
                     | --provisioning-token for Provisioning Token }

If I add the switch -f, then it is working:

  exec { 'register-crowdstrike':
    path    => '/usr/bin:/usr/sbin:/opt/CrowdStrike',
    command => "falconctl -sf${cmd_cid}${cmd_proxy}${cmd_tags}", # AS: added -f
    require => Package['falcon-sensor'],
    notify  => Service['falcon-sensor'],
  }

Then I also found that the same exec resource is not idempotent; basically, it runs on every `puppet agent -t`, so I added unless:

  exec { 'register-crowdstrike':
    path    => '/usr/bin:/usr/sbin:/opt/CrowdStrike',
    command => "falconctl -sf${cmd_cid}${cmd_proxy}${cmd_tags}", # AS: added -f
    unless  => "netstat -tapn|egrep '${proxy_host}:${proxy_port} .+ESTABLISHED .+falcon-sensor'", # AS: added whole line
    require => Package['falcon-sensor'],
    notify  => Service['falcon-sensor'],
  }

Is there a better way to fix this? For example, I am not sure what the switch -f is (maybe force) and why it is not idempotent.

Thank you in advance.

Kind regards

104ru commented 3 years ago

Please make sure you have the falcon_sensor fact deployed on the affected machine (/opt/puppetlabs/puppet/cache/lib/facter/falcon_sensor.rb) and if it is, please provide facter output (facter -jp falcon_sensor) as well as the output of falconctl: /opt/CrowdStrike/falconctl -g --aid --apd --aph --app --rfm-state --rfm-reason --version --tags. Thanks.

anissmajlovic commented 3 years ago

Hi

Your comment gave me an idea of what the problem was. The problem was that when I created another CrowdStrike module for Windows, I used the same file name falcon_sensor.rb, and with that there was a conflict where the facts for Linux didn't work anymore.

Now everything is working fine.

Thank you for your quick reply.