CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0

Using the API method downloads the wrong sensor version on Centos 7 #22

Closed clean-energyXOR closed 2 years ago

clean-energyXOR commented 3 years ago

While using Centos 7 and the API default method, the role downloads the sensor for Centos 8. Thus the package has dependency issues with the host and falcon-sensor will not install.

Expected

falcon-sensor-6.14.0-11110.el7.x86_64

Issue

falcon-sensor-6.14.0-11110.el8.x86_64 is downloaded

TASK [falcon : CrowdStrike Falcon | Install Falcon Sensor .rpm Package (Linux) name={{ non_win_pkg }}, state=present] ***************************************************************************************************************************************************************************************************************************************************************************************************************************
fatal: [10.60.70.54]: FAILED! => {"changed": false, "changes": {"installed": ["/opt/data/falcon/falcon-sensor-6.14.0-11110.el8.x86_64.rpm"]}, "msg": "Error: Package: falcon-sensor-6.14.0-11110.el8.x86_64 (/falcon-sensor-6.14.0-11110.el8.x86_64)\n           Requires: openssl-libs >= 1:1.1\n           Installed: 1:openssl-libs-1.0.2k-19.el7.x86_64 (installed)\n               openssl-libs = 1:1.0.2k-19.el7\n           Available: 1:openssl-libs-1.0.2k-21.el7_9.i686 (updates)\n               openssl-libs = 1:1.0.2k-21.el7_9\n", "rc": 1, "results": ["Loaded plugins: fastestmirror\nExamining /opt/data/falcon/falcon-sensor-6.14.0-11110.el8.x86_64.rpm: falcon-sensor-6.14.0-11110.el8.x86_64\nMarking /opt/data/falcon/falcon-sensor-6.14.0-11110.el8.x86_64.rpm to be installed\nResolving Dependencies\n--> Running transaction check\n---> Package falcon-sensor.x86_64 0:6.14.0-11110.el8 will be installed\n--> Processing Dependency: openssl-libs >= 1:1.1 for package: falcon-sensor-6.14.0-11110.el8.x86_64\nDetermining fastest mirrors\n * base: mirror.vtti.vt.edu\n * extras: repos-va.psychz.net\n * updates: linux.cc.lehigh.edu\n--> Finished Dependency Resolution\n You could try using --skip-broken to work around the problem\n You could try running: rpm -Va --nofiles --nodigest\n"]}
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

shawndwells commented 3 years ago

+1, able to replicate. The API calls pull the latest sensor for RHEL or CentOS, always downloading the CentOS/RHEL8 RPM

shawndwells commented 3 years ago

Believe this is from https://github.com/CrowdStrike/ansible_collection_falcon/blob/master/roles/falcon_installation/tasks/api.yml#L34#L39

redhatrises commented 3 years ago

There is a known limitation where the os_version is not filterable from the API at this point in time... it's very unfortunate.

shawndwells commented 3 years ago

OK. What is the CrowdStrike feature request URL so that others can +1 fixing this limitation?

dhoeric commented 3 years ago

+1, looking for support on os_version filtering. That would be helpful to filter between amazon linux 1 & 2.

jasonlanpher commented 3 years ago

The ability to fix this should be pretty simple. If there is an API limitation, then instead of filtering all the results of packages to download, simply return them all and, based upon the Ansible fact "ansible_distribution_major_version": "7", you could choose the correct version, then subsequently pull it down, perhaps by sha256 hash, if you have no other way to target the package by version.

shawndwells commented 3 years ago

+1, looking for support on os_version filtering. That would be helpful to filter between amazon linux 1 & 2.

That should be possible now.

We get into trouble when trying to find the falcon sensor RPM for a given Linux minor releases. Rough analogy being the CrowdStrike API can pull down the sensor for rhel7:latest but not rhel7:1 or rhel7:2.

Docs for the Sensor download API are at https://falcon.crowdstrike.com/support/documentation/109/sensor-download-apis. There might be some way we haven't figured out, and help is /very/ appreciated!

shawndwells commented 3 years ago

The ability to fix this should be pretty simple. If there is an API limitation, then instead of filtering all the results of packages to download, simply return them all and, based upon the Ansible fact "ansible_distribution_major_version": "7", you could choose the correct version, then subsequently pull it down, perhaps by sha256 hash, if you have no other way to target the package by version.

Still recalling either @redhatrises or @isimluk had implemented something very similar in another project. Could be totally making that up though... =/

jagibson commented 3 years ago

Here's what happens on Amazon Linux 1:

fatal: [amazonlinux]: FAILED! => {"changed": false, "changes": {"installed": ["/tmp/falcon-sensor-6.26.0-12304.amzn2.x86_64.rpm"]}, "msg": "Error: Package: falcon-sensor-6.26.0-12304.amzn2.x86_64 (/falcon-sensor-6.26.0-12304.amzn2.x86_64)\n Requires: systemd\n", "rc": 1, "results": ["Loaded plugins: priorities, update-motd, upgrade-helper\nExamining /tmp/falcon-sensor-6.26.0-12304.amzn2.x86_64.rpm: falcon-sensor-6.26.0-12304.amzn2.x86_64\nMarking /tmp/falcon-sensor-6.26.0-12304.amzn2.x86_64.rpm to be installed\nResolving Dependencies\n--> Running transaction check\n---> Package falcon-sensor.x86_64 0:6.26.0-12304.amzn2 will be installed\n--> Processing Dependency: systemd for package: falcon-sensor-6.26.0-12304.amzn2.x86_64\n--> Finished Dependency Resolution\n You could try using --skip-broken to work around the problem\n You could try running: rpm -Va --nofiles --nodigest\n"]}

jagibson commented 3 years ago

If you try running the API for os_version you'll get,

[ { "code": 400, "message": "Failed to parse filter expression. [os_version is an unknown property]" } ],

I've filed a support ticket with crowdstrike about this. We'll see how it goes.

grumpy-penguin commented 2 years ago

Whilst the API may not yet allow filtering based on os_version, it is possible to filter the output returned. For example:

- name: CrowdStrike Falcon | Get list of installers
  uri:
    url: "https://{{ falcon_api_url }}/sensors/combined/installers/v1?filter=platform%3A%22{{ falcon_os_family }}*%22%2Bos%3A%22{{ falcon_target_os }}%22&=&sort=version.desc"
    method: GET
    return_content: true
    headers:
      authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}"
  register: falcon_api_installer_list

- name: CrowdStrike Falcon | Filter to installers for OS major version
  set_fact:
    falcon_api_sha_hash: "{{ falcon_api_installer_list.json.resources | selectattr('os_version', 'equalto', ansible_distribution_major_version ) }}"

- name: CrowdStrike Falcon | Download Latest Sensor Installation Package
  get_url:
    url: "https://{{ falcon_api_url }}/sensors/entities/download-installer/v1?id={{ falcon_api_sha_hash[0].sha256 }}"
    dest: "{{ falcon_install_tmp_dir }}"
    checksum: "sha256:{{ falcon_api_sha_hash[0].sha256 }}"
    headers:
      authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}"
  register: falcon_sensor_download

This would work for EL7, EL8 and Amzn2, but Amzn1 seems to return either N/A or 201x for the ansible_distribution_major_version. It fails therefore without some additional work to set an accurate fact for Amzn1.

During my testing for Ubuntu Focal and Bionic, my trial expired for Falcon sensor, which prevented me from testing these distributions.
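The client-side selection that jasonlanpher proposed and that the tasks above implement (fetch the whole installer list, pick the entry whose `os_version` matches the host's major version, then download by `sha256` and verify the checksum) is shown below as a standalone Python example. It is an added illustration, not code from the collection or from anyone in this thread. The installer records, the `os` strings, the version numbers and the payload bytes are all constructed here to resemble the API's `resources` shape; the mapping of Amazon Linux 1's `ansible_distribution_major_version` values (`NA` or a `201x` year, as grumpy-penguin observed) to `os_version` `1` is an assumption, not documented API behaviour. The example also covers the case where no installer matches, so the caller fails closed instead of indexing an empty list as `falcon_api_sha_hash[0]` would.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed stand-ins for sensor RPM contents, so the sha256 values below are
# real hashes of known bytes and the verification step can be exercised offline.
CONSTRUCTED_BLOBS: Dict[str, bytes] = {
    "el8": b"constructed el8 rpm bytes",
    "el7": b"constructed el7 rpm bytes",
    "el7-old": b"constructed older el7 rpm bytes",
    "amzn2": b"constructed amzn2 rpm bytes",
    "amzn1": b"constructed amzn1 rpm bytes",
}

def _sha(key: str) -> str:
    return hashlib.sha256(CONSTRUCTED_BLOBS[key]).hexdigest()

# Constructed sample of the "resources" list returned by
# /sensors/combined/installers/v1 (field names follow the thread: os_version,
# version, sha256; the os labels and versions are illustrative only).
SAMPLE_INSTALLERS: List[dict] = [
    {"name": "falcon-sensor-6.14.0-11110.el8.x86_64.rpm", "os": "RHEL/CentOS/Oracle",
     "os_version": "8", "version": "6.14.11110", "sha256": _sha("el8")},
    {"name": "falcon-sensor-6.14.0-11110.el7.x86_64.rpm", "os": "RHEL/CentOS/Oracle",
     "os_version": "7", "version": "6.14.11110", "sha256": _sha("el7")},
    {"name": "falcon-sensor-6.13.0-11005.el7.x86_64.rpm", "os": "RHEL/CentOS/Oracle",
     "os_version": "7", "version": "6.13.11005", "sha256": _sha("el7-old")},
    {"name": "falcon-sensor-6.26.0-12304.amzn2.x86_64.rpm", "os": "Amazon Linux",
     "os_version": "2", "version": "6.26.12304", "sha256": _sha("amzn2")},
    {"name": "falcon-sensor-6.26.0-12304.amzn1.x86_64.rpm", "os": "Amazon Linux",
     "os_version": "1", "version": "6.26.12304", "sha256": _sha("amzn1")},
]

def normalize_major_version(ansible_distribution: str, major: str) -> str:
    """Map Ansible facts to the os_version string used in the installer list.

    Assumption: Amazon Linux 1 reports its major version as 'NA'/'N/A' or a
    201x year, which the API's os_version field does not use, so treat those
    as '1'. Every other distribution's major version is passed through.
    """
    if ansible_distribution == "Amazon" and (
        major.upper() in ("NA", "N/A") or re.fullmatch(r"201\d", major)
    ):
        return "1"
    return major

def version_key(version: str):
    """Numeric sort key for dotted sensor versions (e.g. '6.14.11110')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def select_installer(installers: List[dict], os_name: str, os_version: str) -> Optional[dict]:
    """Return the newest installer for the given os/os_version, or None if
    nothing matches (so a caller cannot silently pick the wrong build)."""
    candidates = [
        entry for entry in installers
        if entry.get("os") == os_name and str(entry.get("os_version")) == os_version
    ]
    if not candidates:
        return None
    candidates.sort(key=lambda entry: version_key(entry["version"]), reverse=True)
    return candidates[0]

def verify_download(content: bytes, expected_sha256: str) -> bool:
    """Check a downloaded package against the sha256 the API advertised for it;
    this is the same check get_url's checksum: parameter performs."""
    return hashlib.sha256(content).hexdigest() == expected_sha256.lower()

def resolve_for_host(installers: List[dict], os_name: str,
                     ansible_distribution: str, major: str) -> Optional[dict]:
    """Convenience wrapper: normalize the host's facts, then select the installer."""
    return select_installer(installers, os_name,
                            normalize_major_version(ansible_distribution, major))

if __name__ == "__main__":
    # A CentOS 7 host (the reporter's case) should get the el7 build, not el8.
    chosen = resolve_for_host(SAMPLE_INSTALLERS, "RHEL/CentOS/Oracle", "CentOS", "7")
    print(chosen["name"], chosen["sha256"])
    print("checksum ok:", verify_download(CONSTRUCTED_BLOBS["el7"], chosen["sha256"]))
```

The `os` value is matched exactly here because the sample data is constructed; against the real API the task in the thread selects the platform and `os` with a filter expression and only the `os_version` step happens client-side, so only `select_installer`'s `os_version` comparison corresponds to the `selectattr` line above.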

shawndwells commented 2 years ago

@grumpy-penguin thanks for this! Would you be open to submitting a pull request?

Regarding AM1.... IMHO we should get a solution that works for most people now. Future incremental improvements can address fringe cases.

grumpy-penguin commented 2 years ago

Thanks - I've added the pull request #53

redhatrises commented 2 years ago

53 has been merged. Keeping this open until os_version is supported in the api.