Closed clean-energyXOR closed 2 years ago
+1, able to replicate. The API calls pull the latest sensor for RHEL or CentOS, always downloading the CentOS/RHEL8 RPM.
There is a known limitation where the os_version is not filterable from the API at this point in time... it's very unfortunate.
OK. What is the CrowdStrike feature request URL so that others can +1 fixing this limitation?
+1, looking for support on os_version filtering. That would be helpful to filter between amazon linux 1 & 2.
The ability to fix this should be pretty simple. If there is an API limitation then instead of filtering all the results of packages to download, simply return them all and, based upon the Ansible fact "ansible_distribution_major_version": "7", you could choose the correct version to subsequently pull down, perhaps by sha256 hash if you have no other way to target the package by version.
That should be possible now.
We get into trouble when trying to find the falcon sensor RPM for a given Linux minor release. Rough analogy being the CrowdStrike API can pull down the sensor for rhel7:latest but not rhel7:1 or rhel7:2.
Docs for the Sensor download API are at https://falcon.crowdstrike.com/support/documentation/109/sensor-download-apis. There might be some way we haven't figured out, and help is /very/ appreciated!
Still recalling either @redhatrises or @isimluk had implemented something very similar in another project. Could be totally making that up though... =/
Here's what happens on Amazon Linux 1:
fatal: [amazonlinux]: FAILED! => {"changed": false, "changes": {"installed": ["/tmp/falcon-sensor-6.26.0-12304.amzn2.x86_64.rpm"]}, "msg": "Error: Package: falcon-sensor-6.26.0-12304.amzn2.x86_64 (/falcon-sensor-6.26.0-12304.amzn2.x86_64)\n Requires: systemd\n", "rc": 1, "results": ["Loaded plugins: priorities, update-motd, upgrade-helper\nExamining /tmp/falcon-sensor-6.26.0-12304.amzn2.x86_64.rpm: falcon-sensor-6.26.0-12304.amzn2.x86_64\nMarking /tmp/falcon-sensor-6.26.0-12304.amzn2.x86_64.rpm to be installed\nResolving Dependencies\n--> Running transaction check\n---> Package falcon-sensor.x86_64 0:6.26.0-12304.amzn2 will be installed\n--> Processing Dependency: systemd for package: falcon-sensor-6.26.0-12304.amzn2.x86_64\n--> Finished Dependency Resolution\n You could try using --skip-broken to work around the problem\n You could try running: rpm -Va --nofiles --nodigest\n"]}
If you try running the API for os_version you'll get,
[ { "code": 400, "message": "Failed to parse filter expression. [os_version is an unknown property]" } ],
I've filed a support ticket with crowdstrike about this. We'll see how it goes.
Whilst the API may not yet allow filtering based on os_version, it is possible to filter the output returned. For example:
- name: CrowdStrike Falcon | Get list of installers
  uri:
    # platform and os are filterable server-side; os_version is not, so it is applied below
    url: "https://{{ falcon_api_url }}/sensors/combined/installers/v1?filter=platform%3A%22{{ falcon_os_family }}*%22%2Bos%3A%22{{ falcon_target_os }}%22&sort=version.desc"
    method: GET
    return_content: true
    headers:
      authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}"
  register: falcon_api_installer_list

- name: CrowdStrike Falcon | Filter to installers for OS major version
  set_fact:
    # selectattr yields a generator; pipe through list so [0] works in the next task
    falcon_api_sha_hash: "{{ falcon_api_installer_list.json.resources | selectattr('os_version', 'equalto', ansible_distribution_major_version) | list }}"

- name: CrowdStrike Falcon | Download Latest Sensor Installation Package
  get_url:
    # the download endpoint is addressed by sha256, so the same digest doubles as the integrity check
    url: "https://{{ falcon_api_url }}/sensors/entities/download-installer/v1?id={{ falcon_api_sha_hash[0].sha256 }}"
    dest: "{{ falcon_install_tmp_dir }}"
    checksum: "sha256:{{ falcon_api_sha_hash[0].sha256 }}"
    headers:
      authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}"
  register: falcon_sensor_download
This would work for EL7, EL8 and Amzn2, but Amzn1 seems to return either N/A or 201x for the ansible_distribution_major_version. It fails therefore without some additional work to set an accurate fact for Amzn1.
During my testing for Ubuntu Focal and Bionic, my trial expired for Falcon sensor, which prevented me from testing these distributions.
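The approach suggested earlier in the thread (pull the OS-wide installer list, choose by the Ansible major-version fact, then download by sha256) and the Ansible tasks in the comment above, as an added Python example that is not part of the role or of anything posted in this issue. It runs offline on a constructed list shaped like the resources array of /sensors/combined/installers/v1; the os strings, versions and digests are placeholders, and the Amazon Linux 1 handling (treating an ansible_distribution_major_version of "N/A" or 201x as os_version "1") is an assumption. It also shows the pick the role made without an os_version filter, and why version strings need numeric rather than string comparison.

```python
import hashlib
import re

# Constructed sample shaped like the "resources" array of
# GET /sensors/combined/installers/v1 as used by the Ansible tasks above
# (fields os, os_version, version, sha256, name). The "os" strings and the
# digests are placeholders, not real API output.
SAMPLE_INSTALLERS = [
    {"name": "falcon-sensor-6.26.0-12304.el8.x86_64.rpm",
     "os": "RHEL/CentOS/Oracle", "os_version": "8",
     "version": "6.26.12304", "sha256": "a" * 64},
    {"name": "falcon-sensor-6.26.0-12304.el7.x86_64.rpm",
     "os": "RHEL/CentOS/Oracle", "os_version": "7",
     "version": "6.26.12304", "sha256": "b" * 64},
    {"name": "falcon-sensor-6.9.0-11000.el7.x86_64.rpm",
     "os": "RHEL/CentOS/Oracle", "os_version": "7",
     "version": "6.9.11000", "sha256": "c" * 64},
    {"name": "falcon-sensor-6.26.0-12304.amzn2.x86_64.rpm",
     "os": "Amazon Linux", "os_version": "2",
     "version": "6.26.12304", "sha256": "d" * 64},
    {"name": "falcon-sensor-6.26.0-12304.amzn1.x86_64.rpm",
     "os": "Amazon Linux", "os_version": "1",
     "version": "6.26.12304", "sha256": "e" * 64},
]

# Constructed stand-in for a downloaded RPM body (not a real package).
FAKE_RPM = b"not a real rpm, just bytes to hash"


def version_key(version):
    """Numeric sort key: '6.26.12304' must rank above '6.9.11000',
    which a plain string comparison gets wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def pick_latest_without_os_version(resources, os_name):
    """What the role effectively did: sort the OS-wide list by version
    descending and take element 0. Ties between major releases fall to
    whatever the API listed first, which is how a CentOS 7 host ends up
    with the el8 package."""
    per_os = [r for r in resources if r["os"] == os_name]
    return sorted(per_os, key=lambda r: version_key(r["version"]), reverse=True)[0]


def target_os_version(distribution, major_version):
    """Map Ansible facts to the API's os_version. The thread reports
    ansible_distribution_major_version on Amazon Linux 1 as 'N/A' or a
    201x date string, so (assumption) anything on Amazon that is not '2'
    is treated as os_version '1'. Other distributions pass through."""
    if distribution == "Amazon":
        return "2" if str(major_version) == "2" else "1"
    return str(major_version)


def select_installer(resources, os_name, os_version):
    """Client-side equivalent of the filter the API rejects
    ("os_version is an unknown property"): keep only the target OS and
    major version, then take the newest build."""
    matches = [r for r in resources
               if r["os"] == os_name and str(r["os_version"]) == str(os_version)]
    if not matches:
        raise LookupError(f"no installer for {os_name} os_version {os_version}")
    return max(matches, key=lambda r: version_key(r["version"]))


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def verify_download(blob, expected_sha256):
    """The download endpoint is addressed by sha256, so the API-reported
    digest doubles as the integrity check (what get_url's checksum: does)."""
    return sha256_hex(blob) == expected_sha256.lower()


if __name__ == "__main__":
    wrong = pick_latest_without_os_version(SAMPLE_INSTALLERS, "RHEL/CentOS/Oracle")
    print("without an os_version filter the role picks:", wrong["name"])
    for dist, major in (("CentOS", "7"), ("Amazon", "N/A"), ("Amazon", "2")):
        os_name = "Amazon Linux" if dist == "Amazon" else "RHEL/CentOS/Oracle"
        chosen = select_installer(SAMPLE_INSTALLERS, os_name, target_os_version(dist, major))
        print(f"{dist} {major}: {chosen['name']} sha256={chosen['sha256'][:8]}...")
    print("download verified:", verify_download(FAKE_RPM, sha256_hex(FAKE_RPM)))
```

The Ansible tasks above do the same thing with selectattr and get_url's checksum option; the Python version makes the Amazon Linux 1 fact mapping explicit so the playbook can set an accurate fact for that host before filtering.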
@grumpy-penguin thanks for this! Would you be open to submitting a pull request?
Regarding AM1.... IMHO we should get a solution that works for most people now. Future incremental improvements can address fringe cases.
Thanks - I've added the pull request #53
While using Centos 7 and the API default method, the role downloads the sensor for Centos 8. Thus the package has dependency issues with the host and falcon-sensor will not install.
Expected: falcon-sensor-6.14.0-11110.el7.x86_64
Issue: falcon-sensor-6.14.0-11110.el8.x86_64 is downloaded