CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0

Unable to install CrowdStrike on Ubuntu 22.04 using Ansible roles #330

Closed Sabrthor closed 1 year ago

Sabrthor commented 1 year ago

I am using an Azure DevOps Release Pipeline to automate the process of rolling out CrowdStrike across our organization. I am currently running a POC and have provisioned 3 Azure VMs: 2 Windows machines (one domain-joined and another in a WorkGroup) and a Linux machine (Ubuntu 22.04). I am using a self-hosted agent which has Ansible installed and the ADO Pipeline agent configured.

root@pmtsharedansible01:# ansible --version
ansible [core 2.12.10]
  config file = /etc/ansible/ansible.cfg 
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Mar 13 2023, 10:26:41) [GCC 9.4.0]
  jinja version = 2.10.1
  libyaml = True

CrowdStrike installs fine on the Windows Azure VMs (both domain-joined and WorkGroup); however, it complains during setup of the Linux Azure VM.

2023-03-28T08:54:33.9289799Z fatal: [CSTRIKE3]: FAILED! => {"reason": "couldn't resolve module/action 'crowdstrike.falcon.falconctl'. This often indicates a misspelling, missing collection, or incorrect module path.\n\nThe error appears to be in '/etc/ansible/roles/crowdstrike.falcon.falcon_configure/tasks/configure.yml': line 5, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n  block:\n    - name: CrowdStrike Falcon | Configure Falcon Sensor Options (Linux)\n      ^ here\n"}

The directory for the ansible roles:

root@pmtsharedansible01:/etc/ansible/roles# pwd
/etc/ansible/roles
root@pmtsharedansible01:/etc/ansible/roles# ls -l
total 16
drwxr-xr-x  8 root root 4096 Mar 21 15:14 crowdstrike.falcon.falcon_configure
drwxr-xr-x  8 root root 4096 Mar 21 15:14 crowdstrike.falcon.falcon_install
drwxr-xr-x  8 root root 4096 Mar 21 15:14 crowdstrike.falcon.falcon_uninstall
drwxr-xr-x 10 root root 4096 Mar 10 12:19 newrelic.newrelic-infra
root@pmtsharedansible01:/etc/ansible/roles# tree crowdstrike.falcon.falcon_*
crowdstrike.falcon.falcon_configure
├── README.md
├── defaults
│   └── main.yml
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── configure.yml
│   ├── main.yml
│   ├── remove_aid.yml
│   └── win_configure.yml
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml
crowdstrike.falcon.falcon_install
├── README.md
├── defaults
│   └── main.yml
├── files
│   └── falcon-sensor.gpg
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── api.yml
│   ├── auth.yml
│   ├── file.yml
│   ├── install.yml
│   ├── main.yml
│   ├── preinstall.yml
│   ├── url.yml
│   ├── win_api.yml
│   ├── win_auth.yml
│   └── win_install.yml
└── vars
    └── main.yml
crowdstrike.falcon.falcon_uninstall
├── README.md
├── defaults
│   └── main.yml
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── main.yml
│   ├── uninstall.yml
│   └── win_uninstall.yml
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml

18 directories, 37 files

Any idea how I can fix this?


Edit1:

When I pull up this file, /etc/ansible/roles/crowdstrike.falcon.falcon_configure/tasks/configure.yml, it reads:

---
- name: Linux Block
  when: ansible_facts['distribution'] != "MacOSX"
  block:
    - name: CrowdStrike Falcon | Configure Falcon Sensor Options (Linux)
      crowdstrike.falcon.falconctl:
        cid: "{{ falcon_cid if (falcon_cid != None) else omit }}"
        provisioning_token: "{{ falcon_provisioning_token if (falcon_provisioning_token != None) else omit }}"
        apd: "{{ falcon_apd if (falcon_apd != None) else omit }}"
        aph: "{{ falcon_aph if (falcon_aph != None) else omit }}"
        app: "{{ falcon_app if (falcon_app != None) else omit }}"
        trace: "{{ falcon_trace if (falcon_trace != None) else omit }}"
        feature: "{{ falcon_feature if (falcon_feature != None) else omit }}"
        message_log: "{{ falcon_message_log if (falcon_message_log != None) else omit }}"
        billing: "{{ falcon_billing if (falcon_billing != None) else omit }}"
        tags: "{{ falcon_tags if (falcon_tags != None) else omit }}"
        backend: "{{ falcon_backend if (falcon_backend != None) else omit }}"
        state: "{{ 'present' if falcon_option_set else 'absent' }}"
      register: falconctl_result

    - name: CrowdStrike Falcon | Register Falcon Sensor Options
      crowdstrike.falcon.falconctl_info:
      register: info

    - name: CrowdStrike Falcon | Restart Falcon Sensor on Changes
      ansible.builtin.service:
        name: falcon-sensor
        state: "{{ falcon_service_state | default('restarted') }}"
        enabled: yes
      when:
        - info.falconctl_info.cid
        - falconctl_result.changed
      become: yes
      # noqa args[module]

Module Path:

root@pmtsharedansible01:~/crowdstrike/plugins/modules# pwd
/root/crowdstrike/plugins/modules
root@pmtsharedansible01:~/crowdstrike/plugins/modules# ls -al
total 28
drwxr-xr-x 2 root root  4096 Mar 21 15:14 .
drwxr-xr-x 4 root root  4096 Mar 21 15:14 ..
-rw-r--r-- 1 root root 12875 Mar 21 15:14 falconctl.py
-rw-r--r-- 1 root root  3763 Mar 21 15:14 falconctl_info.py

I have a feeling this has got something to do with the Linux Block in configure.yml and the falconctl.py script. Strangely, the Windows machines never complained.

carlosmmatos commented 1 year ago

@Sabrthor That is correct. In Linux, we created a falconctl module to handle the configuration of the sensor via the falconctl CLI tool when the sensor is installed. You would need to import the collection to pull down all the dependencies relevant to the collection (includes plugins).

Sabrthor commented 1 year ago

@carlosmmatos Thank you for pointing me in the right direction. I copied the files to the ansible_collections directory and this seems to have fixed the issue.
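The two comments above describe the root cause (roles copied loosely under /etc/ansible/roles while the collection's plugins/modules were left outside any `ansible_collections` tree) and the fix (installing the whole collection so roles and modules ship together). The script below is an added example, not part of the issue or of the CrowdStrike collection: it walks an Ansible collection search path (defaulting to the one shown in the `ansible --version` output above), checks whether `crowdstrike.falcon` is installed in the layout Ansible actually resolves (`<path>/ansible_collections/crowdstrike/falcon/plugins/modules/falconctl.py`), and prints the install command when it is not. The function names and the default search path are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the collection's own tooling): verify that the
# crowdstrike.falcon collection is installed where Ansible will find its
# falconctl/falconctl_info modules, which is what the "couldn't resolve
# module/action 'crowdstrike.falcon.falconctl'" error is complaining about.
#
# Assumed default: the collection path printed by `ansible --version` on the page.
DEFAULT_COLLECTION_PATH="/root/.ansible/collections:/usr/share/ansible/collections"

# Print the collection directory for crowdstrike.falcon and return 0 if both
# Linux modules are present in the proper ansible_collections layout;
# return 1 otherwise. $1 is a colon-separated collection search path.
find_falcon_collection() {
    search_path="${1:-$DEFAULT_COLLECTION_PATH}"
    old_ifs="$IFS"
    IFS=:
    for base in $search_path; do
        IFS="$old_ifs"
        coll="$base/ansible_collections/crowdstrike/falcon"
        # Ansible resolves crowdstrike.falcon.<module> only from this tree;
        # a loose copy under roles/ or plugins/modules does not count.
        if [ -f "$coll/plugins/modules/falconctl.py" ] &&
           [ -f "$coll/plugins/modules/falconctl_info.py" ]; then
            printf '%s\n' "$coll"
            return 0
        fi
    done
    IFS="$old_ifs"
    return 1
}

# Report the state of the install. Never fails, so it is safe under `set -e`.
# The install itself is only printed, not run, so the operator decides.
report_falcon_collection() {
    if coll=$(find_falcon_collection "$1"); then
        echo "crowdstrike.falcon is installed at: $coll"
    else
        echo "crowdstrike.falcon is not on the collection path (${1:-$DEFAULT_COLLECTION_PATH})."
        echo "Install the whole collection (roles and plugins together) with:"
        echo "    ansible-galaxy collection install crowdstrike.falcon"
    fi
    return 0
}

# Usage: sh check_falcon_collection.sh [colon-separated-collection-path]
report_falcon_collection "$1"
```

Running it with no argument checks the path from the issue; passing the value of `ansible-config dump | grep COLLECTIONS_PATHS` (or whatever `ansible --version` prints as "ansible collection location") checks a different control node. The check deliberately looks for both `falconctl.py` and `falconctl_info.py`, because the `configure.yml` task block above uses both modules.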

carlosmmatos commented 1 year ago

Awesome! Thanks for letting us know!