CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0

RHEL9 - No Falcon Sensor was found! #353

Closed TyraelTLK closed 1 year ago

TyraelTLK commented 1 year ago

Hi, is there an issue on the CrowdStrike cloud regarding the RHEL9 packages? Today we are not able to install CrowdStrike on RHEL9 machines:

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Build API Sensor Query] **********************************************************************
ok: [] => {"ansible_facts": {"falcon_os_query": "os:\"RHEL\"+os_version:\"*9*\"+os_version:!~\"arm64\"+os_version:!~\"zLinux\""}, "changed": false}

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Get list of filtered Falcon sensors] *********************************************************
ok: [] => {"changed": false, "connection": "close", "content": "{\n \"meta\": {\n  \"query_time\": 0.081804689,\n  \"powered_by\": \"binserv\",\n  \"trace_id\": \"\"\n },\n \"errors\": [],\n \"resources\": []\n}", "content_length": "159", "content_type": "application/json", "cookies": {}, "cookies_string": "", "date": "Wed, 07 Jun 2023 09:56:12 GMT", "elapsed": 0, "json": {"errors": [], "meta": {"powered_by": "binserv", "query_time": 0.081804689, "trace_id": ""}, "resources": []}, "msg": "OK (159 bytes)", "redirected": false, "server": "nginx", "status": 200, "strict_transport_security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "url": "https://api.us-2.crowdstrike.com/sensors/combined/installers/v1?filter=os%3A%22RHEL%22%2Bos_version%3A%22%2A9%2A%22%2Bos_version%3A%21~%22arm64%22%2Bos_version%3A%21~%22zLinux%22", "x_cs_region": "us-2", "x_cs_traceid": "", "x_ratelimit_limit": "6000", "x_ratelimit_remaining": "5977"}

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Validate Sensor request] *********************************************************************
fatal: []: FAILED! => {"changed": false, "msg": "No Falcon Sensor was found! If passing in falcon_sensor_version, ensure it is correct!"}

carlosmmatos commented 1 year ago

Looking into it right now

carlosmmatos commented 1 year ago

Looks like your falcon_os_query is wrong. Should be like this:

- {"falcon_os_query": "os:\"RHEL\"+os_version...}
+ {"falcon_os_query": "os:\"*RHEL*\"+os_version...}, "changed": false}

This was fixed as of version 3.2.19 in #233. Are you using an older version than that?

carlosmmatos commented 1 year ago

This also ran fine in our latest CI job for RHEL 9: https://github.com/CrowdStrike/ansible_collection_falcon/actions/runs/5200829132/jobs/9380106643#step:8:505

If you can't see that (not sure if you need permissions to view actions output), our job returns the following:

ok: [rhel-9-falcon_install] => {"ansible_facts": {"falcon_os_query": "os:\"*RHEL*\"+os_version:\"*9*\"+os_version:!~\"arm64\"+os_version:!~\"zLinux\""}, "changed": false}

TyraelTLK commented 1 year ago

No, 3.2.28 and the latest. We still had in the code the manual override for https://github.com/CrowdStrike/ansible_collection_falcon/issues/226

falcon_target_os: "RHEL"

It worked fine till yesterday. Now I removed it and I'm running it again. I'll let you know.

carlosmmatos commented 1 year ago

Here is probably what happened. The latest output from the API for the os value shows:

"os": "RHEL/Oracle",

It's very likely that Oracle v9 support was just added. This is why using the wildcard approach works, because we account for the weird naming convention engineering has adopted for this field 🤷🏼‍♂️

TyraelTLK commented 1 year ago

Yeah, I think you are right. Thank you, you can close this as invalid ;)
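
The mismatch diagnosed in this thread, as an added example that is not part of the original discussion or the collection's code: it rebuilds both `falcon_os_query` strings, percent-encodes the filter the way the request URL above shows, and evaluates each against installer records. The matcher is a simplified local model (assumptions: `*` is a glob, a bare value is an exact match, `!~` means "does not contain"), and the records are constructed apart from the `RHEL/Oracle` label quoted above.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import quote

# Constructed sample of installer metadata; only "RHEL/Oracle" comes from the thread.
SAMPLE = [
    {"os": "RHEL/Oracle", "os_version": "9"},
    {"os": "RHEL/Oracle", "os_version": "9 - arm64"},
    {"os": "RHEL/CentOS/Oracle", "os_version": "8"},
    {"os": "Ubuntu", "os_version": "20/22"},
]

# One filter term: field:"value" or field:!~"value"
TERM = re.compile(r'(\w+):(!~)?"([^"]*)"')


def build_os_query(target_os: str, major: str, wildcard: bool) -> str:
    """Reproduce the falcon_os_query strings printed in the thread."""
    os_term = f"*{target_os}*" if wildcard else target_os
    return (
        f'os:"{os_term}"+os_version:"*{major}*"'
        '+os_version:!~"arm64"+os_version:!~"zLinux"'
    )


def installers_url(base: str, query: str) -> str:
    """Percent-encode the filter as it appears in the logged request URL."""
    return f"{base}/sensors/combined/installers/v1?filter={quote(query, safe='')}"


def matches(record: dict, query: str) -> bool:
    """Simplified model of the filter (assumed semantics, see lead-in)."""
    for field, negate, pattern in TERM.findall(query):
        value = record.get(field, "")
        if negate:
            if pattern.lower() in value.lower():
                return False
        elif not fnmatchcase(value, pattern):
            return False
    return True


def select(query: str) -> list:
    return [r for r in SAMPLE if matches(r, query)]


if __name__ == "__main__":
    for wildcard in (False, True):
        q = build_os_query("RHEL", "9", wildcard)
        print(q, "->", select(q) or "no sensor found")
```
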