CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0

Feature Suggestion: Sensor builds and kernel lookups #454

Closed tlourey closed 6 months ago

tlourey commented 8 months ago

Hi, I'd like to suggest we create new modules for sensor build and sensor kernel lookups.

While more relevant to Linux than Windows, it would be good to be able to use Ansible to determine the latest build for a particular Linux kernel, then install that.

The functions exist in FalconPy under queryCombinedSensorUpdateKernels and queryCombinedSensorUpdateBuilds.

Note: it does require that the API user have the sensor update policy read permission.

carlosmmatos commented 8 months ago

Hi @tlourey - thanks for opening up a request. Just so I can understand the request a little better outside of what we already have, you are just looking for a way to determine the latest sensors available for a Linux kernel, correct? If so, I don't see any issue with adding this module. For context, we used to do this and use it in our roles, but then with eBPF becoming more standardized, we decided it wasn't needed to validate a particular version against a Linux OS kernel. So we ended up removing it from the falcon_install role.

That being said, the nice thing about modules is that they can be used independent of our built-in roles, so I see no reason not to add this one.

In terms of the sensor builds query, I'm not sure of the major use case for this. Can you elaborate a little more on how you use this endpoint?

tlourey commented 8 months ago

Hi @carlosmmatos, I agree with your eBPF and the RFM options, but I got here because I was trying to make sure I had a way to deploy the most compatible sensor for a Linux machine possible, even if it was a little behind, for a brand-new VM (without baking it in via any method). I was happy with some method to just do the lookup from the KB article, but this method seemed better.

I got to the sensor builds part of the idea because, while this started from a fresh Linux install playbook, I thought I should include sensor builds to cover the same thinking for fresh Windows VMs as well (even if it was PowerShell, DSC or Ansible itself that did the install).

The goal in both cases was to have Ansible determine the most compatible and supported version of a sensor given a particular OS and/or kernel, and perhaps even a patching level in Windows, for example, and install that. The idea being that you had no reduced functionality in any sense when deploying a fresh sensor on, say, a fresh VM you just provisioned. Hope that helps!
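The selection logic the two posts above describe (look the host's exact kernel up, pick the newest sensor version reported as supported for it, fall back when nothing matches), as an added example that is not part of this thread and not code from the collection or from FalconPy. It runs offline against constructed records: the field names (`distro`, `distro_version`, `architecture`, `release`, `base_package_supported_sensor_versions`, `ztl_supported_sensor_versions` on kernel records; `platform`, `sensor_version`, `build`, `stage` on build records) are an assumption modelled on the combined kernels and builds resources that queryCombinedSensorUpdateKernels and queryCombinedSensorUpdateBuilds return, and the meaning given to the two version lists (base package = supported without any extra download, ZTL = supported via the zero-touch Linux module download) is likewise an assumption to confirm against the API documentation for your tenant. In a real task you would feed the function the `resources` lists from those two calls instead of the samples.

```python
"""Pick the newest Falcon sensor version that is reported as supported for a
host's exact kernel release, preferring base-package support over ZTL support.

Example code for this thread; not the collection's own module code.
Record shapes and list semantics are assumptions, see the lead-in.
"""
from __future__ import annotations

# Constructed sample records (not real API output); shape is an assumption.
KERNELS = [
    {
        "vendor": "redhat", "distro": "rhel", "distro_version": "9",
        "architecture": "x86_64",
        "release": "5.14.0-362.8.1.el9_3.x86_64",
        "base_package_supported_sensor_versions": ["7.04.16205", "7.05.16210"],
        "ztl_supported_sensor_versions": ["7.04.16205", "7.05.16210", "7.06.16303"],
    },
    {
        "vendor": "redhat", "distro": "rhel", "distro_version": "9",
        "architecture": "x86_64",
        "release": "5.14.0-427.13.1.el9_4.x86_64",
        "base_package_supported_sensor_versions": [],
        "ztl_supported_sensor_versions": ["7.06.16303"],
    },
]

# Constructed sample build records (not real API output); shape is an assumption.
BUILDS = [
    {"platform": "linux", "sensor_version": "7.06.16303", "build": "16303|n|tagged", "stage": "prod"},
    {"platform": "linux", "sensor_version": "7.05.16210", "build": "16210|n-1|tagged", "stage": "prod"},
    {"platform": "linux", "sensor_version": "7.04.16205", "build": "16205|n-2|tagged", "stage": "prod"},
    {"platform": "windows", "sensor_version": "7.06.18305", "build": "18305|n|tagged", "stage": "prod"},
]

# Order in which the support lists are consulted; first hit wins.
SUPPORT_LISTS = (
    ("base_package_supported_sensor_versions", "base_package"),
    ("ztl_supported_sensor_versions", "ztl"),
)


def version_key(version: str) -> tuple[int, ...]:
    """Turn '7.05.16210' into (7, 5, 16210) so max() compares numerically."""
    return tuple(int(part) for part in version.split("."))


def select_sensor_version(kernels, builds, *, distro, distro_version,
                          architecture, release, platform="linux"):
    """Return (sensor_version, support_kind) for the host, or None.

    None means the API has no record for this exact kernel release; the
    caller should then fall back to whatever it would do anyway (install
    the latest build and let RFM / eBPF handle it) rather than guess.
    """
    matches = [
        k for k in kernels
        if k["distro"] == distro
        and k["distro_version"] == distro_version
        and k["architecture"] == architecture
        and k["release"] == release
    ]
    if not matches:
        return None

    # Only versions that actually exist as a build for this platform count.
    releasable = {b["sensor_version"] for b in builds if b["platform"] == platform}

    for field, kind in SUPPORT_LISTS:
        candidates = {v for k in matches for v in k.get(field, [])} & releasable
        if candidates:
            return max(candidates, key=version_key), kind
    return None


if __name__ == "__main__":
    # Typical use: read the host's kernel from Ansible facts and ask for a version.
    print(select_sensor_version(
        KERNELS, BUILDS, distro="rhel", distro_version="9",
        architecture="x86_64", release="5.14.0-362.8.1.el9_3.x86_64"))
```

Plugging this into a playbook would mean running it as a lookup or module, passing `ansible_distribution`, `ansible_distribution_major_version`, `ansible_architecture` and `ansible_kernel` in, and handing the returned `sensor_version` to the install step; the `None` branch is the important one, because an unknown kernel should not silently turn into "install nothing".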