search

CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0
95 stars 57 forks source link

falcon_install role does not configure CID #471

Closed TinLe closed 5 months ago

TinLe commented 6 months ago

After successfully running playbook using falcon_install role, I had expected it to also configure the sensor with everything it needed -- as I've already provided client_id and secrets. The README.md mentioned that using api will cause it to retrieve the CID from api server. So I assumed that the role will also configure that when installing the sensor.

https://github.com/CrowdStrike/ansible_collection_falcon/blob/main/roles/falcon_install/README.md?plain=1#L30

It turns out not to be true. The sensor was failing to start.

# systemctl status falcon-sensor
● falcon-sensor.service - CrowdStrike Falcon Sensor
     Loaded: loaded (/lib/systemd/system/falcon-sensor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2024-03-18 03:14:16 UTC; 10min ago
    Process: 92838 ExecStartPre=/opt/CrowdStrike/falconctl -g --cid (code=exited, status=1/FAILURE)

Mar 18 03:14:16 v02 systemd[1]: Starting CrowdStrike Falcon Sensor...
Mar 18 03:14:16 v02 falconctl[92838]: CID is not set. Use falconctl to set the CID
Mar 18 03:14:16 v02 falconctl[92838]: ERROR: failed to process the option --cid
Mar 18 03:14:16 v02 falconctl[92838]: Run 'falconctl -h' OR 'falconctl --help' for usage help
Mar 18 03:14:16 v02 systemd[1]: falcon-sensor.service: Control process exited, code=exited, status=1/FAILURE
Mar 18 03:14:16 v02 systemd[1]: falcon-sensor.service: Failed with result 'exit-code'.
Mar 18 03:14:16 v02 systemd[1]: Failed to start CrowdStrike Falcon Sensor.

Adding a call to falcon_configure role after successful install with the CID will then make things work.

So the bug is either falcon_install is not setting the CID as expteced and mentioned in documentation. Or the documentation need to be updated to say that you must call falcon_configure after install to configure the sensors.

Note that defaults/main.yml mentioned that falcon_cid is only valid for Windows.

https://github.com/CrowdStrike/ansible_collection_falcon/blob/main/roles/falcon_install/defaults/main.yml#L69

carlosmmatos commented 5 months ago

@TinLe - Appreciate the comment. Yes, we try to give an example of what this looks like here: https://github.com/CrowdStrike/ansible_collection_falcon?tab=readme-ov-file#example-using-the-built-in-roles-to-install-falcon

But I agree, we can update the falcon_install documentation to be more specific of how this works for Linux/Mac and Windows.

TinLe commented 5 months ago

@TinLe - Appreciate the comment. Yes, we try to give an example of what this looks like here: https://github.com/CrowdStrike/ansible_collection_falcon?tab=readme-ov-file#example-using-the-built-in-roles-to-install-falcon

But I agree, we can update the falcon_install documentation to be more specific of how this works for Linux/Mac and Windows.

My expectation of the falcon_install role is that:

Otherwise, do not start the service automatically after install if it's going to be broken anyway and will not run.

Looking into the falcon_install tasks, I see that it does get the CID from api server already, and that falcon_configure will actually call falcon_install if the CID was not given as a var. Then falcon_install might as well set the CID after installing, before starting the service.

I think adding a boolean falcon_start_service var to falcon_install to determine whether the service should be started or not would be useful. Set it by default to false and let the user of the role decide.

carlosmmatos commented 5 months ago

@TinLe The role itself does not automatically start the service after installing the sensor. The sensor package itself is doing that (not ansible). The CID in the install role is really for Windows systems only, this is just an artifact of what the old collection used to be.

So basically, for linux, this is how it works:

Hope this explains better what is happening. Also, feel free to create your own roles or playbooks as well since as of V4, we really started focusing more on building out modules, dynamic inventories, and EDA plugins. The roles are just their as a nice to have right now, not sure if we will keep them or drop them in the future in lieu of playbook examples using the modules. Or we might decide to re-do the roles... stay tuned ;)

TinLe commented 5 months ago

@carlosmmatos Thank you for the background history. Yes, maintaining legacy code can be... challenging.

I agree that it's the sensor package that set itself up to autostart. However, my expectation is that the role should override that by default. Hence the suggestion of falcon_service_start flag, with the default of false. The service requires a valid CID and will not start without one, so IMHO, it's broken and should not even get started at all.

The example show that you must run falcon_configure after installing. Since it is a required step, then falcon_install should disable/stop the service from starting. I do not look forward to having many instances with broken service installed.

A use case is where I might stage the install on many instances, but don't want it running yet till some time later when I can configure them.

I don't want to have a customized version of the role, that becomes a maintenance nightmare.