CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0

[falcon_install] Add ability to change permissions of the downloaded Falcon Sensor Installer #481

Closed dhoppe closed 6 months ago

dhoppe commented 6 months ago

I use an Ansible playbook to create a golden image for AWS using the roles falcon_install, falcon_configure and falcon_uninstall.

When I run the Ansible playbook, I get the following error message:

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Copy Sensor Installation Package to remote host (non-windows)] *******************************************************
fatal: [i-0da31599f96a90199_asg-metadefender-image-ubuntu22-mdtest-202404050828]: FAILED! =>
  msg: 'an error occurred while trying to read the file ''/var/tmp/falcon-sensor_7.13.0-16604_amd64.deb'': [Errno 13] Permission denied: b''/var/tmp/falcon-sensor_7.13.0-16604_amd64.deb''. [Errno 13] Permission denied: b''/var/tmp/falcon-sensor_7.13.0-16604_amd64.deb'''

The reason for this error message is a global umask 0077 on the Ansible control node. After downloading the Falcon Sensor Installer via API, the file has the following permissions:

-rw------- 1 root root 58047924 Apr  5 08:40 /var/tmp/falcon-sensor_7.13.0-16604_amd64.deb

Although the Ansible playbook is executed with become: true, the Ansible task cannot access the file to copy it to the target host.

I could probably work around the problem by replacing the roles with the appropriate modules, but it would be more convenient to run an optional task between Download Falcon Sensor Installation Package (local) and Copy Sensor Installation Package to remote host (non-windows) that changes the permissions of the file.

https://github.com/CrowdStrike/ansible_collection_falcon/blob/main/roles/falcon_install/tasks/api.yml#L63-L71

Something like:

- name: CrowdStrike Falcon | Permissions of Falcon Sensor Installation Package (local)
  ansible.builtin.file:
    path: "{{ falcon_sensor_download.path }}"
    mode: "{{ falcon_api_sensor_download_mode }}"
  when: falcon_api_sensor_download_mode != ""

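
The failure described above comes from the way the process umask interacts with file creation: `open()` applies the umask, so under `umask 0077` a freshly downloaded installer ends up `0600` no matter what the caller intended, whereas `chmod` is not subject to the umask. The following Python snippet is an added illustration, not code from the collection or from the `sensor_download` module; the function names `write_installer` and `demo`, the `mode` parameter and the sample payload are all constructed for the example. It shows the naive write beside one that sets the requested mode explicitly after writing, which is the behaviour a download module would need in order to honour a configured mode on a hardened control node.

```python
import os
import stat
import tempfile
from typing import Optional


def write_installer(path: str, payload: bytes, mode: Optional[int] = None) -> int:
    """Write payload to path and return the resulting permission bits.

    Constructed example of a download step. The umask is applied by open()
    when the file is created; if mode is given it is then set explicitly with
    os.chmod, which the umask does not affect.
    """
    with open(path, "wb") as fh:
        fh.write(payload)
    if mode is not None:
        os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(umask: int = 0o077) -> dict:
    """Create two files under the given umask: one written naively, one with
    an explicit mode of 0644. Returns the permission bits of each so the
    effect of the umask can be compared. The original umask is restored."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            naive = write_installer(
                os.path.join(tmp, "naive.deb"), b"constructed payload"
            )
            explicit = write_installer(
                os.path.join(tmp, "explicit.deb"), b"constructed payload", mode=0o644
            )
    finally:
        os.umask(old_umask)
    return {"umask": umask, "naive": naive, "explicit": explicit}


if __name__ == "__main__":
    result = demo(0o077)
    # Under umask 0077 the naive file is 0600 (owner-only), which is exactly the
    # "-rw-------" listing in the issue; the explicit file is 0644.
    print(f"umask {result['umask']:04o}: naive={result['naive']:04o} "
          f"explicit={result['explicit']:04o}")
```

Two points worth keeping in mind when applying this. First, setting the mode on the artifact is preferable to relaxing the control node's umask: `0077` is a deliberate hardening choice, and an installer package only needs to be world-readable (`0644`), never writable by others. Second, `become: true` takes effect on the managed host, while the `copy` action reads its source on the control node as the user running `ansible-playbook`, which is why elevated privileges on the target do not help when the local file is `0600` and owned by a different user.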
carlosmmatos commented 6 months ago

@dhoppe Thanks for opening up these issues!

Let me take a look at this today along with the other issues you opened up.

carlosmmatos commented 6 months ago

Okay.. so I think this should be handled by the sensor_download instead of adding it as a task. This makes sense in and outside of the role. I'll get a PR started for that.

dhoppe commented 6 months ago

> Okay.. so I think this should be handled by the sensor_download instead of adding it as a task. This makes sense in and outside of the role. I'll get a PR started for that.

@carlosmmatos I had the same thought and it would be the much smarter approach, but I was looking for a quick fix because I am not that good at writing Python. 😉