Closed drjeep closed 1 month ago
@drjeep thanks for opening up an issue and asking a question. The short answer is - yes, the main operation uses localhost to download the sensor. This is because we use the FalconPy SDK for our Modules/Plugins so we keep that dependency to one host. Otherwise, you would have to ensure the FalconPy Python package is installed on all your endpoints. Also, CrowdStrike does not have a package repository - but this doesn't mean that you can't create your own (see the ideas below).
A couple of things that may help based on your output - since downloading the sensors seems to be rather quick and without knowing your Ansible environment:
ansible.cfg:

```ini
[defaults]
forks = 25

[ssh_connection]
pipelining = true
```
You could create your own package repository using our modules.
Example: Query and Download installers to a directory
crowdstrike-repo.yml

```yaml
---
- name: Creates a CrowdStrike package repository
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    falcon_client_id: "{{ lookup('env', 'FALCON_CLIENT_ID') }}"
    falcon_client_secret: "{{ lookup('env', 'FALCON_CLIENT_SECRET') }}"
    filter_os: '*RHEL*'
    filter_os_version: '*8*'
    filter_os_arch: x86_64
    installer_dest: /some/path/to/store/installers
  tasks:
    - name: CrowdStrike Falcon | Authenticate to CrowdStrike API
      crowdstrike.falcon.auth:
        client_id: "{{ falcon_client_id }}"
        client_secret: "{{ falcon_client_secret }}"
      register: falcon

    - name: Get list of installers to download
      crowdstrike.falcon.sensor_download_info:
        auth: "{{ falcon.auth }}"
        filter: "os:'{{ filter_os }}'+os_version:'{{ filter_os_version }}'+architectures:'{{ filter_os_arch }}'"
        sort: "version|desc"
      register: falcon_api_installer_list

    - name: Download installers to repo destination
      crowdstrike.falcon.sensor_download:
        auth: "{{ falcon.auth }}"
        hash: "{{ item.sha256 }}"
        dest: "{{ installer_dest }}"
      loop: "{{ falcon_api_installer_list.installers }}"
```
How you decide to make this available to your hosts is up to you 😉
Remember that you have options in the falcon_install role outside of using the API.
Thanks, for now I've resorted to uploading the current version of the installer to S3 and using `falcon_install_method: url` which is indeed much faster. I'll look into making this more dynamic using your code above.
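An added example (not from the thread or the CrowdStrike project): when installers are served from your own repository or an S3 URL as discussed above, the mirrored copies can be audited against the SHA-256 values the API reported before any host installs from them. The record shape (`name` and `sha256` keys), the file names and the `audit_repo` helper are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large installers are never held in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_repo(repo_dir, installers):
    """Sort repo files into ok / missing / mismatch / unexpected (not listed)."""
    repo = Path(repo_dir)
    report = {"ok": [], "missing": [], "mismatch": [], "unexpected": []}
    expected = {}
    for rec in installers:  # assumed shape: {"name": ..., "sha256": ...}
        name = rec["name"]
        # A record must name a plain file, never a path out of the repo.
        if name in ("", ".", "..") or Path(name).name != name:
            raise ValueError(f"unsafe installer name: {name!r}")
        expected[name] = rec["sha256"].lower()
    for name, want in sorted(expected.items()):
        target = repo / name
        if not target.is_file():
            report["missing"].append(name)
        elif sha256_file(target) == want:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    for entry in sorted(repo.iterdir()):
        if entry.is_file() and entry.name not in expected:
            report["unexpected"].append(entry.name)
    return report


def demo():
    """Constructed sample: one intact file, one altered, one absent, one stray."""
    data = b"constructed installer bytes"
    want = hashlib.sha256(data).hexdigest()
    records = [{"name": n, "sha256": want} for n in ("a.rpm", "b.rpm", "c.rpm")]
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "a.rpm").write_bytes(data)
        (Path(tmp) / "b.rpm").write_bytes(data + b" altered")
        (Path(tmp) / "stray.rpm").write_bytes(data)
        return audit_repo(tmp, records)
```

Treat any non-empty `missing`, `mismatch` or `unexpected` list as a reason to stop the rollout and re-sync the mirror.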
I've been tasked with installing Falcon sensor on all our Linux servers, however it takes ages to install and in some cases times out altogether.

The issue appears to be the `Copy Sensor Installation Package to remote host (non-windows)` step below

Does it really download the install package to the ansible client and then copy it to each server? Is there a reason it cannot just download the installation package directly on the remote server or provide a `dnf` repository for Redhat based distros?

Admittedly I'm a Crowdstrike newbie so maybe I'm missing something, but would appreciate some guidance on a more efficient way to install the agent on multiple (50+) servers.