CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

[ BUG ] `Add-FalconSensorTag` and `Remove-FalconSensorTag` not working on Linux hosts #421

Open bbivmb opened 2 months ago

bbivmb commented 2 months ago

PSFalcon: version 2.27
PSVersion: 5.1.19041.4780
OS: LNX RHEL 8.x
Host already has SensorTags configured
Enabled RTR with custom scripts and run.


When I try to REMOVE a SensorTag with Remove-FalconSensorTag it fails with the output below:

PS C:\> Remove-FalconSensorTag -Id $device -Tag "SensorGroupingTags/testpsfalcon"

cid              : ***
device_id        : ***
tags             : /bin/bash: -c: line 4: syntax error near unexpected token `$'do\r''
                   /bin/bash: -c: line 4: `  do'

offline_queued   : False
session_id       : ***
cloud_request_id : ***
status           : 

When I try to ADD a SensorTag with Add-FalconSensorTag it fails with the following output:

PS C:\> Add-FalconSensorTag -Id $device -Tag "SensorGroupingTags/testpsfalcon"

cid              : ***
device_id        : ***
tags             : /opt/CrowdStrike/falconctl: unrecognized option '--tags'
                   Run 'falconctl -h' OR 'falconctl --help' for usage help
                   Sensor grouping tags are already set, but -f was not specified
                   ERROR: failed to process the option --tags
                   Run 'falconctl -h' OR 'falconctl --help' for usage help

offline_queued   : False
session_id       : ***
cloud_request_id : ***
status           : 

bk-cs commented 2 months ago

Thanks for the report! I can confirm the same behavior in my test environment.

It seems like something with the command line syntax for the falconctl command is being mangled while being passed to the RTR session. I'm investigating and will respond when I'm able to figure it out.

bk-cs commented 2 months ago

I believe I've narrowed this issue down to the transmission of the scripts used to manipulate FalconSensorTags through Real-time Response. I made some changes to those scripts, and also some optimizations to the Add-FalconSensorTag, Set-FalconSensorTag and Remove-FalconSensorTag commands.

Can you please follow the steps mentioned below and let me know if this resolves your issue? Once you update the public\psf-sensors.ps1, script\add_sensortag.sh, script\add_sensortag.zsh, script\remove_sensortag.ps1, script\remove_sensortag.sh, and script\remove_sensortag.zsh, you must restart PowerShell and re-import PSFalcon.

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/public/psf-sensors.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-sensors.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/add_sensortag.sh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) add_sensortag.sh)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/add_sensortag.zsh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) add_sensortag.zsh)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.sh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.sh)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.zsh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.zsh)

bbivmb commented 2 months ago

Thank you for the feedback.

SensorTag is still not added/removed. Please find the outputs below. I also attached the commands run by RTR as found in the RTR Audit (screenshots).


(screenshots attached: add-sensortag, remove-sensortag)



Add-FalconSensorTag -Id $device -Tag $tag

FIRST RUN:

cid              : 
device_id        : 
tags             : tag1,tag2,tag3
offline_queued   : False
session_id       : 
cloud_request_id : 
status           : sed: -e expression #1, char 58: unknown option to `s'

CONSECUTIVE RUNS:

query_time  powered_by trace_id
0.06867246  csam       ***

Remove-FalconSensorTag -Id $device -Tag $tag

query_time  powered_by trace_id
0.068985217 csam       ***


bk-cs commented 2 months ago

Your new issue looks to be a problem specific to the sed installed in your version of Linux. I'll have to investigate other version-compatible ways to parse the falconctl output.

bk-cs commented 2 months ago

You can take the add_sensortag.sh script (with the sed portion removed) and save it as a custom script that you use with runscript instead of using Add-SensorTag:

/opt/CrowdStrike/falconctl -s -f --tags="$1" && /opt/CrowdStrike/falconctl -g --tags

Which you'd run like this in the console:

runscript -CloudFile="my_script" -CommandLine='"tag1,tag2,tag3"'

Or like this with PSFalcon (replace the backslashes with ``` characters):

Invoke-FalconRtr -Command runscript -Argument '-CloudFile="my_script" -CommandLine=\\\"tag1,tag2,tag3"\\\' -HostId <id>

bbivmb commented 2 months ago

I confirm the following works:

  1. Create RTR custom script: /opt/CrowdStrike/falconctl -s -f --tags="$1" && /opt/CrowdStrike/falconctl -g --tags

  2. Run psfalcon command: Invoke-FalconRtr -Command runscript -Argument '-CloudFile="AddSensortagCustom" -CommandLine=```"psfalcontest1,psfalcontest2,psfalcontest3"```' -HostId ***

     Output:

     aid              : 
     session_id       : 
     offline_queued   : False
     cloud_request_id : ***
     complete         : True
     stdout           : tags=psfalcontest1,psfalcontest2,psfalcontest3.
     stderr           : 

     RTR Audit log entry: (screenshot)

     Result: (screenshot)

59e5aaf4 commented 2 months ago

I managed to sort that one out by converting \r\n to \n in add_sensortag.sh. It's pretty tricky, as the \r are only there in the powershell-packaged version of psfalcon, they're not on github. My error messages were exactly the same as yours and initially I thought about all sorts of shell-specific bugs like bashisms, or curious behaviors, but no, looking at telemetry data showed a lot of \000d intermixed everywhere. Overwriting the file in (Get-Module PSFalcon).Path ( C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.7\script ) without newlines ( vim set ff=unix ) fixed this.

Before: (screenshot)  After: (screenshot)

59e5aaf4 commented 2 months ago

> I believe I've narrowed this issue down to the transmission of the scripts used to manipulate FalconSensorTags through Real-time Response. I made some changes to those scripts, and also some optimizations to the Add-FalconSensorTag, Set-FalconSensorTag and Remove-FalconSensorTag commands.
>
> Can you please follow the steps mentioned below and let me know if this resolves your issue? Once you update the public\psf-sensors.ps1, script\add_sensortag.sh, script\add_sensortag.zsh, script\remove_sensortag.ps1, script\remove_sensortag.sh, and script\remove_sensortag.zsh, you must restart PowerShell and re-import PSFalcon.
>
> Import-Module -Name PSFalcon
> $ModulePath = (Show-FalconModule).ModulePath
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/public/psf-sensors.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-sensors.ps1)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/add_sensortag.sh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) add_sensortag.sh)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/add_sensortag.zsh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) add_sensortag.zsh)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.ps1)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.sh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.sh)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.zsh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.zsh)

Ha nice one, but if powershell transparently adds CRLF line endings when parsing text you're in for a good debug time :P

59e5aaf4 commented 2 months ago

Last comment, if falconctl had native options ( hello, "Source/Libraries/SimpleStore/Linux/simplestore.cpp" ) to just add/remove/purge the tags without having users rely on wrapper scripts that would be great. Ideally, the sorted(unique_set(oldlist + newtags)) should happen inside falconctl and not with wrapper scripts which have to rely on some *sh from some UNIX system, plus sed plus xargs plus tr plus sort plus printf :P But heh, it is what it is dot jpeg :D

bk-cs commented 2 months ago

> I managed to sort that one out by converting \r\n to \n in add_sensortag.sh. It's pretty tricky, as the \r are only there in the powershell-packaged version of psfalcon, they're not on github. My error messages were exactly the same as yours and initially I thought about all sorts of shell-specific bugs like bashisms, or curious behaviors, but no, looking at telemetry data showed a lot of \000d intermixed everywhere. Overwriting the file in (Get-Module PSFalcon).Path ( C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.7\script ) without newlines ( vim set ff=unix ) fixed this.

Thank you! I figured it was something to do with the formatting (which is why I latched on to the single line replacement script) but wasn't able to narrow down the exact cause.

I might be able to do some RegEx replacement when loading the script from disk before sending it to Real-time Response to replace any \r characters, which should help with anything introduced by the PowerShell Gallery...
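As an added example (not PSFalcon's own code, and not what the maintainer shipped), this is what the pre-send normalization described in the comment above can look like, as two hypothetical helpers: one reports whether a script file on disk still carries CR (0x0D) bytes, the other returns the file's text with every CRLF or lone CR collapsed to LF. Both read the file through .NET rather than text-mode cmdlets so no line-ending reinterpretation happens on the way in. The write-back uses an explicit BOM-less UTF-8 encoder because Windows PowerShell 5.1's `>`/Out-File default is UTF-16LE, which bash cannot run either. `Show-FalconModule` is PSFalcon's own command, used earlier in this thread; the loop over the module's `script` folder is the assumed deployment layout.

```powershell
# Added example, not PSFalcon code. Function names are hypothetical.

function Test-CarriageReturn {
    # Returns $true when the file contains at least one CR (0x0D) byte.
    # Checking raw bytes avoids any line-ending translation a text cmdlet might apply.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([Array]::IndexOf($bytes, [byte]13) -ge 0)
}

function ConvertTo-UnixLineEnding {
    # Returns the file's text with CRLF and lone CR both collapsed to LF.
    # -replace is regex based; CRLF is handled first so a CR is never left behind.
    param([Parameter(Mandatory)][string]$Path)
    $text = [System.IO.File]::ReadAllText($Path)
    return ($text -replace "`r`n", "`n" -replace "`r", "`n")
}

# Usage: scan the bundled RTR scripts and rewrite any that carry CR bytes.
# Show-FalconModule is PSFalcon's own command (as used earlier in this thread).
$ScriptPath = Join-Path (Show-FalconModule).ModulePath 'script'
$Utf8NoBom  = [System.Text.UTF8Encoding]::new($false)   # no BOM: bash would choke on one

foreach ($file in Get-ChildItem -Path $ScriptPath -File | Where-Object { $_.Extension -in '.sh', '.zsh' }) {
    if (Test-CarriageReturn -Path $file.FullName) {
        $clean = ConvertTo-UnixLineEnding -Path $file.FullName
        [System.IO.File]::WriteAllText($file.FullName, $clean, $Utf8NoBom)
        Write-Host "normalized line endings in $($file.Name)"
    }
}
```

The same `ConvertTo-UnixLineEnding` call can be applied to the script text in memory right before it is handed to Real-time Response, which is the "RegEx replacement when loading the script from disk" idea above; `Test-CarriageReturn` is the cheap check to run first, since the symptom in this thread (`syntax error near unexpected token `$'do\r''`) only ever surfaces on the Linux side.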

bk-cs commented 2 months ago

> Last comment, if falconctl had native options ( hello, "Source/Libraries/SimpleStore/Linux/simplestore.cpp" ) to just add/remove/purge the tags without having users rely on wrapper scripts that would be great. Ideally, the sorted(unique_set(oldlist + newtags)) should happen inside falconctl and not with wrapper scripts which have to rely on some *sh from some UNIX system, plus sed plus xargs plus tr plus sort plus printf :P But heh, it is what it is dot jpeg :D

Unfortunately I don't make those calls... 😄

I can shift the text manipulation from happening in the SensorTag script to happening in the PSFalcon code to produce the output. That will remove the need to use sed. You're full of great ideas 😉
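As an added example (not PSFalcon's or CrowdStrike's code), here is what moving the tag arithmetic out of the sed/xargs/tr/sort pipeline and into PowerShell can look like, covering both the sorted(unique_set(oldlist + newtags)) wish in the quoted comment and the plan stated directly above. It assumes that `falconctl -g --tags` prints `tags=tag1,tag2,tag3.` with a trailing period (the shape seen in the stdout earlier in this thread) and that any other output means no tags are set; it compares tag names ordinally (case-sensitively), which is a choice made here, not something the sensor documents. Function names are hypothetical, and the sample output is constructed. The Linux side then reduces to the one-line custom script already given in the thread, receiving the finished comma-separated list as `$1`.

```powershell
# Added example, not PSFalcon code. Function names are hypothetical.

function ConvertFrom-FalconctlTagOutput {
    # Parses 'falconctl -g --tags' stdout, assumed to look like "tags=tag1,tag2,tag3."
    # (trailing period, as seen in this thread). Any other text yields an empty list.
    param([AllowEmptyString()][string]$Output)
    $m = [regex]::Match($Output.Trim(), '^tags=(?<list>.*?)\.?$')
    if (-not $m.Success) { return @() }
    return @($m.Groups['list'].Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-MergedSensorTag {
    # Current tags plus additions minus removals, de-duplicated and sorted.
    # Ordinal (case-sensitive) comparison is an assumption made for this example.
    param([string[]]$Current = @(), [string[]]$Add = @(), [string[]]$Remove = @())
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::Ordinal)
    foreach ($t in @($Current) + @($Add)) { if ($t) { [void]$set.Add($t) } }
    foreach ($t in @($Remove)) { if ($t) { [void]$set.Remove($t) } }
    return @($set | Sort-Object)
}

# Worked run on constructed sensor output: three existing tags, add one, drop one.
$current = ConvertFrom-FalconctlTagOutput -Output "tags=tag1,tag2,tag3.`n"
$merged  = Get-MergedSensorTag -Current $current -Add 'psfalcontest1' -Remove 'tag2'

# The joined string is what the custom script from this thread takes as $1:
#   /opt/CrowdStrike/falconctl -s -f --tags="$1" && /opt/CrowdStrike/falconctl -g --tags
$merged -join ','
```

With the merge done before the RTR call, the only thing that has to survive transmission to the host is the single falconctl line, which is also the part of the script that caused no trouble in this thread; the sed expression that broke on RHEL 8 is no longer needed at all.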