Hi @frealgagu, I Haven't ever used falcon-sensor, and even less on Arch or derivatives. Is it still working on Arch? Should falcon-kernel-check be adjusted, to add the linux version and distro used? I'm forced to use it...
I'm asking because it's supposed to be tightly related to linux (kernel).
Is current Arch still able to use falcon-sensor? The installer provided by the company I work for comes with a deb package 7.11.0-16404 and a bunch rpm packages with the same version.
Looking at falcon-kernel-check16404 the latest linux version supported seems to be:
6.2.0-1021-gcp #23~22.04.1-Ubuntu SMP Sat Jan 20 00:57:09 UTC 2024\n
I don't see any linux version available that old, :( Current linux-lts I see is 6.6.30, way more recent than 6.2.0, and besides the checker might match for the whole string. The non ubuntu strings are even older... And this deb package is way newer than the one specified in the out of date flag.
There are some executables:
falcon-sensor16404
falcon-sensor-bpf16404
Though there are as well linux modules compressed on:
KernelModuleArchive16404
For example:
ubuntu22 6.2.0-26-generic@#26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 16:27:29 UTC
And it seems the linux version check is performed in both executables:
% grep -r falcon-kernel-check pkg/falcon-sensor/
grep: pkg/falcon-sensor/opt/CrowdStrike/falcon-sensor16404: binary file matches
pkg/falcon-sensor/opt/CrowdStrike/falcon-kernel-check16404:2:# @file falcon-kernel-check
grep: pkg/falcon-sensor/opt/CrowdStrike/falcon-sensor-bpf16404: binary file matches
So it seems this newer falcon-sensor doesn't support even the older linux version supported by Arch, not even linux-lts. Starting for the fact the linux version checker should then need to be modified.
Is that what is been done by current users? Modifying the checker, so some code is actually tried by linux (perhaps some eBPF one)? Weird that the AUR package doesn't include any modification to the linux version checker...
Many thanks !
Pinned Comments
sipak commented on 2024-12-04 08:32 (UTC) (edited on 2024-12-04 08:36 (UTC) by sipak)
The installer was updated and proven to be working on Arch as of a month now. I no longer have access to a licensed product to test it anymore, so feel free to update/adopt.
By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
Terms of Use: https://www.crowdstrike.com/software-terms-of-use/ Privacy Notice: https://www.crowdstrike.com/privacy-notice/ License: https://www.crowdstrike.com/en-us/crowdstrike-sensor-licensing-faq/ Documentation: https://www.crowdstrike.com/tech-hub/endpoint-security/installing-falcon-sensor-for-linux/
frealgagu commented on 2023-02-02 00:17 (UTC)
@ZetaRevan downloading from CrowdStrike portal is the only allowed method to get the required binaries as stated here: https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor/
If you need the binary you need to have a valid license and download the package from the portal using your credentials.
Verification sums may differ from the source you obtain (with the valid license) so I'm leaving the checksum SKIPPED in order to allow you install the sensor without modification.
https://github.com/frealgagu/archlinux.falcon-sensor won't be available again and I recommend to not upload CrowdStrike binaries (even the ones generated for ArchLinux) publicly to avoid legal issues.
You can put your binary directly in the same folder of PKGBUILD and run makepkg (or extra-x86_64-build if you want a clean chroot environment), this way the command will recognize your binary and it will use it to make the ArchLinux package properly (avoiding the unknown manual:// protocol)