cloud-azure's Issues

Incorrect instructions for installing Linux sensor using VM Application

The instructions for setting up the Azure Virtual Machine Application to deploy the CS Sensor on Linux [🔗 link] mention:

Make sure to keep some iteration of `mv CrowdStrike-Falcon-Linux-Installer falcon-linux-install.sh` in `--install-command`. Otherwise, the application will fail to install.

In this case, the `--package-file-name` parameter is not included in the example, and the file is downloaded as `falcon-linux-install.sh`.

The current code example causes the installation to fail and therefore should be updated with either

  1. removing `mv CrowdStrike-Falcon-Linux-Installer falcon-linux-install.sh &&` from the install-command, or
  2. adding `--package-file-name CrowdStrike-Falcon-Linux-Installer` to the gallery-app version creation command

Using the current code example, installation fails:

Error output in /var/lib/waagent/Microsoft.CPlat.Core.VMApplicationManagerLinux/CrowdStrike-Falcon-Linux-Installer/{version}:

$ cat ./stderr
mv: cannot stat 'CrowdStrike-Falcon-Linux-Installer': No such file or directory

After removing from the install-command, the output to stdout is:

$ cat ./stdout
Check if Falcon Sensor is running ...[ Not present ]
Falcon Sensor Install  ... [ Ok ]
Falcon Sensor Register ... [ Ok ]
Falcon Sensor Restart  ... [ Ok ]
Falcon Sensor installed successfully.
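The mismatch this issue describes can be caught before the version is created. The script below is an added example, not code from the cloud-azure repo: it extracts the source operand of any `mv` in the intended `--install-command`, compares it with the name given to `--package-file-name` (option 2 above), and only then emits the `az sig gallery-application version create` call. The resource group, gallery name, package link and remove command are placeholders; `AZ_DRY_RUN=1` prints the command instead of running `az`.

```shell
#!/usr/bin/env bash
# Added example, not code from the cloud-azure repo: a pre-flight check for an
# Azure VM Application version. The install command runs in the directory the
# package was downloaded to, so any "mv <src> <dst>" in --install-command must
# name as <src> the file the package actually lands as. Passing
# --package-file-name makes that name explicit, and this script refuses to emit
# the az call when the two disagree (the failure in the issue:
# mv: cannot stat 'CrowdStrike-Falcon-Linux-Installer').
# Resource names, the package link and the remove command are placeholders.
set -u

# Print the source operand of the last "mv" in an install command, or nothing.
vmapp_mv_source() {
  printf ' %s\n' "$1" |
    sed -n 's/.*[[:space:];&|]mv[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]].*/\1/p'
}

# Exit 0 when the install command has no mv, or moves exactly the package file
# name; exit 1 when it references some other file.
vmapp_check_install_cmd() {
  package_file_name=$1 install_cmd=$2
  src=$(vmapp_mv_source "$install_cmd")
  [ -z "$src" ] || [ "$src" = "$package_file_name" ]
}

# Compose the az CLI call for the version (AZ_DRY_RUN=1 prints it; otherwise
# it runs). --package-file-name is always set so the downloaded name is known.
vmapp_version_create() {
  rg=$1 gallery=$2 app=$3 version=$4 pkg_link=$5 pkg_name=$6 install_cmd=$7 remove_cmd=$8
  if ! vmapp_check_install_cmd "$pkg_name" "$install_cmd"; then
    echo "refusing: --install-command moves '$(vmapp_mv_source "$install_cmd")' but the package downloads as '$pkg_name'" >&2
    return 1
  fi
  set -- az sig gallery-application version create \
    --resource-group "$rg" --gallery-name "$gallery" --application-name "$app" \
    --name "$version" --package-file-link "$pkg_link" --package-file-name "$pkg_name" \
    --install-command "$install_cmd" --remove-command "$remove_cmd"
  if [ "${AZ_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed inputs mirroring the issue: the install command renames the
# download, so the package file name must be the name it renames from.
# The remove command is a placeholder; a real one must uninstall the sensor.
INSTALL_CMD='mv CrowdStrike-Falcon-Linux-Installer falcon-linux-install.sh && bash falcon-linux-install.sh'
REMOVE_CMD='echo replace-with-sensor-uninstall'
AZ_DRY_RUN=1 vmapp_version_create rg-example gal-example CrowdStrike-Falcon-Linux-Installer 1.0.0 \
  'https://storage.example.invalid/falcon-linux-install.sh' CrowdStrike-Falcon-Linux-Installer "$INSTALL_CMD" "$REMOVE_CMD"
# Mismatch (package file name left as falcon-linux-install.sh): rejected locally.
AZ_DRY_RUN=1 vmapp_version_create rg-example gal-example CrowdStrike-Falcon-Linux-Installer 1.0.0 \
  'https://storage.example.invalid/falcon-linux-install.sh' falcon-linux-install.sh "$INSTALL_CMD" "$REMOVE_CMD" || true
```

Option 1 from the issue (dropping the `mv` entirely) also passes the check, since an install command without `mv` has nothing to disagree with; the check only guards the case where a rename is kept.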

Azure VM Application not uninstalling Crowdstrike

I'm having trouble with the uninstall command of the Azure VM application removing Crowdstrike against a Windows Server 2019 VM. The install works as expected. Below can be seen in VmAppExt_*.log:

```
Info 2023/03/01 19:20:49 Calling command 'powershell.exe -Command .\falcon_windows_install.ps1 -Uninstall 1' for application CrowdStrike-Falcon-Windows-Installer, version 1.0.4
Info 2023/03/01 19:20:50 command: powershell.exe -Command .\falcon_windows_install.ps1 -Uninstall 1
Info 2023/03/01 19:20:50 stdout:

Info 2023/03/01 19:20:50 stderr:
.\falcon_windows_install.ps1 : The term '.\falcon_windows_install.ps1' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:1 char:1
+ .\falcon_windows_install.ps1 -Uninstall 1
    + CategoryInfo          : ObjectNotFound: (.\falcon_windows_install.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```

After the uninstall operation is initiated from the console, log above can be seen. Additionally, the following folder is removed: C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.9\Downloads\CrowdStrike-Falcon-Windows-Installer

It almost seems like the script is being removed as part of the Azure uninstall job before the script is called -- thus Crowdstrike fails to be removed as the script can't be found.

When the script is copied to the VM and run interactively on an elevated powershell session, Crowdstrike is uninstalled as expected.

Update VM run command

In the VM run command examples, update to include docs around:

  • Ensuring TLSv2 is set prior to running falcon-scripts
  • Show examples on using --ids to target multiple systems at once

@redhatrises | @ffalor
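The two documentation items requested above, worked as an added example that is not code from the cloud-azure repo or from falcon-scripts. The script handed to `RunPowerShellScript` enables TLS 1.2 (the setting the issue calls TLSv2) on its first line, and the targets come from the `--ids` argument of `az vm run-command invoke`, so one call covers every VM an `az vm list` query returns. The installer URL and the `-FalconClientId`/`-FalconClientSecret` parameter names are assumptions about falcon-scripts; the resource ids are constructed sample data, and `AZ_DRY_RUN=1` prints the command instead of calling `az`.

```shell
#!/usr/bin/env bash
# Added example (not code from cloud-azure or falcon-scripts): the two items the
# issue asks the run-command docs to cover, runnable offline with AZ_DRY_RUN=1.
#  1. The Windows installer downloads the sensor over HTTPS from the Falcon API.
#     On Windows PowerShell 5.1 hosts whose .NET default protocol set lacks
#     TLS 1.2, that download fails, so the first script line enables TLS 1.2.
#  2. az vm run-command invoke accepts --ids, so one call fans out to every VM
#     returned by an az vm list query instead of looping per VM name.
# Assumptions: the script URL and the -FalconClientId/-FalconClientSecret
# parameter names of falcon_windows_install.ps1.
set -u

FALCON_PS1_URL=${FALCON_PS1_URL:-https://raw.githubusercontent.com/crowdstrike/falcon-scripts/main/powershell/install/falcon_windows_install.ps1}

# PowerShell lines for --scripts. TLS 1.2 comes first so that the download
# below and the installer's own API calls both negotiate it.
falcon_win_script() {
  client_id=$1 client_secret=$2
  printf '%s\n' \
    '[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12' \
    "Invoke-WebRequest -Uri '$FALCON_PS1_URL' -OutFile \"\$env:TEMP\\falcon_windows_install.ps1\"" \
    "& \"\$env:TEMP\\falcon_windows_install.ps1\" -FalconClientId '$client_id' -FalconClientSecret '$client_secret'"
}

# Turn the TSV that `az vm list ... -o tsv` prints (one resource id per line,
# read from stdin) into one space-separated list for --ids.
ids_from_tsv() {
  tr '\n' ' ' | sed 's/ *$//'
}

# Number of targets in such a list (used to refuse an empty fan-out).
count_ids() { set -- $1; echo $#; }

# One run-command invocation over all ids; AZ_DRY_RUN=1 prints instead of runs.
# Note that the credentials travel inside the script text of this request.
falcon_run_command() {
  ids=$1 client_id=$2 client_secret=$3
  [ "$(count_ids "$ids")" -gt 0 ] || { echo "no target VMs" >&2; return 1; }
  set -- az vm run-command invoke --command-id RunPowerShellScript \
         --ids $ids --scripts "$(falcon_win_script "$client_id" "$client_secret")"
  if [ "${AZ_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample standing in for the output of, e.g.:
#   az vm list -g rg-prod --query "[?storageProfile.osDisk.osType=='Windows'].id" -o tsv
SAMPLE_TSV='/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/win01
/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/win02'

AZ_DRY_RUN=1 falcon_run_command "$(printf '%s\n' "$SAMPLE_TSV" | ids_from_tsv)" \
  "${FALCON_CLIENT_ID:-<client-id>}" "${FALCON_CLIENT_SECRET:-<client-secret>}"
```

To run for real, replace the constructed TSV with the `az vm list` query output and drop `AZ_DRY_RUN`; `count_ids` stops the call when the query matched nothing, which otherwise surfaces only as an az argument error.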

How to pass installation token for powershell script?

Hello,

I have attempted to deploy your running powershell script in my terraform vm extension module. I examined the powershell script and could not find any reference to passing installation tokens?

Is this possible?

It appears that the linux bash scripts have this option but not powershell?

maybe I am missing something?

API secret should be stored in protectedSettings.

The arm template commandtoexecute should be moved to protectedSettings since it has the clientid and clientsecret. If it isn't in protectedSettings, it is logged in cleartext on the vm the CSE runs on.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#extension-schema

The same thing applies to your CLI example; https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux#azure-cli has a protectedSettings example.
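A guard that enforces the point of this issue, added here as an example that is not code from the cloud-azure repo. Per the Microsoft docs linked above, `--settings` is stored in the clear while `--protected-settings` is encrypted and decrypted only on the VM, so a `commandToExecute` that carries `FALCON_CLIENT_ID`/`FALCON_CLIENT_SECRET` must go in the protected half. The script refuses to compose the `az vm extension set` call when credential-looking material is in the public settings, and shows the corrected shape. Resource names are placeholders and the keyword list is an assumption; `AZ_DRY_RUN=1` prints the command instead of calling `az`.

```shell
#!/usr/bin/env bash
# Added example, not from the cloud-azure repo: a guard for the Custom Script
# Extension call. Per the Microsoft docs linked in the issue, --settings is
# stored in the clear (resource JSON, and the extension's config/log files on
# the VM) while --protected-settings is encrypted and decrypted only on the VM.
# commandToExecute here carries FALCON_CLIENT_ID/FALCON_CLIENT_SECRET, so it
# belongs in --protected-settings. Resource names are placeholders.
set -u

# Names that must never appear in public settings (assumed list; extend it).
SECRET_PATTERN='FALCON_CLIENT_SECRET|FALCON_CLIENT_ID|client_?secret'

# Exit 0 if the public --settings JSON carries no credential material.
cse_public_settings_ok() {
  if printf '%s' "$1" | grep -Eiq "$SECRET_PATTERN"; then
    echo "refusing: credential in public settings; move commandToExecute to --protected-settings" >&2
    return 1
  fi
}

# Protected settings for the Linux CSE: the script URL plus a command that
# hands the API credentials to the installer as environment variables.
cse_protected_settings() {
  client_id=$1 client_secret=$2 script_url=$3
  printf '{"fileUris":["%s"],"commandToExecute":"FALCON_CLIENT_ID=%s FALCON_CLIENT_SECRET=%s /bin/bash falcon-linux-install.sh"}' \
    "$script_url" "$client_id" "$client_secret"
}

# Compose the extension call; AZ_DRY_RUN=1 prints it instead of running az.
# Only non-secret material may be passed as the optional public settings.
cse_extension_set() {
  rg=$1 vm=$2 protected=$3 public=${4:-}
  if [ -n "$public" ]; then cse_public_settings_ok "$public" || return 1; fi
  set -- az vm extension set --resource-group "$rg" --vm-name "$vm" \
         --name CustomScript --publisher Microsoft.Azure.Extensions \
         --protected-settings "$protected"
  [ -n "$public" ] && set -- "$@" --settings "$public"
  if [ "${AZ_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Script URL as used elsewhere in this issue tracker (falcon-scripts on GitHub).
SCRIPT_URL=https://raw.githubusercontent.com/crowdstrike/falcon-scripts/main/bash/install/falcon-linux-install.sh

# Correct shape: credentials only inside --protected-settings.
AZ_DRY_RUN=1 cse_extension_set rg-example vm-example \
  "$(cse_protected_settings "${FALCON_CLIENT_ID:-<client-id>}" "${FALCON_CLIENT_SECRET:-<client-secret>}" "$SCRIPT_URL")"

# Rejected shape: the same command string offered as public --settings.
AZ_DRY_RUN=1 cse_extension_set rg-example vm-example '{}' \
  '{"commandToExecute":"export FALCON_CLIENT_ID=123 && export FALCON_CLIENT_SECRET=abc && /bin/bash falcon-linux-install.sh"}' || true
```

The same split applies to the ARM template: `commandToExecute` goes under `protectedSettings`, and `settings` keeps at most a `timestamp` or other non-secret keys.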

CrowdStrike / Azure Sentinel - Machine Status 'Online'

Description of your question
This surfaced when we noticed that a certain individual had not returned his/her work laptop to the company after leaving.

As he/she was using an old account, logging in to Windows would still work because the machine was at home and had not contacted the corp network.

We would like to leverage the API connection between CrowdStrike and Azure Sentinel to put an analytic rule in place so that, when an account is disabled (seen in Azure Sentinel through the Audit Logs) and the machine remains online in CrowdStrike, this is flagged in Azure Sentinel and an Alert/Incident is created.

The analytic rule currently stands at below without using any connection to the CrowdStrike Services

let watchlist = _GetWatchlist("keyStakeholders");
AuditLogs
| where OperationName == "Disable account"
| extend accountDisabled = tostring(TargetResources[0].userPrincipalName)
| where (accountDisabled has_any(watchlist))

We currently already have an API connection that provides other information from CrowdStrike to Sentinel.

Environment (please complete the following information):

CrowdStrike
Azure Sentinel

Windows Example

Can you please add a working example of using terraform to deploy the falcon sensor on windows VMs in Azure?

Could not read meta data from /tmp/tmp.DC8beNp6oV/falcon-sensor.deb

When I run the following command I am getting an error:

```
az vm extension set \
  --resource-group PALANI_DEV2_RG \
  --vm-name testvm2 \
  --name customScript \
  --publisher Microsoft.Azure.Extensions \
  --protected-settings '{"fileUris": ["https://raw.githubusercontent.com/crowdstrike/falcon-scripts/main/bash/install/falcon-linux-install.sh"],"commandToExecute": "export FALCON_CLIENT_ID=123 && export FALCON_CLIENT_SECRET=abc && /bin/bash falcon-linux-install.sh"}'
```

Output:
(VMExtensionProvisioningError) VM has reported a failure when processing extension 'customScript'. Error message: "Enable failed: failed to execute command: command terminated with exit status=100
[stdout]
Falcon Sensor Install ...
[stderr]
E: Invalid archive member header
E: Could not read meta data from /tmp/tmp.DC8beNp6oV/falcon-sensor.deb
E: The package lists or status file could not be parsed or opened.
"

More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot
Code: VMExtensionProvisioningError
Message: VM has reported a failure when processing extension 'customScript'. Error message: "Enable failed: failed to execute command: command terminated with exit status=100
[stdout]
Falcon Sensor Install ...
[stderr]
E: Invalid archive member header
E: Could not read meta data from /tmp/tmp.DC8beNp6oV/falcon-sensor.deb
E: The package lists or status file could not be parsed or opened.
"

More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot
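The `E: Invalid archive member header` / `Could not read meta data from ...falcon-sensor.deb` pair is what apt prints when the file it was given is not a Debian package: a `.deb` is an `ar` archive whose first eight bytes are `!<arch>\n` and whose first member is named `debian-binary`. The check below is an added example, not code from the cloud-azure repo or falcon-scripts: it verifies that header on a downloaded file before it is handed to the package manager, so a non-package response saved under the `.deb` name is reported in plain words instead of the apt error above. The two fixture files are constructed in a temp directory for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the cloud-azure repo or falcon-scripts. A .deb is an
# `ar` archive: 8-byte magic "!<arch>\n", then a 60-byte member header whose
# first 16 bytes are the member name, which for a .deb must be "debian-binary".
# If either is missing, apt/dpkg report "Invalid archive member header" and
# "Could not read meta data from <file>", which is the symptom in this issue.
set -u

# Exit 0 if FILE starts with the ar magic and its first member is
# debian-binary; exit 1 otherwise and say what the file starts with instead.
is_deb_archive() {
  file=$1
  magic=$(head -c 8 "$file" | tr -d '\n')
  if [ "$magic" != '!<arch>' ]; then
    printf '%s: not an ar archive (starts with: %s)\n' \
      "$file" "$(head -c 16 "$file" | tr -c '[:print:]' '?')" >&2
    return 1
  fi
  member=$(head -c 24 "$file" | tail -c 16 | tr -d ' /')
  if [ "$member" != debian-binary ]; then
    printf '%s: ar archive but first member is %s, not debian-binary\n' "$file" "$member" >&2
    return 1
  fi
}

# Where dpkg is available, go further and let it parse the control archive.
verify_deb() {
  is_deb_archive "$1" || return 1
  if command -v dpkg-deb >/dev/null 2>&1; then dpkg-deb --info "$1" >/dev/null; fi
}

# Constructed fixtures: a file with a valid ar magic and debian-binary header
# (header only, not a complete package), and a JSON body saved as .deb, which
# is the kind of content that produces the error in the issue.
make_fixtures() {
  dir=$(mktemp -d)
  printf '!<arch>\ndebian-binary   1234567890  0     0     100644  4         `\n2.0\n' > "$dir/good.deb"
  printf '{"errors":[{"code":403,"message":"access denied"}]}\n' > "$dir/bad.deb"
  echo "$dir"
}

FIXTURES=$(make_fixtures)
is_deb_archive "$FIXTURES/good.deb" && echo "good.deb: ar archive, first member debian-binary"
is_deb_archive "$FIXTURES/bad.deb" || echo "bad.deb rejected before reaching apt"
```

Run `is_deb_archive` against the temp file an installer wrote (the `/tmp/tmp.*/falcon-sensor.deb` path in the error) right after the download; when it fails, the first bytes it prints usually identify what was actually returned.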
