Crowdstrike Supported Kernels

The problem:


When you patch from a public repository, you can end up installing a new kernel that the Falcon sensors have not been tested against, which can cause issues such as crashes. How can you find the latest supported kernel that you are allowed to install?

Summarise Program Using falconpy

The output looks like this:

Distro Kernel
rhel8 4.18.0-553.8.1.el8_10.x86_64
rhel9 5.14.0-427.26.1.el9_4.x86_64
#!/usr/bin/env python3
from falconpy import SensorUpdatePolicy
import os, sys
from pkg_resources import parse_version
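def sort_versions(release_list):
    """Return the highest kernel release string in *release_list*.

    Releases are compared field by field: each string is split into runs of
    digits and runs of letters, digit runs compare as integers, and a digit
    run ranks above a letter run in the same position.  This orders strings
    such as ``4.18.0-553.8.1.el8_10.x86_64`` without depending on
    ``pkg_resources.parse_version``, which newer setuptools releases limit to
    PEP 440 versions (kernel release strings are not PEP 440 versions).

    Args:
        release_list: Non-empty sequence of kernel release strings.  The
            sequence is not modified.

    Returns:
        The release string that compares highest.

    Raises:
        IndexError: If *release_list* is empty.
    """
    import re  # local import: only this function needs it

    if not release_list:
        raise IndexError("release_list is empty; no kernel releases to compare")

    def release_key(release):
        # (1, int) for digit runs and (0, str) for letter runs keeps every
        # field comparable and ranks a number above a word.
        return tuple(
            (1, int(tok)) if tok.isdigit() else (0, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", release)
        )

    # max() settles ties by keeping the first equal entry, so duplicate
    # releases in the input cannot stall the comparison.
    return max(release_list, key=release_key)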

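# Summarise the newest kernel release CrowdStrike lists for each distro.
# API credentials are read from the environment so they never appear in the
# script; stop early with a clear message when they are absent instead of
# sending an unauthenticated request.
client_id = os.getenv("FALCONPY_CLIENT_ID")
client_secret = os.getenv("FALCONPY_CLIENT_SECRET")
if not client_id or not client_secret:
    sys.exit("FALCONPY_CLIENT_ID and FALCONPY_CLIENT_SECRET must be set")

falcon = SensorUpdatePolicy(
    client_id=client_id,
    client_secret=client_secret,
    base_url="eu1",
    # NOTE(review): debug logging records API request/response detail once a
    # logging handler is configured; confirm that is wanted (and that log
    # sanitisation is left on) before running this from a scheduled job.
    debug=True,
)
searchstr = ""  # not used: an empty string makes the release wildcard match everything
page_limit = 500
print('Distro Kernel')
for distrostr in ('rhel8', 'rhel9'):
    myfilter = "architecture:'x86_64'+distro:'" + distrostr + "'+release:*'*" + searchstr + "*'"
    result = falcon.query_combined_kernels(filter=myfilter, limit=page_limit)
    # A failed call (bad credentials, wrong region, missing API scope) must
    # not be reported as "no supported kernels".
    if result.get("status_code") != 200:
        errors = (result.get("body") or {}).get("errors")
        sys.exit(f"Kernel query for {distrostr} failed: "
                 f"status {result.get('status_code')}, errors {errors}")
    resources = (result.get("body") or {}).get("resources") or []
    if len(resources) >= page_limit:
        # Only one page is fetched; a full page means newer releases may
        # exist beyond it and the answer below could be stale.
        print(f'{distrostr}: result page is full ({page_limit} entries); '
              'the latest supported kernel may be missing', file=sys.stderr)
    supported_releases = [entry["release"] for entry in resources]
    if not supported_releases:
        print(f'{distrostr}: no supported kernels returned', file=sys.stderr)
        continue
    print(f'{distrostr} kernel-{sort_versions(supported_releases)}')
sys.exit()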

Patching Buddy Using Falconpy

The Output looks like this:

Latest Available kernel: 5.14.0-427.28.1.el9_4.x86_64
Current kernel 5.14.0-427.26.1.el9_4.x86_64 *supported
The lastest available kernel 5.14.0-427.28.1.el9_4.x86_64 is NOT supported
Latest Crowdstrike Supported Kernel: 5.14.0-427.26.1.el9_4.x86_64
Kernel is latest for Crowdstrike
#!/usr/bin/env python3
from falconpy import SensorUpdatePolicy
import os,sys,platform,subprocess
from pkg_resources import parse_version
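current_kernel = platform.release()

# Ask dnf whether a newer kernel package is available.  The command is an
# argument list (no shell), so nothing in it is interpreted by a shell.
cmd = ['/bin/dnf', 'list', 'available', 'kernel', '-q']
proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
output = proc.stdout.decode('ascii', errors='replace').split()
# NOTE(review): proc.returncode and proc.stderr are not inspected, so a
# failed dnf call looks the same as "no newer kernel available".

# assumes dnf prints rows of "kernel.<arch> <version-release> <repo>";
# locate the package token instead of trusting fixed positions in the output.
new_kernel = current_kernel
for pos, token in enumerate(output[:-1]):
    if token.startswith('kernel.'):
        # "<version-release>" + ".<arch>" gives the same form as platform.release()
        new_kernel = output[pos + 1] + token[len('kernel'):]
        break
else:
    if output:
        print('Could not find a kernel package in the dnf output; '
              'assuming no newer kernel is available', file=sys.stderr)
print(f'Latest Available kernel: {new_kernel}')

# API credentials come from the environment; stop with a clear message when
# they are absent instead of sending an unauthenticated request.
client_id = os.getenv("FALCONPY_CLIENT_ID")
client_secret = os.getenv("FALCONPY_CLIENT_SECRET")
if not client_id or not client_secret:
    sys.exit('FALCONPY_CLIENT_ID and FALCONPY_CLIENT_SECRET must be set')

# One client serves both queries below.
# NOTE(review): debug=True records API request/response detail once a logging
# handler is configured; confirm that is wanted on patched hosts.
falcon = SensorUpdatePolicy(client_id=client_id,
                            client_secret=client_secret,
                            base_url="eu1", debug=True)


def _supported_releases(kernel):
    """Return the releases CrowdStrike lists for the build stream of *kernel*.

    The filter keeps x86_64 releases that contain the first three
    dot-separated fields of *kernel* (for example "5.14.0-427").  An exact
    match would instead use filter="release:'5.4.228-131.415.amzn2.x86_64'".
    Exits the script when the API call does not return status 200.
    """
    searchstr = ".".join(kernel.split(".")[:3])
    myfilter = "architecture:'x86_64'+release:*'*" + searchstr + "*'"
    # No limit is passed, so the API's default page size applies.
    # TODO confirm that one page covers a whole build stream.
    result = falcon.query_combined_kernels(filter=myfilter)
    if result.get("status_code") != 200:
        errors = (result.get("body") or {}).get("errors")
        sys.exit(f"Kernel query for {searchstr} failed: "
                 f"status {result.get('status_code')}, errors {errors}")
    resources = (result.get("body") or {}).get("resources") or []
    return [entry['release'] for entry in resources]


# Is current_kernel supported
if current_kernel in _supported_releases(current_kernel):
    supported = "*supported"
else:
    supported = "*NOT supported"
    print('The current kernel is NOT supported')
print(f'Current kernel {current_kernel} {supported}')

# Is new_kernel supported.  supported_releases is kept at module level
# because the rest of the script picks the latest supported kernel from it.
supported_releases = _supported_releases(new_kernel)
if new_kernel in supported_releases:
    print('The new kernel is supported')
else:
    print(f'The lastest available kernel {new_kernel} is NOT supported')
    #print(f'These are available: {supported_releases}')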

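# Given a list of Linux kernel releases, return the latest one.
def get_latest(release_list):
    """Return the highest kernel release string in *release_list*.

    Releases are compared field by field: each string is split into runs of
    digits and runs of letters, digit runs compare as integers, and a digit
    run ranks above a letter run in the same position.  This orders strings
    such as ``5.14.0-427.26.1.el9_4.x86_64`` without depending on
    ``pkg_resources.parse_version``, which newer setuptools releases limit to
    PEP 440 versions (kernel release strings are not PEP 440 versions).

    Args:
        release_list: Non-empty sequence of kernel release strings.  The
            sequence is not modified.

    Returns:
        The release string that compares highest.

    Raises:
        IndexError: If *release_list* is empty.
    """
    import re  # local import: only this function needs it

    if not release_list:
        raise IndexError("release_list is empty; no kernel releases to compare")

    def release_key(release):
        # (1, int) for digit runs and (0, str) for letter runs keeps every
        # field comparable and ranks a number above a word.
        return tuple(
            (1, int(tok)) if tok.isdigit() else (0, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", release)
        )

    # max() settles ties by keeping the first equal entry, so duplicate
    # releases in the input cannot stall the comparison.
    return max(release_list, key=release_key)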

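def _release_key(release):
    """Split a kernel release into fields that compare in version order.

    Digit runs become (1, int) and letter runs become (0, str), so numbers
    compare numerically and a number ranks above a word in the same position.
    """
    import re  # local import: only this helper needs it

    return tuple(
        (1, int(tok)) if tok.isdigit() else (0, tok)
        for tok in re.findall(r"\d+|[A-Za-z]+", release)
    )


# Without any supported release there is nothing safe to recommend.
if not supported_releases:
    sys.exit(f'No Crowdstrike supported kernels were returned for {new_kernel}')

latest_supported_kernel = get_latest(supported_releases)
print(f'Latest Crowdstrike Supported Kernel: {latest_supported_kernel}')

current_key = _release_key(current_kernel)
latest_key = _release_key(latest_supported_kernel)
if current_key == latest_key:
    print('Kernel is latest for Crowdstrike')
elif current_key < latest_key:
    # Suggest the install command only; the operator decides whether to run it.
    print(f'dnf install kernel-{latest_supported_kernel}')
else:
    # The running kernel is ahead of everything in the supported list, which
    # is the situation this script exists to catch, so say so explicitly.
    print(f'Current kernel {current_kernel} is newer than the latest '
          f'Crowdstrike supported kernel {latest_supported_kernel}',
          file=sys.stderr)
sys.exit()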