Deploying Crowdstrike Falcon-sensor using Ansible and Puppet


CrowdStrike Falcon is an endpoint sensor: it watches process, file and network activity on the host and ships it to the Falcon cloud. For the devops/sysadmin the job is simply deploying a package on Linux and pointing it at the right customer ID (CID).

First with Puppet

Download and install the module (I'm using open source Puppet with Foreman):

puppet module install crowdstrike-falcon --version 0.7.1

Create a class to wrap it :

cd /etc/puppetlabs/code/environments/common/modules
sudo dnf install pdk
pdk new module uhfalcon --skip-interview   # pdk new class must run inside a module
cd uhfalcon
pdk new class uhfalcon                      # the main class lands in manifests/init.pp

Head for manifests/init.pp:

class uhfalcon {
  class { 'falcon':
    # Sensitive() keeps the API credentials out of Puppet logs and reports;
    # source them from hiera-eyaml rather than committing them to the manifest
    client_id      => Sensitive('***************'),
    client_secret  => Sensitive('****************'),
    # customer ID exactly as the Falcon console shows it, checksum suffix included
    cid            => '**********************-80',
    falcon_cloud   => 'api.eu-1.crowdstrike.com',
    tags           => [ 'puppet' ],
    tag_membership => 'inclusive',
  }
}

The client_id and client_secret belong to an API client you create in the Falcon console, and the CID is your customer ID from the same console. The module uses the API credentials to pull down the latest sensor package for your version of Linux, and the CID to register the sensor against your tenant.

The API client was given these scopes (create a dedicated client with just these rather than reusing one with broader rights; the install only needs to download packages and read policies):

Installation Tokens
Sensor Download
Sensor update policies
Sensor Visibility Exclusions

Well that was easy. I don’t think we need concern ourselves too much with nuances when installing the sensors.

You can remove it on Linux just by purging the package:

class uhfalcon {
  package { 'falcon-sensor':
    ensure => 'purged',
  }
}

Installing with Ansible

Puppet requires a Puppet server and agents enrolled against it. Ansible is agentless and much easier to start with: if you have SSH access to your servers and can sudo, you are ready to go.

Download the crowdstrike.falcon collection:

ansible-galaxy collection install crowdstrike.falcon

Create a playbook, say falcon-sensor.yaml:

---
- hosts: staging
  become: true                # installing a package needs root; -K supplies the sudo password
  vars:
    # do not commit real values here: keep them in an ansible-vault encrypted vars file
    falcon_client_id:  *****************************
    falcon_client_secret: ****************************
  roles:
  - role: crowdstrike.falcon.falcon_install
    vars:
      # leave no_log on (the default); set to false and the API credentials
      # are printed in the task output of every run
      falcon_api_enable_no_log: true
      falcon_install_method: api
      falcon_cloud: api.eu-1.crowdstrike.com
  - role: crowdstrike.falcon.falcon_configure
    vars:
      # falcon_cid is autodetected using the falcon_client_id/secret vars
      falcon_tags: 'staging'
...

The hosts come from the inventory I defined in /etc/ansible/hosts:

[staging]
v-l-uat01
v-l-uat02

And run the playbook (-K prompts for the sudo password; add --ask-vault-pass if the credentials live in a vault-encrypted vars file):

ansible-playbook falcon-sensor.yaml -K

Removal is an equally simple playbook:

---
- hosts: all
  become: true
  roles:
  - role: crowdstrike.falcon.falcon_uninstall
...
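Whether the sensor arrived via the Puppet class or the Ansible roles above, "package installed" is not the same as "sensor working": it also needs the right CID, a completed registration with the cloud (it gets an AID), and a kernel the sensor supports, otherwise it sits in Reduced Functionality Mode (RFM) and does little. The following check is an added example, not code from the original post or from CrowdStrike's modules. It assumes falconctl is at /opt/CrowdStrike/falconctl (the Linux sensor's standard path) and that `falconctl -g --cid`, `--aid` and `--rfm-state` answer in the form `cid="<hex>".`, `aid="<hex>".` and `rfm-state=false.`; the sample lines it falls back on when no sensor is present are constructed, and the default CID is a placeholder.

```shell
#!/bin/sh
# Post-install sanity check for the Linux Falcon sensor (added example, not from
# the original post). Reads the running sensor's settings with falconctl and
# confirms: the CID matches the one we configured, the sensor has registered
# (it has an AID), and it is not in Reduced Functionality Mode (RFM), which is
# what you get on a kernel the sensor does not yet support.
FALCONCTL=/opt/CrowdStrike/falconctl

# Extract one setting from a line of `falconctl -g` output (assumed format).
#   falcon_value cid 'cid="ABC".'             -> ABC
#   falcon_value rfm-state 'rfm-state=false.' -> false
#   falcon_value aid 'aid is not set.'        -> (empty)
falcon_value() {
  printf '%s\n' "$2" | sed -n "s/.*$1=//p" | sed 's/\.[[:space:]]*$//; s/"//g'
}

# falcon_check EXPECTED_CID CID_LINE AID_LINE RFM_LINE
# Returns 0 when healthy; prints one FAIL line per problem and returns 1 otherwise.
# EXPECTED_CID may be given as the console shows it, with the checksum suffix
# (e.g. ...-80); falconctl reports the bare 32-character CID, so the suffix is
# dropped and the comparison is case-insensitive.
falcon_check() {
  fc_want=$(printf '%s' "$1" | sed 's/-.*$//' | tr 'A-Z' 'a-z')
  fc_got=$(falcon_value cid "$2" | tr 'A-Z' 'a-z')
  fc_aid=$(falcon_value aid "$3")
  fc_rfm=$(falcon_value rfm-state "$4")
  fc_rc=0
  if [ -z "$fc_got" ]; then
    echo "FAIL: no CID set; the package is installed but the sensor was never configured"; fc_rc=1
  elif [ "$fc_got" != "$fc_want" ]; then
    echo "FAIL: CID is '$fc_got', expected '$fc_want' (reporting to the wrong tenant)"; fc_rc=1
  fi
  if [ -z "$fc_aid" ]; then
    echo "FAIL: no AID; the sensor has not registered with the Falcon cloud yet"; fc_rc=1
  fi
  if [ "$fc_rfm" != "false" ]; then
    echo "FAIL: rfm-state='$fc_rfm'; sensor is in Reduced Functionality Mode (unsupported kernel?)"; fc_rc=1
  fi
  return $fc_rc
}

# Expected CID: pass it in via FALCON_CID. The default below is a hypothetical
# placeholder so the script runs stand-alone.
EXPECTED_CID="${FALCON_CID:-0123456789ABCDEF0123456789ABCDEF-80}"

if [ -x "$FALCONCTL" ]; then
  # Real host: falconctl needs root, so run this script with sudo.
  if falcon_check "$EXPECTED_CID" \
      "$("$FALCONCTL" -g --cid)" \
      "$("$FALCONCTL" -g --aid)" \
      "$("$FALCONCTL" -g --rfm-state)"; then
    echo "OK: sensor configured for $EXPECTED_CID, registered, not in RFM"
  fi
else
  # No sensor on this machine: exercise the check against constructed sample
  # output (the lines below are made up to look like falconctl's format).
  echo "falconctl not found; checking constructed sample output instead"
  falcon_check "$EXPECTED_CID" \
    'cid="0123456789abcdef0123456789abcdef".' \
    'aid="aabbccddeeff00112233445566778899".' \
    'rfm-state=false.' && echo "sample host: OK"
  falcon_check "$EXPECTED_CID" \
    'cid="0123456789abcdef0123456789abcdef".' \
    'aid is not set.' \
    'rfm-state=true.' || echo "sample host on an unsupported kernel: NOT OK"
fi
```

Run it with sudo on a host straight after the playbook or Puppet run, with the CID you configured in FALCON_CID; a non-zero exit from falcon_check is the signal to hold the rollout rather than declare the host covered. The same function can be wrapped in an Ansible shell task or a Puppet exec as a post-install gate.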

Summary

It was relatively pain-free in both Ansible and Puppet. HOWEVER, Ansible let me tag the hosts to categorise them but failed to deploy to Rocky 9 (on the very latest kernel), whereas Puppet wasn't as easy to configure but installed on all platforms.