Kernel: Enable CONFIG_DEBUG_INFO_BTF (Needed for Crowdstrike agent)


Hey guys,

 

I'm looking into installing, and eventually creating a plugin for, the Crowdstrike agent for UnRAID. Crowdstrike is a next-gen antivirus which relies on behavioral patterns, and in my experience it uses a fraction of the resources the traditional antivirus types do.

 

Currently the Crowdstrike agent does not even run in "user mode", which would bring good enough security checks. Upon investigation I noticed that only CONFIG_DEBUG_INFO_BTF=y is not enabled in /usr/src/linux-5.19.17-Unraid/.config.

All the rest are already enabled in UnRAID. From their documentation:

User mode of the sensor requires custom kernels to have a version of 5.8 or later and these kernel config options:

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_JIT=y

 

Thank you!

Edited by Mihai

  • Mihai changed the title to Kernel: Enable CONFIG_DEBUG_INFO_BTF (Needed for Crowdstrike agent)
11 hours ago, Mihai said:

Crowdstrike is a next gen antivirus, which relies on behavioral patterns and in my experience it uses a fraction of resources the traditional antivirus types do.

Thank you for the request, can you give me a resource to the documentation? Is this the CrowdStrike Falcon Agent?

Please make sure that you check their EULA and that creating a third-party plugin doesn't violate their EULA first.

 

I may be wrong about that but I remember seeing a Docker container for the Agent somewhere.

 

11 hours ago, Mihai said:

CONFIG_DEBUG_INFO_BTF=y

I'm not super on the fence for that because IIRC this can have some performance downsides but I will look into that and also how much the Kernel will grow in terms of size.

However it should not harm anything on Unraid but I will take first a look at it.

 

I hope it's enough for you that I look into it early next week.

  • Author

Wow, thanks for the fast response!

 

Of course, I will check their EULA, but looking at the Archlinux falcon-sensor package it seems they only prohibit people from distributing the package themselves, so most probably it will be a plugin which requires manually downloading the package and then sharing it.

In terms of documentation, unfortunately it's behind a paywall, so for customers only :( but I assume I would be able to share some snippets via PM if you need them, just please let me know.

 

I think you're talking about the "crowdsec" container, which is a different product, and open source, but that's more of a WAF as far as I understand. I'm also planning to try it out in the near future.

 

In terms of performance/size issues, I can't say much, but I know that for example NixOS and Manjaro are 2 Linux distributions which have all these params on by default in their LTS kernels. I know because I run them both and just installed falcon-agent on both of them.

 

It's definitely no rush from my side, please take your time, and I understand you have other priorities. It's just something nice to have in these days of increasing cyberattacks.

 

Thank you!

On 4/1/2023 at 6:29 PM, Mihai said:

Wow, thanks for the fast response!

Please always quote me or at least mention me because otherwise I will miss your response and I've only seen by accident that you've answered.

 

On 4/1/2023 at 6:29 PM, Mihai said:

In terms of documentation, unfortunately it's behind a paywall, so for customers only :( but I assume I would be able to share some snippets via PM if you need them, just please let me know.

This is tough... I would really recommend that you check their EULA because otherwise you are on thin ice...

 

On 4/1/2023 at 6:29 PM, Mihai said:

I think you're talking about the "crowdsec" container

Definitely not... :D

 

On 4/1/2023 at 6:29 PM, Mihai said:

In terms of performance/size issues, I can't say much, but I know that for example NixOS and Manjaro are 2 Linux distributions which have all these params on by default in their LTS kernels. I know because I run them both and just installed falcon-agent on both of them.

I know, Debian also has them enabled but the main difference is that these Distros are in most cases used for Desktop usage and not in the case like for Unraid as a Server OS. I completely get your point and what you are trying to accomplish but I'm not entirely sure if the antivirus should run on the server itself because Unraid is not a general purpose server.

Is there maybe a Docker container for this application out there?

  • 2 months later...
  • Author

@ich777 that container would probably run, but will be mostly useless because of the missing `CONFIG_DEBUG_INFO_BTF` kernel option.

Unfortunately it's written in such a way that if it doesn't have the necessary environment, it simply refuses to work. It behaves a bit differently than traditional AVs, and it won't actually scan files all the time (which can kill the CPU), but does more behavioral checks, for example if specific files are being copied or even suspicious network traffic.

  • 1 year later...

I would like this option enabled as well. There are other things that rely on it, especially eBPF-related stuff. Docker containers use the host kernel, so using Docker won't work.

Edited by bobbintb

I've been heavily delving into eBPF the last few months so I just wanted to add a bit more info. Unraid does have eBPF enabled in the kernel, but this option is needed for BPF CO-RE, which is pretty much what everything is written for now. If a BPF program doesn't use CO-RE, then it must be compiled for a specific kernel version, and recompiled if the kernel makes changes to structure layouts, which is a real pain to manage. So pretty much anything with eBPF will use CO-RE nowadays to avoid this. Basically, even though Unraid has all the BPF flags enabled in the kernel, it doesn't really matter as long as this one is still disabled. There's a lot of interesting and useful things eBPF can more easily bring to Unraid with this option.

Edited by bobbintb

  • 1 year later...

@ich777 I don't want to be a bother, but I was hoping to get some further input on this regarding my last comment, now that I realize I never tagged anyone so it probably never got seen. This is what the config currently has in regards to BPF:

CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y

# BPF subsystem
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# end of BPF subsystem

CONFIG_CGROUP_BPF=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_BPF_LINK=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
# CONFIG_BPF_STREAM_PARSER is not set
CONFIG_LWTUNNEL_BPF=y

# HID-BPF support
# CONFIG_HID_BPF is not set
# end of HID-BPF support

CONFIG_BPF_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
# CONFIG_TEST_BPF is not set

Again, without CONFIG_DEBUG_INFO_BTF enabled, these configuration options are all essentially useless, because without CONFIG_DEBUG_INFO_BTF anything that uses eBPF (including those in Docker containers) would have to be compiled against the specific kernel version that Unraid uses, which also changes frequently. Everything eBPF uses CO-RE now, which makes it kernel agnostic, and CONFIG_DEBUG_INFO_BTF is a hard requirement for that.
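As an added example (not code from the thread, from Unraid or from CrowdStrike), a POSIX shell script that checks a kernel .config for the five options quoted in the opening post and tells you whether the running kernel actually exposes BTF. CO-RE loaders such as libbpf read the kernel's type information from /sys/kernel/btf/vmlinux at load time, which is what CONFIG_DEBUG_INFO_BTF=y produces, so that file's presence is the practical test for both the Falcon user-mode sensor requirement and the CO-RE point made above. The /usr/src/linux-<version>-Unraid/.config path comes from the thread; /proc/config.gz and /boot/config-<version> are conventional locations on other distributions and are assumptions here, as are the function names.

```shell
#!/bin/sh
# Added example: check a kernel .config for the options CrowdStrike's user-mode
# sensor (and BPF CO-RE tooling in general) needs, and check whether the
# running kernel exposes BTF. Not from the thread, Unraid or CrowdStrike.

# The five options quoted from the sensor documentation in the opening post.
REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_DEBUG_INFO_BTF CONFIG_BPF_EVENTS CONFIG_BPF_JIT"

# check_kconfig FILE
#   Prints one "missing: OPTION=y" line per option that is not built in and
#   returns 1 if any is missing, 0 otherwise. Accepts a plain .config or a
#   gzip'd one such as /proc/config.gz. "=m" and "# ... is not set" both fail,
#   because the sensor documentation asks for =y.
check_kconfig() {
    file="$1"
    missing=0
    case "$file" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    for opt in $REQUIRED_OPTS; do
        # grep -x matches the whole line, so CONFIG_BPF=y does not match
        # CONFIG_BPF_SYSCALL=y or CONFIG_BPF_JIT=y.
        if ! $reader "$file" 2>/dev/null | grep -qx "${opt}=y"; then
            echo "missing: ${opt}=y"
            missing=1
        fi
    done
    return $missing
}

# btf_available
#   Returns 0 if the running kernel exposes vmlinux BTF, the file libbpf reads
#   for CO-RE relocations; returns 1 otherwise. This is true only when the
#   kernel was built with CONFIG_DEBUG_INFO_BTF=y.
btf_available() {
    [ -r /sys/kernel/btf/vmlinux ]
}

# find_running_config
#   Prints the first readable config for the running kernel. The Unraid path
#   is the one named in the thread; the other two are assumed conventions.
find_running_config() {
    for f in /proc/config.gz \
             "/boot/config-$(uname -r)" \
             "/usr/src/linux-$(uname -r)/.config"; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Stand-alone run against the live system.
if cfg=$(find_running_config); then
    echo "checking $cfg"
    check_kconfig "$cfg" && echo "all required options are built in"
else
    echo "no readable kernel config found for $(uname -r)"
fi
if btf_available; then
    echo "BTF: /sys/kernel/btf/vmlinux is present, CO-RE programs can load"
else
    echo "BTF: not exposed by the running kernel, CO-RE programs will fail to load"
fi
```

On an Unraid box this reports exactly the situation in the thread: every option except CONFIG_DEBUG_INFO_BTF is built in, and /sys/kernel/btf/vmlinux is absent. A build that flips only that one option makes both checks pass.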
