March 31, 2023 Hey guys, I'm looking into installing and creating a plugin eventually for Crowdstrike agent for UnRAID. Crowdstrike is a next gen antivirus, which relies on behavioral patterns and in my experience it uses a fraction of the resources the traditional antivirus types do. Currently the Crowdstrike agent does not run even in "user mode" which would bring good enough security checks. Upon investigation I noticed that only CONFIG_DEBUG_INFO_BTF=y is not enabled in /usr/src/linux-5.19.17-Unraid/.config. All the rest are already enabled in UnRAID. From their documentation: User mode of the sensor requires custom kernels to have a version of 5.8 or later and these kernel config options: CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_DEBUG_INFO_BTF=y CONFIG_BPF_EVENTS=y CONFIG_BPF_JIT=y Thank you! Edited March 31, 2023 by Mihai
April 1, 2023 11 hours ago, Mihai said: Crowdstrike is a next gen antivirus, which relies on behavioral patterns and in my experience it uses a fraction of the resources the traditional antivirus types do. Thank you for the request, can you give me a resource to the documentation? Is this the CrowdStrike Falcon Agent? Please make sure that you check their EULA and that creating a third party plugin doesn't violate their EULA first. I may be wrong about that but I remember seeing a Docker container for the Agent somewhere. 11 hours ago, Mihai said: CONFIG_DEBUG_INFO_BTF=y I'm not super on the fence for that because IIRC this can have some performance downsides, but I will look into that and also how much the Kernel will grow in terms of size. However it should not harm anything on Unraid, but I will take a first look at it. I hope it's enough for you that I look into it early next week.
April 1, 2023 Author Wow, thanks for the fast response! Of course, I will check their EULA, but looking at the Archlinux falcon-sensor package it seems they're only prohibiting people from distributing the package themselves, so most probably it will be a plugin which requires manually downloading the package and then sharing it. In terms of documentation, unfortunately it's behind a paywall, so for customers only, but I assume I would be able to share some snippets via PM if you need them, just please let me know. I think you're talking about the "crowdsec" container, which is a different product, and open source, but that's more of a WAF as far as I understand, but I'm also planning to try it out in the near future. In terms of performance/size issues, I can't say much, but I know that for example NixOS and Manjaro are 2 Linux distributions which have all these params on by default in their LTS kernels. I know because I run them both and just installed falcon-agent on both of them. It's definitely no rush from my side, please take your time and I understand you have other priorities. It's just something nice to have... in these days of increasing cyberattacks. Thank you!
April 5, 2023 On 4/1/2023 at 6:29 PM, Mihai said: Wow, thanks for the fast response! Please always quote me or at least mention me because otherwise I will miss your response, and I've only seen by accident that you've answered. On 4/1/2023 at 6:29 PM, Mihai said: In terms of documentation, unfortunately it's behind a paywall, so for customers only, but I assume I would be able to share some snippets via PM if you need them, just please let me know. This is tough... I would really recommend that you check their EULA because otherwise you are on thin ice... On 4/1/2023 at 6:29 PM, Mihai said: I think you're talking about the "crowdsec" container Definitely not... On 4/1/2023 at 6:29 PM, Mihai said: In terms of performance/size issues, I can't say much, but I know that for example NixOS and Manjaro are 2 Linux distributions which have all these params on by default in their LTS kernels. I know because I run them both and just installed falcon-agent on both of them. I know, Debian also has them enabled, but the main difference is that these Distros are in most cases used for Desktop usage and not in a case like Unraid as a Server OS. I completely get your point and what you are trying to accomplish, but I'm not entirely sure if the antivirus should run on the server itself because Unraid is not a general purpose server. Is there maybe a Docker container for this application out there?
April 5, 2023 On 4/1/2023 at 1:38 AM, ich777 said: I may be wrong about that but I remember seeing a Docker container for the Agent somewhere. https://hub.docker.com/r/kyokuheki/falcon-sensor Is this what you are thinking of?
April 6, 2023 7 hours ago, Yankton said: https://hub.docker.com/r/kyokuheki/falcon-sensor Is this what you are thinking of? Exactly, wouldn't this work on Unraid if you mount for example the /mnt directory to it?
June 15, 2023 Author @ich777 that container would probably run, but will be mostly useless because of the missing `CONFIG_DEBUG_INFO_BTF` kernel option. Unfortunately it's written in such a way that if it doesn't have the necessary environment, it simply refuses to work. It behaves a bit differently from traditional AVs, and it won't actually scan files all the time (which can kill the CPU), but does more of a behavioral check, for example if specific files are being copied or even suspicious network traffic.
February 24, 2025 I would like this option enabled as well. There are other things that rely on it, especially ebpf related stuff. Docker containers use the host kernel so using a Docker container won't work. Edited February 25, 2025 by bobbintb
February 26, 2025 I've been heavily delving into ebpf the last few months so I just wanted to add a bit more info. Unraid does have ebpf enabled in the kernel, but this option is needed for bpf CO-RE, which is pretty much what everything is written for now. If a bpf program doesn't use CO-RE, then it must be compiled for a specific kernel version, and recompiled if the kernel makes changes to structure layouts, which is a real pain to manage. So pretty much anything with ebpf will use CO-RE nowadays to avoid this. Basically, even though Unraid has all the bpf flags enabled in the kernel, it doesn't really matter as long as this one is still disabled. There's a lot of interesting and useful things ebpf can more easily bring to Unraid with this option. Edited May 20 by bobbintb
May 22 @ich777 I don't want to be a bother but I was hoping to get some further input on this regarding my last comment, now that I realize I never tagged anyone so it probably never got seen. This is what the config currently has in regards to BPF:

```
CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y

#
# BPF subsystem
#
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# end of BPF subsystem

CONFIG_CGROUP_BPF=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_BPF_LINK=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
# CONFIG_BPF_STREAM_PARSER is not set
CONFIG_LWTUNNEL_BPF=y

#
# HID-BPF support
#
# CONFIG_HID_BPF is not set
# end of HID-BPF support

CONFIG_BPF_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
# CONFIG_TEST_BPF is not set
```

Again, without CONFIG_DEBUG_INFO_BTF enabled, these configuration options are all essentially useless, because without CONFIG_DEBUG_INFO_BTF anything that uses eBPF (including those in docker containers) would have to be compiled against the specific kernel version that unRaid uses, which also changes frequently. Everything eBPF uses CO-RE now, which makes it kernel agnostic, and CONFIG_DEBUG_INFO_BTF is a hard requirement for that.
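An added check, not from the thread or any of its posters, that reads a kernel .config and reports which of the five options quoted from the sensor documentation are set, and whether the running kernel exports its BTF (which is what CO-RE loaders such as libbpf look for). The sample config is constructed to mirror the state described above; pass a real path such as the /usr/src/linux-*/.config mentioned in the first post to check an actual kernel.

```shell
#!/bin/sh
# Options the first post quotes from the sensor documentation for user mode.
REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_DEBUG_INFO_BTF CONFIG_BPF_EVENTS CONFIG_BPF_JIT"

# check_config <.config path>: print one line per option, return the number
# of options that are not built in. A disabled option shows up in a .config
# as "# NAME is not set" (or is absent); only NAME=y counts as satisfied.
check_config() {
  cfg="$1"
  missing=0
  for opt in $REQUIRED_OPTS; do
    if grep -q "^${opt}=y\$" "$cfg"; then
      printf 'ok       %s\n' "$opt"
    else
      printf 'MISSING  %s\n' "$opt"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# btf_available [path]: a kernel built with CONFIG_DEBUG_INFO_BTF=y exposes
# its type information at /sys/kernel/btf/vmlinux; CO-RE relocation needs it.
btf_available() {
  [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# Constructed sample resembling the Unraid state described in the thread:
# everything enabled except CONFIG_DEBUG_INFO_BTF.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_EVENTS=y
# CONFIG_DEBUG_INFO_BTF is not set
EOF

# Use the .config given as $1, otherwise the constructed sample.
if check_config "${1:-$SAMPLE_CONFIG}"; then
  echo "all required options are built in"
else
  echo "$? option(s) missing; CO-RE eBPF programs will not load on this kernel"
fi
if btf_available; then echo "BTF exported by running kernel"; else echo "no BTF at /sys/kernel/btf/vmlinux"; fi
```

Disabled options are printed as MISSING, and the exit status of check_config is the count, so the script can be dropped into a pre-install check for any eBPF-based tool.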