Mihai Posted March 31, 2023 (edited)

Hey guys, I'm looking into installing and eventually creating a plugin for the CrowdStrike agent on Unraid. CrowdStrike is a next-gen antivirus which relies on behavioral patterns, and in my experience it uses a fraction of the resources that traditional antivirus types do.

Currently the CrowdStrike agent does not run even in "user mode", which would bring good enough security checks. Upon investigation I noticed that only CONFIG_DEBUG_INFO_BTF=y is not enabled in /usr/src/linux-5.19.17-Unraid/.config. All the rest are already enabled in Unraid.

From their documentation: user mode of the sensor requires custom kernels to have a version of 5.8 or later and these kernel config options:

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_JIT=y

Thank you!

Edited March 31, 2023 by Mihai
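A quick way to verify those five options on a box before trying the sensor, as an added example (this is not CrowdStrike's tooling and not something from the thread): the script below reads /proc/config.gz when the running kernel exposes it (that needs CONFIG_IKCONFIG_PROC), otherwise the source-tree .config path named in the post, and prints every required option that is not set to =y. The sample .config embedded at the bottom is constructed to mirror the situation described above, with everything on except BTF.

```shell
#!/bin/sh
# Added example, not CrowdStrike code: check a kernel .config for the options the
# post quotes as required for user-mode operation of the Falcon sensor.

REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_DEBUG_INFO_BTF CONFIG_BPF_EVENTS CONFIG_BPF_JIT"

# missing_opts FILE: print each required option that is not "=y" in FILE.
# Anchored match, so CONFIG_BPF=y does not satisfy CONFIG_BPF_SYSCALL and vice versa;
# "# CONFIG_X is not set" and "=m" both count as missing.
missing_opts() {
    file="$1"
    for opt in $REQUIRED_OPTS; do
        if ! grep -q "^${opt}=y\$" "$file"; then
            echo "$opt"
        fi
    done
}

# check_config FILE: report and return 0 if all options are =y, 1 otherwise.
check_config() {
    missing=$(missing_opts "$1")
    if [ -z "$missing" ]; then
        echo "all required options enabled in $1"
        return 0
    fi
    echo "missing or not =y in $1:"
    echo "$missing" | sed 's/^/  /'
    return 1
}

# check_running_kernel: prefer the in-kernel copy of the config (/proc/config.gz),
# fall back to the source tree for the running kernel version, as in the post.
check_running_kernel() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp"
        check_config "$tmp" && rc=0 || rc=$?
        rm -f "$tmp"
        return $rc
    fi
    src="/usr/src/linux-$(uname -r)/.config"
    if [ -r "$src" ]; then
        check_config "$src"
    else
        echo "no kernel config found at /proc/config.gz or $src" >&2
        return 2
    fi
}

# Constructed sample .config (not a real Unraid file) modelled on the post:
# only CONFIG_DEBUG_INFO_BTF is missing.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_DEBUG_INFO_BTF is not set
CONFIG_BPF_EVENTS=y
CONFIG_BPF_JIT=y
EOF

# Demo against the sample; on a real host call check_running_kernel instead.
check_config "$SAMPLE_CONFIG" || true
```

Run check_running_kernel on the host itself to get the same report for the live kernel. One practical caveat for anyone rebuilding the kernel: CONFIG_DEBUG_INFO_BTF needs the pahole tool (from the dwarves package) present at build time to generate the BTF section from DWARF debug info, and that extra section is where most of the size growth comes from.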
ich777 Posted April 1, 2023

Mihai said: "CrowdStrike is a next-gen antivirus which relies on behavioral patterns, and in my experience it uses a fraction of the resources that traditional antivirus types do."

Thank you for the request. Can you give me a resource to the documentation? Is this the CrowdStrike Falcon Agent? Please make sure that you check their EULA and that creating a third-party plugin doesn't violate their EULA first. I may be wrong about that, but I remember seeing a Docker container for the agent somewhere.

Mihai said: "CONFIG_DEBUG_INFO_BTF=y"

I'm not super enthusiastic about that because IIRC this can have some performance downsides, but I will look into that and also how much the kernel will grow in terms of size. However, it should not harm anything on Unraid, but I will take a first look at it. I hope it's enough for you that I look into it early next week.
Mihai Posted April 1, 2023 (Author)

Wow, thanks for the fast response! Of course I will check their EULA, but looking at the Arch Linux falcon-sensor package it seems they're only prohibiting people from distributing the package themselves, so most probably it will be a plugin which requires manually downloading the package and then sharing it.

In terms of documentation, unfortunately it's behind a paywall, so for customers only, but I assume I would be able to share some snippets via PM if you need them; just please let me know.

I think you're talking about the "crowdsec" container, which is a different product, and open source, but that's more of a WAF as far as I understand. I'm also planning to try it out in the near future.

In terms of performance/size issues, I can't say much, but I know that, for example, NixOS and Manjaro are two Linux distributions which have all these params on by default in their LTS kernels. I know because I run them both and just installed falcon-agent on both of them.

It's definitely no rush from my side; please take your time, and I understand you have other priorities. It's just something nice to have in these days of increasing cyberattacks. Thank you!
ich777 Posted April 5, 2023

Mihai said: "Wow, thanks for the fast response!"

Please always quote me or at least mention me, because otherwise I will miss your response; I've only seen by accident that you've answered.

Mihai said: "In terms of documentation, unfortunately it's behind a paywall, so for customers only, but I assume I would be able to share some snippets via PM if you need them; just please let me know."

This is tough... I would really recommend that you check their EULA, because otherwise you are on thin ice...

Mihai said: "I think you're talking about the "crowdsec" container"

Definitely not...

Mihai said: "In terms of performance/size issues, I can't say much, but I know that, for example, NixOS and Manjaro are two Linux distributions which have all these params on by default in their LTS kernels. I know because I run them both and just installed falcon-agent on both of them."

I know, Debian also has them enabled, but the main difference is that these distros are in most cases used for desktop usage and not, as in the case of Unraid, as a server OS. I completely get your point and what you are trying to accomplish, but I'm not entirely sure if the antivirus should run on the server itself, because Unraid is not a general-purpose server. Is there maybe a Docker container for this application out there?
Yankton Posted April 5, 2023

ich777 said: "I may be wrong about that, but I remember seeing a Docker container for the agent somewhere."

https://hub.docker.com/r/kyokuheki/falcon-sensor

Is this what you are thinking of?
ich777 Posted April 6, 2023

Yankton said: "https://hub.docker.com/r/kyokuheki/falcon-sensor Is this what you are thinking of?"

Exactly. Wouldn't this work on Unraid if you mount, for example, the /mnt directory into it?
Mihai Posted June 15, 2023 (Author)

@ich777 that container would probably run, but it will be mostly useless because of the missing CONFIG_DEBUG_INFO_BTF kernel option. Unfortunately it's written in such a way that if it doesn't have the necessary environment, it simply refuses to work. It behaves a bit differently than traditional AVs, and it won't actually scan files all the time (which can kill the CPU), but does more behavioral checks, for example whether specific files are being copied or even suspicious network traffic.