Jump to content

Kernel: Enable CONFIG_DEBUG_INFO_BTF (Needed for Crowdstrike agent)


Recommended Posts

Hey guys,

 

I'm looking into installing and creating a plugin eventually for Crowdstrike agent for UnRAID. Crowdstrike is a next gen antivirus, which relies on behavioral patterns and in my experience it uses a fraction of resources the traditional antivirus types do.

 

Currently the Crowdstrike agent does not run even in "user mode" which would bring good enough security checks. Upon investigation I noticed that only CONFIG_DEBUG_INFO_BTF=y is not enabled in /usr/src/linux-5.19.17-Unraid/.config.

All the rest are already enabled in UnRAID. From their documentation:

User mode of the sensor requires custom kernels to have a version of 5.8 or later and these kernel config options:

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_JIT=y

 

Thank you!

Edited by Mihai
Link to comment
  • Mihai changed the title to Kernel: Enable CONFIG_DEBUG_INFO_BTF (Needed for Crowdstrike agent)
11 hours ago, Mihai said:

Crowdstrike is a next gen antivirus, which relies on behavioral patterns and in my experience it uses a fraction of resources the traditional antivirus types do.

Thank you for the request, can you give me a resource to the documentation? Is this the CrowdStrike Falcon Agent?

Please make sure that you check their EULA and if creating a third party plugin doesn't violate their EULA first.

 

I may be wrong about that but I remember seeing a Docker container for the Agent somewhere.

 

11 hours ago, Mihai said:

CONFIG_DEBUG_INFO_BTF=y

I'm not super on the fence for that because IIRC this can have some performance downsides but I will look into that and also how much the Kernel will grow in terms of size.

However it should not harm anything on Unraid but I will take first a look at it.

 

I hope it's enough for you that I look into it early next week.

Link to comment

Wow, thanks for the fast response!

 

Of course, I will check their EULA, but looking at the Archlinux falcon-sensor package it seems they're only prohibiting people to distribute the package themselves, so most probably it will be a plugin which requires manually downloading the package and then sharing it.

In terms of documentation, unfortunately it's behind a paywall, so for customers only :( but I assume I would be able to share some snippets via PM if you need them, just please let me know.

 

I think you're talking about the "crowdsec" container, which is a different product, and open source, but that's more as a WAF as far as i understand, but I'm also planning to try it out in the near future. 

 

In terms of performance/size issues, I can't say much, but I know that for example NixOS and Manjaro are 2 Linux distributions which have all these params on by default in their LTS kernels. I know because I run them both and just installed falcon-agent on both of them.

 

It's definitely no rush from my side, please take your time and I understand you have other priorities. It's just something nice to have.. in these days of increasing cyberattacks.

 

Thank you!

Link to comment
On 4/1/2023 at 6:29 PM, Mihai said:

Wow, thanks for the fast response!

Please always quote me or at least mention me because otherwise I will miss your response and I've only seen by accident that you've answered.

 

On 4/1/2023 at 6:29 PM, Mihai said:

In terms of documentation, unfortunately it's behind a paywall, so for customers only :( but I assume I would be able to share some snippets via PM if you need them, just please let me know.

This is tough... I would really recommend that you check their EULA because otherwise you are on thin ice...

 

On 4/1/2023 at 6:29 PM, Mihai said:

I think you're talking about the "crowdsec" container

Definitely not... :D

 

On 4/1/2023 at 6:29 PM, Mihai said:

In terms of performance/size issues, I can't say much, but I know that for example NixOS and Manjaro are 2 Linux distributions which have all these params on by default in their LTS kernels. I know because I run them both and just installed falcon-agent on both of them.

I know, Debian also has them enabled but the main difference is that these Distros are in most cases used for Desktop usage and not in the case like for Unraid as a Server OS. I completely get your point and what you are trying to accomplish but I'm not entirely sure if the antivirus should run on the server itself because Unraid is not a general purpose server.

Is there maybe a Docker container for this application out there?

Link to comment
  • 2 months later...

@ich777 that container would probably run, but will be mostly useless because of the missing `CONFIG_DEBUG_INFO_BTF` kernel option.

Unfortunately it's written in such a way that if it doesn't have the necessary environment, it simply refuses to work. It behaves a bit different than traditional AVs, and it won't actually scan files all the time (which can kill the CPU), but more of a behavioral checks, for example if specific files are being copied or even suspicious network traffic.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...