This project helps build the scaffolding for customers to containerize their falcon sensor.
-
Install
dockerorpodmanif not already present on the build host. The following instructions usedockercommands, butpodmancommands work just fine as well. -
Your CrowdStrike Customer ID (CID) is required to ensure the container associates itself with your account upon launch. Your CID can be found at https://falcon.crowdstrike.com/hosts/sensor-downloads.
-
Update entrypoint.sh with your CID if you wish to hard-code your CID, e.g.:
CLOUDSIM_CID="YOURCID"This could be replaced with a sed one-liner such as
sed -i 's/YOURCID/xyz/r' entrypoint.sh. Try not to commit your CID to your Git repo! Alternatively, using-e FALCONCTL_OPT_CID=<<YOUR CID>>when running the container detached (when the-dargument is used. See below) is easier rather than hard-coding your CID and creating a new container image. -
Download the RHEL/CentOS/Oracle 8 sensor from https://falcon.crowdstrike.com/hosts/sensor-downloads and place into this directory. The
Dockerfilereferences this file and copies it into the container duringdocker buildthrough the build argumentFALCON_RPM.
Build the container using the included Dockerfile through a command such as:
$ docker build --no-cache=true \
--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
--build-arg VCS_REF=$(git rev-parse --short HEAD) \
--build-arg FALCON_RPM=falcon-sensor-5.33.0-9808.el8.x86_64.rpm
-t falcon-sensor:latest .falcon-sensor is the default command of the container. It can be invoked
as follows:
$ docker run --rm -ti --privileged \
--net=host -v /var/log:/var/log falcon-sensorThis is like running falcon-sensor directly on the console. Standard terminal
output appears. Pressing Control-C would cause docker client to pass
SIGINT along to the sensor, which would then exit.
--net=host is required for the containerized sensor to talk to the kernel
module over netlink and to Cloudsim over localhost. Host pid, uts and
ipc namespaces are passed through to sensor container for easy access to
host resources. Following additional host files and directories need to be
provided to the sensor by mounting them within the container:
/var/run/docker.sock # for the sensor to query Docker engine
/var/log # for logs
/etc/os-release # or its equivalent based on the distroSensor container picks up falconctl configuration from its environment.
Following variables are supported. They map to the similarly named
SET_OPTIONS of falconctl. Typically, the environment variables
are set through a Kubernetes configmap. They can also be set with
-e option to docker run on the command line.
FALCONCTL_OPT_CID
FALCONCTL_OPT_AID
FALCONCTL_OPT_APD
FALCONCTL_OPT_APH
FALCONCTL_OPT_APP
FALCONCTL_OPT_TRACE
FALCONCTL_OPT_FEATURE
FALCONCTL_OPT_MESSAGE_LOG
FALCONCTL_OPT_BILLING
FALCONCTL_OPT_ASSERT
FALCONCTL_OPT_MEMFAIL_GRACE_PERIOD
FALCONCTL_OPT_MEMFAIL_EVERY_NThe sensor can be run as a background service as follows:
$ CONTAINER_ID=$(docker run -d \
-e FALCONCTL_OPT_CID=<<your CID>> \
-e FALCONCTL_OPT_TRACE=debug \
--privileged --net=host \
-v /var/log:/var/log falcon-sensor)Replace <<your CID>> with your CrowdStrike Customer ID (CID). This can be found at https://falcon.crowdstrike.com/hosts/sensor-downloads.
falconctl can be invoked inside a running sensor container with docker exec:
$ docker exec -it $CONTAINER_ID falconctl -g --tracePush the image to a registry (like ECR) if the container needs to be accessed outside of the build host.
For example, if pushing to a private DockerHub registry:
- Retrieve the
IMAGE IDof your newly created container.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
falcon-sensor latest 6fd0819e777d 4 days ago 242MB- Tag your local image, replacing
6fd0819e777dwith yourIMAGE ID, andyourDockerHubAccount/yourPrivateRepowith your DockerHub information.
$ docker tag 6fd0819e777d yourDockerHubAccount/yourPrivateRepo:latest- Push to DockerHub.
$ docker push yourDockerHubAccount/yourPrivateRepoThank you to Dinesh Subhraveti whose initial code inspired this repo!
