[ BUG ] Add-FalconSensorTag and Remove-FalconSensorTag not working on Linux hosts #421

Closed · bbivmb opened this issue Sep 5, 2024 · 12 comments
Labels: bug (Something isn't working), fix available (Self-applied fix available in issue)

Comments

bbivmb commented Sep 5, 2024


PSFalcon: version 2.27
PSVersion: 5.1.19041.4780
OS: LNX RHEL 8.x
Host already has SensorTags configured
Enabled RTR with custom scripts and run.


When I try to REMOVE a SensorTag with Remove-FalconSensorTag it fails with below output:

PS C:\> Remove-FalconSensorTag -Id $device -Tag "SensorGroupingTags/testpsfalcon"

cid              : ***
device_id        : ***
tags             : /bin/bash: -c: line 4: syntax error near unexpected token `$'do\r''
                   /bin/bash: -c: line 4: `  do'
                   
offline_queued   : False
session_id       : ***
cloud_request_id : ***
status           : 

When I try to ADD a SensorTag with Add-FalconSensorTag it fails with following output:

PS C:\> Add-FalconSensorTag -Id $device -Tag "SensorGroupingTags/testpsfalcon"

cid              : ***
device_id        : ***
tags             : /opt/CrowdStrike/falconctl: unrecognized option '--tags'
                   Run 'falconctl -h' OR 'falconctl --help' for usage help
                   Sensor grouping tags are already set, but -f was not specified
                   ERROR: failed to process the option --tags
                   Run 'falconctl -h' OR 'falconctl --help' for usage help
                   
offline_queued   : False
session_id       : ***
cloud_request_id : ***
status           : 
@bbivmb bbivmb added the question Further information is requested label Sep 5, 2024
@bk-cs bk-cs self-assigned this Sep 5, 2024
@bk-cs bk-cs added bug Something isn't working and removed question Further information is requested labels Sep 5, 2024
@bk-cs bk-cs changed the title Add- and Remove-FalconSensorTag don't add/remove tags on LNX hosts Add-FalconSensorTag and Remove-FalconSensorTag not working on Linux hosts Sep 5, 2024
bk-cs (Collaborator) commented Sep 5, 2024

Thanks for the report! I can confirm the same behavior in my test environment.

It seems like something with the command line syntax for the falconctl command is being mangled while being passed to the RTR session. I'm investigating and will respond when I'm able to figure it out.

bk-cs added a commit that referenced this issue Sep 5, 2024
Updated internal function to evaluate FalconSensorTags and re-wrote scripts for FalconSensorTag manipulation through Real-time Response to fix the inability to add/remove FalconSensorTags on Linux. This also fixed the same issue that was impacting MacOS hosts.
bk-cs (Collaborator) commented Sep 5, 2024

I believe I've narrowed this issue down to the transmission of the scripts used to manipulate FalconSensorTags through Real-time Response. I made some changes to those scripts, and also some optimizations to the Add-FalconSensorTag, Set-FalconSensorTag and Remove-FalconSensorTag commands.

Can you please follow the steps mentioned below and let me know if this resolves your issue? Once you update the public\psf-sensors.ps1, script\add_sensortag.sh, script\add_sensortag.zsh, script\remove_sensortag.ps1, script\remove_sensortag.sh, and script\remove_sensortag.zsh, you must restart PowerShell and re-import PSFalcon.

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/public/psf-sensors.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-sensors.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/add_sensortag.sh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) add_sensortag.sh)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/add_sensortag.zsh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) add_sensortag.zsh)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.sh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.sh)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.zsh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.zsh)

bbivmb (Author) commented Sep 6, 2024

Thank you for the feedback.

SensorTag is still not added/removed. Please find outputs below. I also attached the commands run by RTR as found in the RTR Audit (screenshots).

[screenshot: add-sensortag]
[screenshot: remove-sensortag]

Add-FalconSensorTag -Id $device -Tag $tag

FIRST RUN:

cid : ***
device_id : ***
tags : tag1,tag2,tag3
offline_queued : False
session_id : ***
cloud_request_id : ***
status : sed: -e expression #1, char 58: unknown option to `s'

CONSECUTIVE RUNS:

query_time powered_by trace_id
0.06867246 csam ***



Remove-FalconSensorTag -Id $device -Tag $tag

query_time powered_by trace_id
0.068985217 csam ***


@bk-cs bk-cs changed the title Add-FalconSensorTag and Remove-FalconSensorTag not working on Linux hosts [BUG] Add-FalconSensorTag and Remove-FalconSensorTag not working on Linux hosts Sep 11, 2024
@bk-cs bk-cs changed the title [BUG] Add-FalconSensorTag and Remove-FalconSensorTag not working on Linux hosts [ BUG ] Add-FalconSensorTag and Remove-FalconSensorTag not working on Linux hosts Sep 11, 2024
bk-cs (Collaborator) commented Sep 11, 2024

Your new issue looks to be a problem specific to sed installed in your version of Linux. I'll have to investigate other version compatible ways to parse the falconctl output.

bk-cs (Collaborator) commented Sep 11, 2024

You can take the add_sensortag.sh script (with the sed portion removed) and save it as a custom script that you use with runscript instead of using Add-SensorTag:

/opt/CrowdStrike/falconctl -s -f --tags="$1" && /opt/CrowdStrike/falconctl -g --tags

Which you'd run like this in the console:

runscript -CloudFile="my_script" -CommandLine='"tag1,tag2,tag3"'

Or like this with PSFalcon (replace the backslashes with ``` characters):

Invoke-FalconRtr -Command runscript -Argument '-CloudFile="my_script" -CommandLine=\\\"tag1,tag2,tag3"\\\ -HostId <id>

bbivmb (Author) commented Sep 12, 2024

I confirm the following works:

  1. Create RTR custom script:
    /opt/CrowdStrike/falconctl -s -f --tags="$1" && /opt/CrowdStrike/falconctl -g --tags

  2. Run psfalcon command:
    Invoke-FalconRtr -Command runscript -Argument '-CloudFile="AddSensortagCustom" -CommandLine=```"psfalcontest1,psfalcontest2,psfalcontest3"```' -HostId ***


Output:
aid : ***
session_id : ***
offline_queued : False
cloud_request_id : ***
complete : True
stdout :
tags=psfalcontest1,psfalcontest2,psfalcontest3.
stderr :


RTR Audit log entry: [screenshot]

Result: [screenshot]

59e5aaf4 commented

I managed to sort that one out by converting \r\n to \n in add_sensortag.sh. It's pretty tricky, as the \r are only there in the powershell-packaged version of psfalcon, they're not on github.
My error messages were exactly the same as yours and initially I thought about all sorts of shell-specific bugs like bashisms, or curious behaviors, but no, looking at telemetry data showed a lot of \000d intermixed everywhere.
Overwriting the file in (Get-Module PSFalcon).Path ( C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.7\script ) without newlines ( vim set ff=unix ) fixed this.

Before: [screenshot]
After: [screenshot]
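The check 59e5aaf4 describes above, as an added example that is not part of this thread and not PSFalcon code: a small POSIX sh script that detects stray `\r` bytes in a script file before it is sent to a Linux host over Real-time Response, strips them (the same effect as `set ff=unix` in vim), and reproduces the `syntax error near unexpected token `$'do\r''` failure from the original report with a constructed CRLF sample. The function names `has_cr`, `strip_cr`, `write_sample` and `script_output` are my own; the sample script is constructed, not taken from the module.

```shell
#!/bin/sh
# Added example, not PSFalcon code: detect CR (\r) bytes in a script that is about
# to be shipped to a Linux host, and normalise them away. A CRLF copy of a shell
# script reproduces the "syntax error near unexpected token `$'do\r''" failure
# reported in this issue.

# has_cr FILE: succeed (exit 0) when FILE contains at least one \r byte.
# Compares the byte count with and without \r; works on any POSIX system.
has_cr() {
  with_cr=$(wc -c < "$1" | tr -d ' ')
  without_cr=$(tr -d '\r' < "$1" | wc -c | tr -d ' ')
  [ "$with_cr" -ne "$without_cr" ]
}

# strip_cr IN OUT: write IN to OUT with every \r removed (what "set ff=unix"
# in vim does to the file on disk).
strip_cr() {
  tr -d '\r' < "$1" > "$2"
}

# write_sample FILE: constructed sample script with CRLF line endings, standing
# in for a module file that picked up \r bytes during packaging.
write_sample() {
  printf 'for t in tag1 tag2\r\ndo\r\n  echo "$t"\r\ndone\r\n' > "$1"
}

# script_output FILE: run FILE with sh and return its stdout joined by commas.
# An empty result means the script failed to parse (stderr is discarded here).
script_output() {
  sh "$1" 2>/dev/null | tr '\n' ','
}

# Stand-alone demonstration: the CRLF copy produces nothing, the stripped copy
# prints both tags.
main() {
  dir=$(mktemp -d)
  write_sample "$dir/crlf.sh"
  if has_cr "$dir/crlf.sh"; then
    printf '%s\n' "crlf.sh carries CR bytes; output before fix: '$(script_output "$dir/crlf.sh")'"
  fi
  strip_cr "$dir/crlf.sh" "$dir/lf.sh"
  printf '%s\n' "lf.sh after fix: '$(script_output "$dir/lf.sh")'"
  rm -rf "$dir"
}

main
```

Running `has_cr` over every file under the module's `script` directory before `Import-Module` is the cheap way to catch this class of packaging problem; a non-zero count of `\r` bytes in a `.sh` or `.zsh` file is the signal, whatever shell the target host runs.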

59e5aaf4 commented

> I believe I've narrowed this issue down to the transmission of the scripts used to manipulate FalconSensorTags through Real-time Response. I made some changes to those scripts, and also some optimizations to the Add-FalconSensorTag, Set-FalconSensorTag and Remove-FalconSensorTag commands.
>
> Can you please follow the steps mentioned below and let me know if this resolves your issue? Once you update the public\psf-sensors.ps1, script\add_sensortag.sh, script\add_sensortag.zsh, script\remove_sensortag.ps1, script\remove_sensortag.sh, and script\remove_sensortag.zsh, you must restart PowerShell and re-import PSFalcon.
>
> Import-Module -Name PSFalcon
> $ModulePath = (Show-FalconModule).ModulePath
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/public/psf-sensors.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-sensors.ps1)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/add_sensortag.sh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) add_sensortag.sh)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/add_sensortag.zsh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) add_sensortag.zsh)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.ps1)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.sh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.sh)
> (Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/2f562468a36820cf4b5a13f41b91faba3c5413ee/script/remove_sensortag.zsh -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath script) remove_sensortag.zsh)

Ha, nice one, but if PowerShell transparently adds CRLF line endings when parsing text you're in for a good debug time :P

59e5aaf4 commented

Last comment: if falconctl had native options ( hello, "Source/Libraries/SimpleStore/Linux/simplestore.cpp" ) to just add/remove/purge the tags without having users rely on wrapper scripts, that would be great.
Ideally, the sorted(unique_set(oldlist + newtags)) should happen inside falconctl and not in wrapper scripts which have to rely on some *sh from some UNIX system, plus sed plus xargs plus tr plus sort plus printf :P
But heh, it is what it is dot jpeg :D
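The list arithmetic 59e5aaf4 describes, sorted(unique_set(oldlist + newtags)), plus the matching removal step, as an added example that is neither PSFalcon's nor falconctl's code: a POSIX sh implementation that uses only parameter expansion, tr, sort and paste, so no sed dialect is involved and a tag value such as `SensorGroupingTags/testpsfalcon` from the original report passes through without being interpreted as a pattern. The `falconctl -g --tags` output line is a constructed sample in the `tags=a,b,c.` format shown earlier in the thread, and the function names `parse_tags`, `merge_tags`, `remove_tags` and `set_tags_cmd` are my own.

```shell
#!/bin/sh
# Added example, not PSFalcon or falconctl code: the list arithmetic the wrapper
# scripts do around "falconctl -g --tags" and "falconctl -s -f --tags", written
# with POSIX parameter expansion, tr, sort and paste only, so no sed dialect is
# involved. The falconctl output line in main() is a constructed sample in the
# "tags=a,b,c." format shown earlier in this thread.

# parse_tags "tags=a,b,c.": strip the "tags=" prefix and the trailing "." with
# parameter expansion; the value itself is never treated as a regex.
parse_tags() {
  t=$1
  t=${t#tags=}
  t=${t%.}
  printf '%s' "$t"
}

# merge_tags OLD NEW: sorted union of two comma-separated lists, duplicates and
# empty items removed, i.e. sorted(unique_set(old + new)). LC_ALL=C makes the
# order byte-wise and identical on every host regardless of locale.
merge_tags() {
  printf '%s\n%s\n' "$1" "$2" | tr ',' '\n' | grep -v '^$' | LC_ALL=C sort -u | paste -s -d ',' -
}

# remove_tags OLD DROP: OLD with every item listed in DROP removed, original
# order preserved. Items are matched whole, so dropping "old1" keeps "old10".
remove_tags() {
  keep=
  old_ifs=$IFS
  IFS=,
  for item in $1; do
    [ -n "$item" ] || continue
    case ",$2," in
      *",$item,"*) ;;                       # listed in DROP: skip it
      *) keep=${keep:+$keep,}$item ;;
    esac
  done
  IFS=$old_ifs
  printf '%s' "$keep"
}

# set_tags_cmd LIST: the falconctl invocation quoted in this thread for the new
# list, returned as text so the example runs on a host without the sensor.
set_tags_cmd() {
  printf '/opt/CrowdStrike/falconctl -s -f --tags="%s"' "$1"
}

# Stand-alone demonstration on a constructed "falconctl -g --tags" line.
main() {
  current='tags=SensorGroupingTags/old1,old2.'
  old=$(parse_tags "$current")
  merged=$(merge_tags "$old" "new1,old2")
  pruned=$(remove_tags "$merged" "old2,not-set")
  printf 'current: %s\nmerged : %s\npruned : %s\ncommand: %s\n' \
    "$old" "$merged" "$pruned" "$(set_tags_cmd "$merged")"
}

main
```

Keeping the merge and removal in plain expansions means the only external tools are ones present on any Linux or macOS base image, and a tag containing `/`, `.` or `&` cannot change the meaning of the command that is eventually handed to falconctl.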

bk-cs (Collaborator) commented Sep 20, 2024

> I managed to sort that one out by converting \r\n to \n in add_sensortag.sh. It's pretty tricky, as the \r are only there in the powershell-packaged version of psfalcon, they're not on github. My error messages were exactly the same as yours and initially I thought about all sorts of shell-specific bugs like bashisms, or curious behaviors, but no, looking at telemetry data showed a lot of \000d intermixed everywhere. Overwriting the file in (Get-Module PSFalcon).Path ( C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.7\script ) without newlines ( vim set ff=unix ) fixed this.

Thank you! I figured it was something to do with the formatting (which is why I latched on to the single line replacement script) but wasn't able to narrow down the exact cause.

I might be able to do some RegEx replacement when loading the script from disk before sending it to Real-time Response to replace any \r characters, which should help with anything introduced by the PowerShell Gallery...

bk-cs (Collaborator) commented Sep 20, 2024

> Last comment, if falconctl had native options ( hello, "Source/Libraries/SimpleStore/Linux/simplestore.cpp" ) to just add/remove/purge the tags without having users rely on wrapper scripts that would be great. Ideally, the sorted(unique_set(oldlist + newtags)) should happen inside falconctl and not with wrapper scripts which have to rely on some *sh from some UNIX system, plus sed plus xargs plus tr plus sort plus printf :P But heh, it is what it is dot jpeg :D

Unfortunately I don't make those calls... 😄

I can shift the text manipulation from happening in the SensorTag script to happening in the PSFalcon code to produce the output. That will remove the need to use sed. You're full of great ideas 😉

@bk-cs bk-cs mentioned this issue Dec 19, 2024
bk-cs (Collaborator) commented Dec 19, 2024

This fix has been included in the 2.2.8 release which is now available on GitHub. I'm going to leave this issue open until the PowerShell Gallery release is also available.

I'm still planning on relocating the sed work into the PSFalcon code instead of the script itself, but that will be part of a future version.

@bk-cs bk-cs added the fix available Self-applied fix available in issue label Dec 19, 2024
@bk-cs bk-cs closed this as completed Dec 20, 2024