question about Crowdstrike repo locations #522
-
Carlos... it was great to meet you at Red Hat Summit a few weeks back. I have a question regarding the falcon sensor repo locations (while doing an installation). The falcon_install role seems to reach out to certain repository locations inside the EC2 instances. I have to inform our firewall team where these are located in order for rules to be changed. Is there a set list of these locations? Will these locations change, and how are people notified of this?
-
Hey Aaron! When you say "it reaches out..." - what does that mean? Maybe we can start with an example of your playbook calling the role? Outside of that, the only "connection" externally would be any API calls that are made (assuming you are using the API to query/download the sensor).
-
Hi,
I am using the crowdstrike.falcon.falcon_install role like this:
```yaml
- name: Install sensor on Linux machines
  hosts: aws_test_linux
  gather_facts: yes
  become: true
  become_method: sudo
  vars:
    ansible_ssh_user: "ec2-user"
  vars_files:
    - ocs_vars.yml
  roles:
    - role: crowdstrike.falcon.falcon_install
      vars:
        falcon_install_method: file
        falcon_localfile_path: "/home/ec2-user/{{ true_cs_file }}"
        falcon_localfile_cleanup: yes
        falcon_cid: "{{ FALCON_CID }}"
        client_id: "{{ FALCON_CLIENT_ID }}"
        client_secret: "{{ FALCON_CLIENT_SECRET }}"
        cloud: us-gov-1
  ignore_errors: true
```
I am getting the error on one of my test VMs here:
```terminal
TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Install Falcon Sensor Package (Linux)] ***11:38:29
ok: [10.124.96.9]
fatal: [10.124.96.7]: FAILED! => {"changed": false, "changes": {"installed": ["/home/ec2-user/falcon-sensor-7.15.0-16803.amzn2.x86_64.rpm"]}, "msg": "\n\n One of the configured repositories failed (Unknown),\n and yum doesn't have enough cached data to continue. At this point the only\n safe thing yum can do is fail. There are a few ways to work \"fix\" this:\n\n 1. Contact the upstream for the repository and get them to fix the problem.\n\n 2. Reconfigure the baseurl/etc. for the repository, to point to a working\n upstream. This is most often useful if you are using a newer\n distribution release than is supported by the repository (and the\n packages for the previous distribution release still work).\n\n 3. Run the command with the repository temporarily disabled\n yum --disablerepo=<repoid> ...\n\n 4. Disable the repository permanently, so yum won't use it by default. Yum\n will then just ignore the repository until you permanently enable it\n…
ok: [10.124.96.13]
```
I had a similar error earlier on 10.124.96.13, but this was resolved by changing firewall rules. That is being handled by another team.
-
Yes, that is correct.
From: Carlos Matos ***@***.***>
Sent: Tuesday, May 21, 2024 12:11 PM
To: CrowdStrike/ansible_collection_falcon ***@***.***>
Cc: Hodges, Aaron ***@***.***>; Author ***@***.***>
Subject: Re: [CrowdStrike/ansible_collection_falcon] question about Crowdstrike repo locations (Discussion #522)
Let me make sure I understand what you are trying to accomplish. You are trying to install a local file that already exists at location: /home/ec2-user/{{ true_cs_file }} correct?
-
```terminal
***@***.*** ~]$ sudo yum install /home/ec2-user/falcon-sensor-7.15.0-16803.amzn2.x86_64.rpm
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Could not retrieve mirrorlist https://amazonlinux-2-repos-us-east-1.s3.dualstack.us-east-1.amazonaws.com/2/core/latest/x86_64/mirror.list error was
14: curl#35 - "Recv failure: Connection reset by peer"
One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo=<repoid> ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable <repoid>
or
subscription-manager repos --disable=<repoid>
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true
Cannot find a valid baseurl for repo: amzn2-core/2/x86_64
```
From: Carlos Matos ***@***.***>
Sent: Tuesday, May 21, 2024 12:15 PM
To: CrowdStrike/ansible_collection_falcon ***@***.***>
Cc: Hodges, Aaron ***@***.***>; Author ***@***.***>
Subject: Re: [CrowdStrike/ansible_collection_falcon] question about Crowdstrike repo locations (Discussion #522)
Okay.. well a couple of things we can try just to rule out any Ansible'ish issues.
On that EC2 instance, if you log in and as the ec2-user run:
```terminal
sudo yum install /home/ec2-user/falcon-sensor-7.15.0-16803.amzn2.x86_64.rpm
```
What happens?
-
Thank you for your help!
From: Carlos Matos ***@***.***>
Sent: Tuesday, May 21, 2024 12:53 PM
To: CrowdStrike/ansible_collection_falcon ***@***.***>
Cc: Hodges, Aaron ***@***.***>; Author ***@***.***>
Subject: Re: [CrowdStrike/ansible_collection_falcon] question about Crowdstrike repo locations (Discussion #522)
Yeah that's what I was guessing. This is not an issue with the Ansible role, this is an issue with the fact that the system doesn't seem to have access to the YUM repositories hosted by AWS. That is something you will have to work with your networking team to allow if you plan on being able to install anything on those systems.
Just as a side note, yum is a package manager and since the falcon-sensor has dependencies such as openssl, it will need your basic YUM repos to ensure any dependency is met.
Also, once you get that part worked out, you can update your playbook like such:
```yaml
- name: Install sensor on Linux machines
  hosts: aws_test_linux
  gather_facts: yes
  vars:
    ansible_ssh_user: "ec2-user"
  vars_files:
    - ocs_vars.yml
  roles:
    # Install the CrowdStrike Falcon sensor on Linux machines
    - role: crowdstrike.falcon.falcon_install
      vars:
        falcon_install_method: file
        falcon_localfile_path: "/home/ec2-user/{{ true_cs_file }}"
        falcon_localfile_cleanup: yes
    # Configure the CrowdStrike Falcon sensor on Linux machines
    - role: crowdstrike.falcon.falcon_configure
      vars:
        falcon_cid: "{{ FALCON_CID }}"
```
Notice that I removed things like the API variables (client_id, client_secret, cloud) since these are not needed when installing a local file. Also, you will need to run the falcon_configure role once the sensor is installed to set the CID and start the sensor.
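For the firewall request raised in the original question, the hosts yum contacts can be read from the repo definitions under /etc/yum.repos.d/ on the instance. The sketch below is an added example, not code from this thread or from the CrowdStrike collection; the sample repo file is constructed (only the mirrorlist host comes from the error output above), and `expand` and `repo_endpoints` are hypothetical helper names.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample of a yum .repo file. The mirrorlist host is the one in the
# error output above; the other two sections are made up for illustration.
SAMPLE_REPO = """\
[amzn2-core]
name=Amazon Linux 2 core repository
mirrorlist=https://amazonlinux-2-repos-us-east-1.s3.dualstack.us-east-1.amazonaws.com/$releasever/core/latest/$basearch/mirror.list
enabled=1

[internal-tools]
name=Hypothetical internal mirror
baseurl=http://repo.example.internal:8080/el/$basearch
        file:///mnt/offline-repo
enabled=1

[disabled-extras]
name=Hypothetical disabled repo
baseurl=https://extras.example.com/$releasever
enabled=0
"""

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def expand(value, yum_vars):
    """Substitute yum-style $var / ${var} references; unknown names are left as-is."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: yum_vars.get(m.group(1).lower(), m.group(0)), value)


def repo_endpoints(repo_text, yum_vars):
    """Return {(repo_id, host, port)} that yum contacts for enabled repositories."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    found = set()
    for repo_id in parser.sections():
        section = parser[repo_id]
        if section.get("enabled", "1").strip() != "1":
            continue  # disabled repos are not contacted
        for key in ("baseurl", "mirrorlist", "metalink"):
            for raw in section.get(key, "").split():
                url = urlsplit(expand(raw, yum_vars))
                if url.scheme in DEFAULT_PORTS and url.hostname:
                    found.add((repo_id, url.hostname, url.port or DEFAULT_PORTS[url.scheme]))
    return found
```

A `mirrorlist` URL returns a list of base URLs that yum fetches next, so any hosts named in that response need firewall rules as well.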