crowdstrike / cloud-aws

A collection of projects supporting AWS Integration

License: MIT License

Languages: Python 61.52%, Shell 16.54%, HCL 15.12%, PowerShell 6.82%

cloud-aws's Introduction

AWS Account Registration

  • Amazon Built In: Use Amazon Built-In to register the AWS Organization or Control Tower with CrowdStrike Cloud Security.
  • AWS CloudFormation or Terraform: Use CloudFormation or Terraform templates to register the AWS Organization with CrowdStrike Cloud Security.

AWS Service Integrations

  • AWS CloudTrail Lake with CrowdStrike: Leverage the CrowdStrike Falcon Streaming API to log and store user activity data from the Falcon console in a seamless and efficient way with AWS CloudTrail Lake.
  • AWS Network Firewall with CrowdStrike Threat Intelligence: Build capabilities such as automated blocking of malicious domains (via AWS Network Firewall) based on CrowdStrike detection alerts, or perform threat hunting derived from CrowdStrike domain-based Indicators of Activity (IOAs).
  • AWS PrivateLink with CrowdStrike Sensor Proxy: Leverage AWS PrivateLink to provide private connectivity between your CrowdStrike-protected workloads and the CrowdStrike cloud.
  • AWS Security Hub with CrowdStrike Event Streams API: The Falcon Integration Gateway publishes detections identified by CrowdStrike Falcon for instances residing within Amazon Web Services (AWS) to AWS Security Hub.
  • Amazon S3 Protected Bucket with CrowdStrike Quick Scan API: S3 Bucket Protection secures your Amazon S3 buckets by scanning files as they are uploaded using the CrowdStrike Quick Scan API.
  • AWS Verified Access with CrowdStrike Zero Trust Assessment (ZTA): Using CrowdStrike ZTA, we give customers the ability to assess their endpoint security posture, allowing AWS Verified Access to provide conditional access to private applications that comply with your organization's device posture policies.
  • Amazon Security Lake with CrowdStrike Falcon Data Replicator (FDR): Transforms your CrowdStrike FDR data into OCSF (Open Cybersecurity Schema Framework) and ingests it into your Amazon Security Lake for centralized management of your security-related logs.

CrowdStrike Sensor Automation

  • AWS Autoscale Groups for Auto Register/Deregister: Utilize AWS Autoscale Groups to install the CrowdStrike Falcon Sensor during virtual machine initialization, and AWS Autoscale Lifecycle hooks to deregister the instance with CrowdStrike upon virtual machine termination.
  • AWS EventBridge and AWS State Manager: Leverage AWS EventBridge and AWS Systems Manager State Manager to manage the deployment of the Falcon Agent and the removal of stale sensors.
  • AWS Systems Manager Parameter Store with PowerShell Sensor Installation Script: Sample automation which leverages AWS Systems Manager Parameter Store to store CrowdStrike API credentials. These credentials are passed into a Microsoft PowerShell script to bootstrap the CrowdStrike Falcon Sensor for Windows during a Windows virtual machine's first boot process.
  • AWS Systems Manager with Linux BASH Sensor Installation Script: POSIX script that installs the CrowdStrike sensor. The script is currently tailored to use within AWS Systems Manager, but can be used outside Systems Manager as well.
  • AWS Terraform Template for Sensor Installation: Sample AWS Terraform template that builds a test VPC, creates an Ubuntu-based web server, and automatically installs the CrowdStrike Falcon sensor into the virtual machine.

DevSecOps Automations

  • EC2 Isolation Webhook: Isolate a potentially compromised EC2 instance through an API endpoint while it's undergoing an incident response investigation.

Kubernetes and Containers

  • Container Runtime Protection: Guides to deploying CrowdStrike Falcon on containers and Kubernetes-centric AWS services.

cloud-aws's People

Contributors

bk-cs, carlosmmatos, crowdstrikedcs, dependabot[bot], eogradney, falcon-pioupiou, ffalor, franklinjff, isimluk, jhseceng, jshcodes, lex0tanil, mccbryan3, musayev-io, nunley, redhatrises, ryanjpayne, seantibor, shawndwells, snyk-bot, stephengoodall, tomryan-321

cloud-aws's Issues

PowerShell Uninstall Script

Hi,

On Windows, is it possible to uninstall the CrowdStrike sensor via a PowerShell script?

I have only seen documentation that involves downloading an uninstall tool via the web UI; can this uninstall tool be downloaded via an API call, such that the entire uninstall process can be done via a PowerShell script?

Thanks,
Jack

Error executing Crowdstrike Install PowerShell script

Trying to execute the PowerShell script referred to in https://github.com/CrowdStrike/Cloud-AWS/tree/master/Agent-Install-Examples/powershell

The script itself gives an example to execute it with parameters as
PS>.\sensor_install.ps1 -BaseAddress <string> -ClientId <string> -ClientSecret <string>

However, the user data shows it called without parameter flags:
C:\Windows\Temp\sensor.ps1 FALCON_CLIENT_ID_HERE FALCON_CLIENT_SECRET_HERE

Anyway, getting an error on execution (actual id and secret are replaced, of course):

PS C:\Users\Administrator> C:\Windows\Temp\sensor_install.ps1 -BaseAddress 'https://api.crowdstrike.com' -ClientId 'xxxxxxxxxxxxxxxxxxxxx' -ClientSecret 'xxxxxxxxxxxxxxxxxx'
Exception calling "OpenRead" with "1" argument(s): "The remote server returned an error: (403) Forbidden."
At C:\Windows\Temp\sensor_install.ps1:129 char:9
+         $Request = $Falcon.OpenRead($Path)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

New-Object : A constructor was not found. Cannot find an appropriate constructor for type System.IO.StreamReader.
At C:\Windows\Temp\sensor_install.ps1:130 char:19
+         $Stream = New-Object System.IO.StreamReader $Request
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand

You cannot call a method on a null-valued expression.
At C:\Windows\Temp\sensor_install.ps1:131 char:9
+         $Output = $Stream.ReadToEnd()
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Failed to match policy name 'platform_default'
At C:\Windows\Temp\sensor_install.ps1:214 char:9
+         throw $Message
+         ~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Failed to match...atform_default':String) [], RuntimeException
    + FullyQualifiedErrorId : Failed to match policy name 'platform_default'

PS C:\Users\Administrator>

Chores: broken links in the docs

It has been brought to my attention that this repo contains broken links. This is a tracking issue for me to programmatically detect and then fix various broken links in our publicly facing docs.

Problem with Crowdstrike & AWS Security Hub integration

I deployed the integration through terraform and followed the guide here:
https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub/terraform
But AWS Security Hub cannot receive events from Crowdstrike. I checked the fig service on the fig instance and found that it failed to connect to the CS API:
image
I double checked the API we used and I'm sure that we provided the required access:
Event Streams API - READ
Hosts API - READ
Sensor Download API - READ
Any help would be appreciated!

Query on AWS Install to Amazon Linux 2

Hi,
I've been trying to get this setup recently (https://github.com/CrowdStrike/Cloud-AWS/tree/main/state-manager) and I'm seeing the following error in the runCommand logs:

uninstall errors: sudo: /opt/CrowdStrike/falconctl: command not found
No Match for argument: falcon-sensor

install errors: Warning: RPMDB altered outside of yum.
warning: falcon-sensor.rpm: Header V4 RSA/SHA512 Signature, key ID 519b177f: NOKEY
error: Failed dependencies:
	ld-linux-aarch64.so.1()(64bit) is needed by falcon-sensor-6.41.0-13804.amzn2.aarch64
	ld-linux-aarch64.so.1(GLIBC_2.17)(64bit) is needed by falcon-sensor-6.41.0-13804.amzn2.aarch64
	libdl.so.2(GLIBC_2.17)(64bit) is needed by falcon-sensor-6.41.0-13804.amzn2.aarch64
	libm.so.6(GLIBC_2.17)(64bit) is needed by falcon-sensor-6.41.0-13804.amzn2.aarch64
	libpthread.so.0(GLIBC_2.17)(64bit) is needed by falcon-sensor-6.41.0-13804.amzn2.aarch64
install.sh: line 11: /opt/CrowdStrike/falconctl: No such file or directory
Failed to restart falcon-sensor.service: Unit not found.

I think the uninstall error is OK as it won't have been installed at that point, but the dependencies errors seem to be the cause of the issues for me. Later attempts return with a response saying the Document has already been installed so it just says that every 30 minutes due to the schedule.

Does the falcon sensor 6.41.0 need something that is not included in the amzn2-ami-kernel-5.10-hvm-2.0.20220606.1-x86_64-gp2 AMI? (I also just tested on amzn2-ami-hvm-2.0.20220719.0-x86_64-gp2 which is kernel 4.14 and saw the same output)

(This is the first time I've used AWS Systems Manager etc., so apologies if some of the above is basic - let me know if I need to provide more info 🙄 )

Thanks

Allow passing multiple existing bucket names

I want to scan multiple existing S3 buckets, but it looks like I have to create a new lambda function for each S3 bucket.

I think it would be better to have an existing bucket name array to pass multiple S3 bucket names.

In the current scenario, I have to apply the terraform code for each existing S3 bucket.

Powershell agent install "cloud-aws/

https://github.com/CrowdStrike/Cloud-AWS/tree/master/Agent-Install-Examples/powershell

When downloading the installer from github I needed to force the client to TLS 1.2:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

The $Response object did not have a dispose method
$Response.Dispose()
Line 127
Disabling it allowed the script to complete.

PS C:\Users\Administrator> $PSVersionTable

Name Value


PSVersion 5.1.14393.4350
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.4350
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Terraform links in Readme.md for Discover seem to be dead

The following links are a 404:

  • Terraform templates for the log archive account creating new bucket
  • Terraform templates for the log archive account using an existing bucket
  • Terraform templates for additional accounts creating new CloudTrail log
  • Terraform templates for additional accounts using an existing CloudTrail log

Error registering account with discover

I am attempting to integrate our AWS ControlTower environment with CrowdStrike. When deploying the CFT in the log archive account the Lambda function that registers the AWS account with the CrowdStrike API is failing with 'code': 401, 'message': 'access denied, invalid bearer token'. I have used the CrowdStrike swagger page to exchange my clientID and clientSecret for a token and then successfully made the API call using the test page to successfully post an account registration.

I believe the issue to be that the register_logarchive_account.py code (hosted in a CS S3 bucket) is leveraging https://api.crowdstrike.com, which support says is also known as api.us-1.crowdstrike.com. Our CrowdStrike tenant is in api.us-2.crowdstrike.com.

Potential fix:

  • Capture the customer's tenant info as a CloudFormation parameter
  • Store this in AWS Systems Manager Parameter Store
  • Modify the python code to pull this parameter at runtime.

Workaround:

Do we have these templates for the gov environment?

Hi, I am trying to automate the deployment of Crowdstrike in our AWS infrastructure. While going through the template I see that the CrowdStrike cloud listed does not have Gov cloud:

CrowdStrikeCloud:
  Default: us1
  Description: The CrowdStrike Cloud your CID is hosted in us1, us2, eu
  Type: String
  AllowedValues:
    - us1
    - us2
    - eu

Is it supported?

I think it would be great for the Gov cloud users to have these templates available for them as well.

https://github.com/CrowdStrike/Cloud-AWS/tree/main/Control-Tower/log-archive-acct

Thank you.

Regards,
Pradipna Gautam

Allow using named AWS profiles for the agents

The script assumes you have one set of credentials set up.

When you have multiple accounts you use a named profile to run all aws commands: aws s3 ls --profile xxxxx.

Add the option to allow using profiles in the scripts.

No `lsmod` in current image, can't verify as per docs

Working through https://github.com/CrowdStrike/Cloud-AWS/blob/main/Container%20Security/kernel-eks-implementation-guide.md, it says to exec into one of the CS pods and run lsmod, but the current image doesn't seem to include one:

kubectl -n falcon-system exec -i -t falcon-helm-falcon-sensor-2qkg6 -- /bin/sh
Defaulted container "falcon-node-sensor" out of: falcon-node-sensor, init-falconstore (init)
sh-4.4# lsmod
sh: lsmod: command not found

I was able to verify it by launching a Debian pod and installing kmod, but the docs are incorrect.

Folder and guide name suggestions

In regards to:
https://github.com/CrowdStrike/Cloud-AWS/tree/master/Container%20Security
https://github.com/CrowdStrike/Cloud-AWS/blob/master/Container%20Security/eks-implementation-guide.md

Action:
Update the name of the containing folder, "Container Security", to something more specific or relative to the service/methodology being used in AWS. Similarly, update the guides contained in the folder.

Examples:
Instead of: "Container Security"
Use: "EKS Guides", "EKS & Fargate Guides", <-- more specific and easier to locate when searching.

Instead of: eks-implementation-guide.md
Use: aws-eks-fargate-sensor-install.md <-- more specific and easier to locate when searching.

Additionally
Update the rest of the guides in the "Container Security" folder to align with their respective service and deployment method.

Error when trying to use the standard download script

When trying to use the packager to create the distribution package, the cached_property import fails.

Traceback (most recent call last):
File "packager.py", line 14, in
from functools import cached_property
ImportError: cannot import name 'cached_property'

[HELP] Falcon Node Sensor Deployment Failure

Hi Team,

I was following a guide as per the documentation

The deployment completes successfully, however there are a few issues which need help fixing.

When trying to verify if the node sensor is fully up, i.e. if Falcon Sensor for Linux has inserted itself into the kernel, the logs on the falcon node sensor look like this:

❯ k logs --tail 100 -f -n falcon-system falcon-helm-falcon-sensor-24xzr

Defaulted container "falcon-node-sensor" out of: falcon-node-sensor, init-falconstore (init)
Mon May 23 05:42:26 2022 Invalid file /opt/CrowdStrike/falconstore length: 0    (27756) [624]

Also verifying from inside the pods

❯ k exec -n falcon-system falcon-helm-falcon-sensor-24xzr --stdin --tty -- /bin/sh

Defaulted container "falcon-node-sensor" out of: falcon-node-sensor, init-falconstore (init)

sh-4.2#
sh-4.2# lsmod|grep falcon
sh-4.2# exit

Environment Information

eks -> 1.22
node type -> t3.xlarge

Further Query:
Do we also need to install falcon-sensor if we have deployed falcon-node-sensor?

Incorrect API permissions described

Hey team, the guide states only the 'sensor download' permission is needed for the CrowdStrike API but misses 'Falcon Images Download', causing an error.

Manual installation is not working

AWS Security integration was successful:

Installation link used : https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub/install

Here is the flow I tried:

Screenshot from 2023-06-07 21-56-11-InstallationSnapshot

Once the installation completed, I tried to start the service but it didn't start. I'm unsure which logs to look into as I don't see anything in /var/logs/...

Tried to execute the python script by looking at service file but that too failed with some HTTP error.

Screenshot from 2023-06-07 21-56-50-Status_And_Manul_PyExecution

Please let me know if any steps are missing in the docs.

What to put in the "Key" value when trying to run Cloudformation based security-hub integration?

Hi, I'm trying to run a CloudFormation job using Security-Hub/cloudformation/security-hub-integration.yaml - but I can't figure out what to use for the "Key" value. The text description just says "The key used to access the instance." - and the documentation states this is an SSH key.

I tried generating a public RSA key, but when I paste the key into that field while trying to run a Cloudformation stack, the process eventually bombs out and says "Value for parameter is invalid. Length exceeds maximum of 255. (Service: AmazonEC2; Status Code: 400"

A standard RSA key seems to be over 700 characters long.

What exactly am I supposed to be pasting in that field?

Discover Control Tower deployment does not seem to be picking up environment modifications

Followed the deployment guide for Falcon Discover with Control Tower (https://github.com/CrowdStrike/Cloud-AWS/blob/master/Control-Tower/README.md). CloudFormation run in Master Account and LogArchive account, then StackSet manually pushed to existing accounts.

Accounts were registered in API...EC2, EBS, and VPC data picked up and reported after registration...but then subsequent changes (i.e. termination of a test EC2 instance) were never reflected in the CrowdStrike console (been approximately 5 days now).

Assistance would be appreciated. Please let me know what other information would help. Thank you!

Control-Tower-For-Horizon - Access Denied by S3

Hi there 👋 , I've followed the documentation for enabling AWS Control Tower for Horizon as described here, and I run into the following error while running the CloudFormation template:

"Your access has been denied by S3, please make sure your request credentials have permission to GetObject for crowdstrike-sa-resources-ct-us-east-2/push_horizon_stackset_lambda.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: Lambda, Status Code: 403, Request ID: 29776818-1202-402a-a58e-11f677d85569)" (RequestToken: b9e84743-624c-1c79-7c24-a53c9b9a9924, HandlerErrorCode: AccessDenied)

I fulfilled all of the prerequisites, and as for the API scopes, I enabled r/w permissions to AWS accounts, CSPM registration, CSPM remediation, Detections, Device control policies, Hosts, Falcon Discover, Host groups, Incidents, Installation Tokens, IOC Manager APIs and Event streams.

The AWS region of the account is us-east-2, and the crowdstrike api is us1 ( https://api.crowdstrike.com )

Is there anything I'm missing? Thanks in advance

Package is not supported (package is missing install action)

I’ve created an SSM automation deployment successfully using option B in the README. The execution works until the last step, which is the installation task. I'm testing with two instance types: Amazon Linux 2 and Windows 2019 server. Both deployed as EC2 instances using AWS’s AMIs. SSM was confirmed functional on both as well. The Linux instance works flawlessly, while the Windows part fails with:
Package is not supported (package is missing install action)

Things I have tried so far:
Repackaging the installer using the packager.py with the various versions I’ve found in this repo for the windows install.ps1/uninstall.ps1 scripts.

Downloaded the files I have uploaded to S3 and confirmed their checksum matched the included manifest.json.

I’m at a loss at this point as to why it's failing to find the package while the Linux install in the same document works.

Trying to figure out how fig is supposed to know what url to connect to (security hub integration)

Hi there, I've been following instructions here:

https://www.crowdstrike.com/blog/tech-center/crowdstrike-aws-security-hub/
and
https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub

The Cloudformation job seems to have run okay. I'm able to log into the ec2 instance and confirm I have outbound connectivity, and am able to reach crowdstrike urls.

But fig.service is failing when I run. Looking at /var/log/messages, I see the following:

Jul 14 19:48:30 ip-10-0-0-157 python3: Failed to connect to the API on us1.  Check base_url and ssl_verify configuration settings.
Jul 14 19:48:30 ip-10-0-0-157 systemd: fig.service: main process exited, code=exited, status=1/FAILURE
Jul 14 19:48:30 ip-10-0-0-157 systemd: Unit fig.service entered failed state.
Jul 14 19:48:30 ip-10-0-0-157 systemd: fig.service failed.

The documentation confuses me a bit, because it talks about 6 parameters being needed, but the screenshot of Parameter Store values only shows 5 values (and does not include a base_url parameter). Looking directly at our AWS Parameter Store, I actually see there is no mention of any base_url parameter.

Digging around the code further here:
https://github.com/CrowdStrike/Cloud-AWS/blob/main/Security-Hub/main.py

I see that if base_url isn't specified, it defaults to "us1" - which makes sense considering the error message output.

I'm wondering if someone can explain what went wrong, and if there's supposed to be some step about manually adding a particular URL entry to the parameter store and, if so, how that should be formatted (I see two types of entries, for example both FIG_FALCON_CLIENT_ID and Falcon_ClientID parameters) - I want to make sure I know the correct parameter name to use, along with the proper value for the URL... I suspect it is https://api.laggar.gcw.crowdstrike.com/ but it would be great to have confirmation.
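Both the "Error registering account with discover" issue above (the registration Lambda hard-coded to https://api.crowdstrike.com while the tenant lives in us-2) and this fig issue (base_url silently defaulting to us1) come down to the same missing step: resolving the tenant's API base URL from configuration. The following is an added example, not code from the Cloud-AWS repo, showing one way to read that value from an SSM parameter and validate it; the parameter name /CrowdStrike/BaseURL, the FakeSSM test double and the eu-1 URL (taken from FalconPy's base-URL list) are assumptions, while the us1, us2 and GovCloud URLs are the ones quoted in the issues above.

```python
"""Resolve the CrowdStrike API base URL from SSM Parameter Store.

Added example (not code from the CrowdStrike/Cloud-AWS repo). A registration
Lambda or the fig service can call resolve_base_url() instead of assuming
https://api.crowdstrike.com, so a tenant in us-2 or GovCloud reaches the
right cloud and a typo fails fast instead of producing a 401/403 later.
"""
from urllib.parse import urlparse

# Short cloud names (us1/us2/eu as in the CloudFormation parameter quoted in
# the issues above, plus a GovCloud name) mapped to API base URLs. The us1,
# us2 and GovCloud URLs are the ones quoted in the issues; the eu-1 URL is
# taken from FalconPy's base-URL list (assumption).
CLOUD_BASE_URLS = {
    "us1": "https://api.crowdstrike.com",
    "us2": "https://api.us-2.crowdstrike.com",
    "eu": "https://api.eu-1.crowdstrike.com",
    "usgov1": "https://api.laggar.gcw.crowdstrike.com",
}
# Reverse map so a full URL can be validated against the known hosts.
_HOST_TO_CLOUD = {urlparse(url).netloc: cloud for cloud, url in CLOUD_BASE_URLS.items()}

DEFAULT_CLOUD = "us1"  # what main.py falls back to, per the fig issue above

# Hypothetical parameter name; the repo's real parameter names are not on this page.
BASE_URL_PARAMETER = "/CrowdStrike/BaseURL"


def normalize_base_url(value):
    """Turn a short cloud name or a full/bare API host into a canonical base URL.

    Accepts 'us2', 'api.us-2.crowdstrike.com' or 'https://api.us-2.crowdstrike.com/'.
    Empty input means the parameter was blank: fall back to the default cloud.
    Anything else raises ValueError so a misconfiguration is visible at start-up.
    """
    value = (value or "").strip().lower()
    if not value:
        return CLOUD_BASE_URLS[DEFAULT_CLOUD]
    if value in CLOUD_BASE_URLS:
        return CLOUD_BASE_URLS[value]
    candidate = value if "://" in value else "https://" + value
    parsed = urlparse(candidate)
    if parsed.scheme != "https" or parsed.netloc not in _HOST_TO_CLOUD:
        raise ValueError("unknown CrowdStrike API base URL: %r" % value)
    return CLOUD_BASE_URLS[_HOST_TO_CLOUD[parsed.netloc]]


def resolve_base_url(ssm_client, parameter_name=BASE_URL_PARAMETER):
    """Read the base URL parameter from SSM; a missing parameter means us1.

    ssm_client only needs get_parameter() and exceptions.ParameterNotFound,
    which is the shape of a boto3 SSM client, so a stub can be injected.
    """
    try:
        response = ssm_client.get_parameter(Name=parameter_name, WithDecryption=True)
    except ssm_client.exceptions.ParameterNotFound:
        return CLOUD_BASE_URLS[DEFAULT_CLOUD]
    return normalize_base_url(response["Parameter"]["Value"])


class FakeSSM:
    """Constructed offline stand-in for a boto3 SSM client (test double)."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class ParameterNotFound(Exception):
            pass

    def __init__(self, params):
        self._params = dict(params)

    def get_parameter(self, Name, WithDecryption=False):
        if Name not in self._params:
            raise self.exceptions.ParameterNotFound(Name)
        return {"Parameter": {"Name": Name, "Value": self._params[Name]}}


if __name__ == "__main__":
    # Tenant in us-2, as in the Discover issue: the call must go to us-2.
    print(resolve_base_url(FakeSSM({BASE_URL_PARAMETER: "us2"})))
    # Parameter absent, as in the fig issue: falls back to us1.
    print(resolve_base_url(FakeSSM({})))
```

With a real boto3 client the same call is resolve_base_url(boto3.client("ssm")), and the Lambda's CloudFormation template only needs to write the chosen cloud into that parameter.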

Findings Not Populating in Security Hub After CrowdStrike Subscription ([security-hub-integration.yaml])

I successfully deployed the CloudFormation template for the CrowdStrike integration with Security Hub link. However, even after subscribing to CrowdStrike findings in the deployed region, I am not seeing any findings populate within Security Hub.

Steps to Reproduce:

  • Deployed the CloudFormation template with necessary parameters.
  • Successfully launched the stack.
  • Subscribed to CrowdStrike findings in the deployed region ([us-east-1]).
  • Verified Security Hub for findings, but none are present.

Expected Behavior:

  • After deployment and subscription, Security Hub should begin receiving and displaying findings from CrowdStrike.

Actual Behavior:

  • No CrowdStrike findings are populating in Security Hub.

Possible Causes:

  • Issue with Lambda function processing detections and submitting findings to Security Hub.
  • Misconfiguration during subscription process within CrowdStrike.

Custom docker base images with Falcon sensor

Hello Team,

The container security examples in the repo and the internal documentation in the support portal are focused on self-managed k8s or EKS/Fargate. AWS Sagemaker is a fully managed machine learning service and it makes extensive use of Docker containers for build and runtime tasks. Is it possible to prebuild a custom docker image with the Falcon sensor installed?

Cheers

Add quota check to S3 bucket protection example

In its current iteration, this example provides the same error for both an invalid key and a tenant that has hit its quota max. Update this solution to check the quota and report this error separately.

Runtime.ImportModuleError errors when trying to deploy / use S3 bucket protection example

A recent change within the defaults for the environments used within the S3 bucket protection demo has resulted in a breaking issue. This issue impacts the lambda function solution example as well as the EC2 environment stood up by the terraform demonstration.

Demonstration environment

The default installation of OpenSSL on the version of AWS Linux 2 used in the demonstration is 1.0.2k-fips which is not high enough to meet the new urllib3 requirements. As this only impacts the malware download performed as part of the demonstration stand up, this issue will be resolved by pinning the version of urllib3 used for the EC2 environment to 1.26.15.

Lambda Function

Depending on how the S3 bucket protection lambda is configured, you may see one of two error messages within CloudWatch logs for the lambda function. This issue will be resolved by taking the following steps:

  • Updating the FalconPy layer used to no longer include urllib3.
  • Adding the AWS layer, AWSLambdaPowertoolsPythonV2 to the lambda function.
  • Terraforms used in the demonstration will be updated to leverage these new layers.
  • The runtime for the lambda function will be moved to Python 3.10.

Users using this solution without altering the Python runtime for the lambda will see the following message.

[ERROR] Runtime.ImportModuleError: Unable to import module 'lambda_function': urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2k-fips  26 Jan 2017. See: https://github.com/urllib3/urllib3/issues/2168

This is caused by a conflict with urllib3 requirements and the current running environment for this runtime. The lambda layer is generated hourly, and uses the latest versions of the requirements. Once this layer moved to versions 2.0 or greater, this issue presented itself.

Users having already moved to Python 3.8 or greater will see this message instead

[ERROR] Runtime.ImportModuleError: Unable to import module 'lambda_function': cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_' (/opt/python/urllib3/util/ssl_.py)

This is caused by some missing package requirements for this runtime. This is resolved by attaching the AWS standard layer AWSLambdaPowertoolsPythonV2, and then attaching a modified version of the falconpy layer that does not include urllib3. The version of falconpy-layer.zip maintained within this folder has already been modified to remove urllib3 and is no longer dynamically generated.
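The first error above only surfaces when urllib3 is imported, at which point the Lambda has already failed to load. The following added example (not code from the Cloud-AWS repo) checks the interpreter's OpenSSL build against the installed urllib3 version from package metadata, without importing urllib3, so the conflict can be logged as a plain message at start-up; the function names and the pin string are assumptions, the 1.1.1 threshold and the 1.26.15 pin are the ones stated in the issue.

```python
"""Preflight check for the urllib3 v2 / OpenSSL 1.0.2 conflict.

Added example, not code from the Cloud-AWS repo. Call preflight() before
importing falconpy/urllib3 in the Lambda or on the demo EC2 host so the
failure is reported as a clear message instead of Runtime.ImportModuleError.
"""
import re
import ssl

# urllib3 2.x refuses to import when the ssl module is built on OpenSSL < 1.1.1.
MIN_OPENSSL_FOR_URLLIB3_V2 = (1, 1, 1)
# The pin the issue applies to the EC2 demonstration environment.
URLLIB3_V1_PIN = "urllib3==1.26.15"

# Matches the numeric part of ssl.OPENSSL_VERSION, e.g. 'OpenSSL 1.0.2k-fips  26 Jan 2017'.
_OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(version_string):
    """Extract (major, minor, patch) from ssl.OPENSSL_VERSION text.

    The letter suffix ('k') and '-fips' tag are ignored; LibreSSL or other
    unrecognised strings raise ValueError so the caller can decide what to do.
    """
    match = _OPENSSL_RE.search(version_string)
    if not match:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_string)
    return tuple(int(part) for part in match.groups())


def parse_urllib3_major(version_string):
    """Return the major version of a urllib3 version string such as '2.0.2'."""
    head = version_string.strip().split(".")[0]
    if not head.isdigit():
        raise ValueError("unrecognised urllib3 version: %r" % version_string)
    return int(head)


def check_compatibility(openssl_version_string, urllib3_version):
    """Return (ok, message) for a given OpenSSL build and urllib3 version.

    The only failing combination is urllib3 >= 2 on OpenSSL < 1.1.1; the
    message names the pin that restores a working import on that host.
    """
    openssl = parse_openssl_version(openssl_version_string)
    openssl_text = ".".join(str(n) for n in openssl)
    major = parse_urllib3_major(urllib3_version)
    if major >= 2 and openssl < MIN_OPENSSL_FOR_URLLIB3_V2:
        return False, (
            "urllib3 %s requires OpenSSL >= 1.1.1 but the ssl module is built "
            "against OpenSSL %s; pin %s or move to a runtime with a newer OpenSSL"
            % (urllib3_version, openssl_text, URLLIB3_V1_PIN)
        )
    return True, "urllib3 %s is compatible with OpenSSL %s" % (urllib3_version, openssl_text)


def preflight():
    """Check the running interpreter; never imports urllib3 itself.

    Reads the urllib3 version from package metadata, because importing
    urllib3 on an incompatible host is exactly what raises the error.
    """
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python < 3.8: no importlib.metadata
        return True, "importlib.metadata unavailable; skipping urllib3 check"
    try:
        urllib3_version = version("urllib3")
    except PackageNotFoundError:
        return True, "urllib3 not installed; nothing to check"
    try:
        return check_compatibility(ssl.OPENSSL_VERSION, urllib3_version)
    except ValueError as exc:
        return True, "skipping check: %s" % exc


if __name__ == "__main__":
    ok, message = preflight()
    print(("OK: " if ok else "FAIL: ") + message)
```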

No linux/arm64 tooling container available for the EKS guide

The EKS guide here points to downloading a tooling container:

sudo docker run --privileged=true \

The tooling container does not have a Linux ARM64 build and therefore this command will fail on an Apple silicon Mac, giving this error:

docker: image with reference quay.io/crowdstrike/cloud-tools-image:latest was found but does not match the specified platform: wanted linux/arm64, actual: linux/amd64.

Falcon Sensor Install ... Fatal error: Invalid Access Token:

Hi - we are having issues using the Cloud-AWS/Agent-Install-Examples/bash/API-download/install.sh script. It gives us the output:

Falcon Sensor Install ... Fatal error: Invalid Access Token: <jwt>

When running the script with environment variables:

FalconCID=$FalconCID CS_API_GATEWAY_CLIENT_ID=$CS_API_GATEWAY_CLIENT_ID CS_API_GATEWAY_CLIENT_SECRET=$CS_API_GATEWAY_CLIENT_SECRET ./cs-install.sh

Thanks,
Jack

Minor changes to eks-implementation-guide

The arg to -c in the following command needs to be changed:

$ kubectl exec $(kubectl get pods | grep detection | awk '{print $1}') -c falcon-container -- falconctl -g --aid

to -c crowdstrike-falcon-container

There are also some changes to the terminal commands that need to be updated as well.

Clean up kernel-eks-implementation-guide readme

Docs have a few minor issues:

  • copy and paste commands include leading $
  • copy and paste commands (some) have trailing \n which causes the command to be executed, thus not allowing a user to customize the variables in time.
  • I would say a general clean up in some sections just to ensure clarity

StackSet CrowdstrikeDiscover-IAM-ROLES not found

Hi 👋 , I'm trying to deploy AWS Control Tower with CrowdStrike Discover for Cloud and Containers for automatically enrolling new accounts to Crowdstrike Discover, provisioned with Account Factory via Control Tower.

So far I've successfully executed both CloudFormation templates in the log-archive and master accounts (all of the expected resources were created, some with different naming than the ones described in the Implementation Guide).

Once I proceed to create a new account, I expect the newly provisioned account to have the CrowdStrike resources created (IAM Role, Lambda Function), but they're missing. In the master account logs, the only error I'm getting is the following:

[ERROR] Unable to launch in:CrowdstrikeDiscover-IAM-ROLES, REASON: An error occurred (StackSetNotFoundException) when calling the CreateStackInstances operation: StackSet CrowdstrikeDiscover-IAM-ROLES not found

Do you have any recommendations on how to proceed? Thanks in advance