ansible_collection_falcon's Issues

Authenticate to Crowdstrike API || 400 - Bad Request

Currently attempting to install falcon to a new host, but keep running into a 400 error. Thought it was because we were initially using the wrong API link, but it still is throwing the same error. The creds we're using should be more or less fine, we've used them before, but I could use a few pointers to potentially resolve this issue. Having a hard time figuring out where else to dig to resolve it.

Ran with logging enabled and 2x verbosity. We have an encrypted variables file for CID token and others being pulled in via 'vars_files' module, just before invoking the collection role call on the top level playbook.

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Authenticate to CrowdStrike API] **************************************************************************************************************************************************************
task path: ~/ansible_collections/crowdstrike/falcon/roles/falcon_install/tasks/api.yml:2
fatal: [host]: FAILED! => {"changed": false, "connection": "close", "content": "{\n \"meta\": {\n  \"query_time\": 0.001812609,\n  \"powered_by\": \"csam\",\n  \"trace_id\": \"--\"\n },\n \"errors\": [\n  {\n   \"code\": 400,\n   \"message\": \"Failed to generate access token for clientID=cid.\"\n  }\n ]\n}\n", "content_length": "260", "content_type": "application/json", "date": "Fri, 15 Apr 2022 22:32:29 GMT", "elapsed": 0, "json": {"errors": [{"code": 400, "message": "Failed to generate access token for clientID=cid."}], "meta": {"powered_by": "csam", "query_time": 0.001812609, "trace_id": "--"}}, "msg": "Status code was 400 and not [201]: HTTP Error 400: Bad Request", "redirected": false, "server": "nginx", "status": 400, "strict_transport_security": "max-age=31536000; includeSubDomains", "url": "https://api.laggar.gcw.crowdstrike.com/oauth2/token", "x_cs_traceid": "--", "x_ratelimit_limit": "300", "x_ratelimit_remaining": "299"}

Any suggestions for further digging, things to try, further enabling verbose logging, etc?

"Example of deleting options" Doesn't work

From doc:

Examples of deleting options:

- hosts: all
  roles:
    - role: crowdstrike.falcon.falcon_configure
      vars:
        falcon_option_state: no
        falcon_cid: ""
        falcon_tags: ""

Doesn't work.
I tried with an API client/token with all permission but it gives this error:

Status code was 308 and not [201]: HTTP Error 308: Permanent Redirect

If I set a cid it works correctly.

Error on TASK Set CID received from API

Just updated to 3.2.0 of the collection and now I'm getting the following error when running my playbook:

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Set CID received from API] ******************************************************************************************************
fatal: [hostname]: FAILED! => {"msg": "The conditional check 'not falcon_cid' failed. The error was: error while evaluating conditional (not falcon_cid): 'falcon_cid' is undefined\n\nThe error appears to be in '/etc/ansible/projects/crowdstrike/collections/ansible_collections/crowdstrike/falcon/roles/falcon_install/tasks/win_api.yml': line 91, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: CrowdStrike Falcon | Set CID received from API\n ^ here\n"}

Here's what my playbook looks like:

- hosts: all
  roles:
    - role: crowdstrike.falcon.falcon_install
      vars:
        falcon_client_id: "{{ falcon_client_id }}"
        falcon_client_secret: "{{ falcon_client_secret }}"
        falcon_cloud: "api.us-2.crowdstrike.com"

Install directory/documentation

In the defaults/main.yml file, the documentation shows:

# Where should the sensor file be downloaded to? By default
# this will be the homedir of the user the ansible playbook
# is running as.

Within tasks/preinstall.yml, we have this code, which is setting it to the /tmp/ directory:

- set_fact:
    falcon_install_tmp_dir: "/tmp/"
  when:
    - not falcon_install_tmp_dir
    - ansible_system == "Linux" or ansible_system == "Darwin"

Should that be updated to the user's directory?

- set_fact:
    falcon_install_tmp_dir: "{{ ansible_user_dir }}"

Thanks

v3.2.2 - Error on task "Gather tmp install directory objects (Windows)"

Getting the following error on the "Gather tmp install directory objects (Windows)" task:

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Gather tmp install directory objects (Windows)] *********************************************************************************
fatal: [hostname]: FAILED! => {"changed": false, "msg": "argument for paths is of type System.Collections.Hashtable and we were unable to convert to list: System.Collections.Hashtable cannot be converted to a list"}

Architecture key/value in API

Need an OS architecture key/value pair in the API for sensor file downloads. This is to handle cases where, for example, we have an rpm for both 64-bit and ARM for Amazon Linux. A recommendation key/value pair would be:

{
    architecture: "x86_64"
}

Or for ARM:

{
    architecture: "aarch64"
}

The current invocation makes it harder to query for architecture specific downloads.

Using the API method downloads the wrong sensor version on Centos 7

While using Centos 7 and the API default method, the role downloads the sensor for Centos 8. Thus the package has dependency issues with the host and falcon-sensor will not install.

Expected

falcon-sensor-6.14.0-11110.el7.x86_64

Issue

falcon-sensor-6.14.0-11110.el8.x86_64 is downloaded

TASK [falcon : CrowdStrike Falcon | Install Falcon Sensor .rpm Package (Linux) name={{ non_win_pkg }}, state=present] ***************************************************************************************************************************************************************************************************************************************************************************************************************************
fatal: [10.60.70.54]: FAILED! => {"changed": false, "changes": {"installed": ["/opt/data/falcon/falcon-sensor-6.14.0-11110.el8.x86_64.rpm"]}, "msg": "Error: Package: falcon-sensor-6.14.0-11110.el8.x86_64 (/falcon-sensor-6.14.0-11110.el8.x86_64)\n           Requires: openssl-libs >= 1:1.1\n           Installed: 1:openssl-libs-1.0.2k-19.el7.x86_64 (installed)\n               openssl-libs = 1:1.0.2k-19.el7\n           Available: 1:openssl-libs-1.0.2k-21.el7_9.i686 (updates)\n               openssl-libs = 1:1.0.2k-21.el7_9\n", "rc": 1, "results": ["Loaded plugins: fastestmirror\nExamining /opt/data/falcon/falcon-sensor-6.14.0-11110.el8.x86_64.rpm: falcon-sensor-6.14.0-11110.el8.x86_64\nMarking /opt/data/falcon/falcon-sensor-6.14.0-11110.el8.x86_64.rpm to be installed\nResolving Dependencies\n--> Running transaction check\n---> Package falcon-sensor.x86_64 0:6.14.0-11110.el8 will be installed\n--> Processing Dependency: openssl-libs >= 1:1.1 for package: falcon-sensor-6.14.0-11110.el8.x86_64\nDetermining fastest mirrors\n * base: mirror.vtti.vt.edu\n * extras: repos-va.psychz.net\n * updates: linux.cc.lehigh.edu\n--> Finished Dependency Resolution\n You could try using --skip-broken to work around the problem\n You could try running: rpm -Va --nofiles --nodigest\n"]}
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"


Error installing crowdstrike via token.

Using a very simple playbook:-

- hosts: testhost1
  roles:
    - role: crowdstrike.falcon.falcon_installation
      vars:
        falcon_api_client_id: my_oauth_token
        falcon_api_client_secret: my_oauth_id

It downloads and installs the client correctly, then fails with:-
fatal: [testhost1]: FAILED! => {"msg": "The conditional check 'falcon_cid' failed. The error was: Invalid conditional detected: invalid syntax (, line 1)\n\nThe error appears to be in '/home/ubuntu/.ansible/collections/ansible_collections/crowdstrike/falcon/roles/falcon_installation/tasks/install.yml': line 73, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: CrowdStrike Falcon | Associate Falcon Sensor with your Customer ID (CID)\n ^ here\n"}

If I set the falcon_cid variable, then it fails with a different error,
TASK [falcon_installation : CrowdStrike Falcon | Associate Falcon Sensor with your Customer ID (CID)] ***************************************************************************************
task path: /home/ubuntu/.ansible/collections/ansible_collections/crowdstrike/falcon/roles/falcon_installation/tasks/install.yml:73
[DEPRECATION WARNING]: evaluating 'falcon_cid' as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future. Also see CONDITIONAL_BARE_VAR
configuration toggle. This feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [infduoproxy1.tcore.com]: FAILED! => {"msg": "The conditional check 'falcon_cid' failed. The error was: template error while templating string: expected token 'end of statement block'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'. String: {% if xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xx %} True {% else %} False {% endif %}\n\nThe error appears to be in '/home/ubuntu/.ansible/collections/ansllections/crowdstrike/falcon/roles/falcon_installation/tasks/install.yml': line 73, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line to be:\n\n\n - name: CrowdStrike Falcon | Associate Falcon Sensor with your Customer ID (CID)\n ^ here\n"}

(replaced my cid with xxx).

Could the error be because my CID has a - in it?

Release v3.2.0 - Error on Task "Gather tmp install directory objects (Windows)"

Getting the following error on task "Gather tmp install directory objects (Windows)":

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Gather tmp install directory objects (Windows)] *********************************************************************************
[WARNING]: No python interpreters found for host hostname.mydomain.com (tried ['python3.10', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'python3.5', '/usr/bin/python3',
'/usr/libexec/platform-python', 'python2.7', 'python2.6', '/usr/bin/python', 'python'])
fatal: [hostname]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Exception calling "Create" with "1" argument(s): "At line:4 char:21\r\n+ def _ansiballz_main():\r\n+ ~\r\nAn expression was expected after '('.\r\nAt line:8 char:19\r\n+ os.getcwd()\r\n+ ~\r\nAn expression was expected after '('.\r\nAt line:20 char:27\r\n+ except (AttributeError, OSError):\r\n+ ~\r\nMissing argument in parameter list.\r\nAt line:22 char:29\r\n+ excludes = set(('', '.', scriptdir))\r\n+ ~\r\nMissing expression after ','.\r\nAt line:22 char:30\r\n+ excludes = set(('', '.', scriptdir))\r\n+ ~~~~~~~~~\r\nUnexpected token 'scriptdir' in expression or statement.\r\nAt line:22 char:29\r\n+ excludes = set(('', '.', scriptdir))\r\n+ ~\r\nMissing closing ')' in expression.\r\nAt line:22 char:39\r\n+ excludes = set(('', '.', scriptdir))\r\n+ ~\r\nUnexpected token ')' in expression or statement.\r\nAt line:22 char:40\r\n+ excludes = set(('', '.', scriptdir))\r\n+ ~\r\nUnexpected token ')' in expression or statement.\r\nAt line:29 char:7\r\n+ if sys.version_info < (3,):\r\n+ ~\r\nMissing '(' after 'if' in if statement.\r\nAt line:29 char:30\r\n+ if sys.version_info < (3,):\r\n+ ~\r\nMissing expression after ','.\r\nNot all parse errors were reported. Correct the reported errors and try again."\r\nAt line:10 char:1\r\n+ $exec_wrapper = [ScriptBlock]::Create($split_parts[0])\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : NotSpecified: (:) [], MethodInvocationException\r\n + FullyQualifiedErrorId : ParseException\r\n \r\nThe expression after '&' in a pipeline element produced an object that was not valid. 
It must result in a command \r\nname, a script block, or a CommandInfo object.\r\nAt line:11 char:2\r\n+ &$exec_wrapper\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : InvalidOperation: (:) [], RuntimeException\r\n + FullyQualifiedErrorId : BadExpression\r\n ", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

failing list object has no element on windows install

TASK [crowdstrike.falcon.falcon_installation : CrowdStrike Falcon | Download Falcon Sensor Installation Package] ************************************************
fatal: [10.60.98.62]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: list object has no element 0\n\nThe error appears to be in '.ansible/collections/ansible_collections/crowdstrike/falcon/roles/falcon_installation/tasks/win_api.yml': line 76, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: CrowdStrike Falcon | Download Falcon Sensor Installation Package\n ^ here\n"}

I'm running this

- hosts: all
  roles:
    - role: crowdstrike.falcon.falcon_installation
      vars:
        falcon_client_id: ""
        falcon_client_secret: "*"
        falcon_cloud: "api.us-2.crowdstrike.com"

Windows install error

Linux installations work fine, but getting the following error during Windows installations:

TASK [crowdstrike.falcon.falcon_installation : CrowdStrike Falcon | Download Falcon Sensor Installation Package] ***********************************************************************************************************
fatal: [hostname.MYDOMAIN.COM]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: list object has no element 0\n\nThe error appears to be in '/root/.ansible/collections/ansible_collections/crowdstrike/falcon/roles/falcon_installation/tasks/win_api.yml': line 73, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: CrowdStrike Falcon | Download Falcon Sensor Installation Package\n ^ here\n"}

I'm running Ansible version 2.12.1.

Suggest repo rename

Rather than having a single repo per role, I think it makes sense to update this repo name to ansible_collection_crowdstrike at a minimum... maybe to ansible_collection_crowdstrike_falcon at most if we are only going to do falcon ansible roles.

Installation failed on Debian 11

With the api mode, I have the following message:
TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Validate Sensor version is compatible with Kernel] **************
fatal: [server_name]: FAILED! => { "assertion": "falcon_sensor_version in falcon_base_package_supported_sensor_versions", "changed": false, "evaluated_to": false, "msg": "The sensor version: 6.32.12905 is not supported with kernel: 5.10.0-11-amd64" }

The origin of the problem is in file falcon_install/tasks/preinstall.yml line 57

the filter not compatible:
falcon_os_version: "9/10"

the filter compatible:
falcon_os_version: "9/10/11"

Why not use this that works with the filter?
falcon_os_version: "*{{ ansible_distribution_major_version }}*"

Thanks

Getting below error while installing CS on Linux and Windows hosts

TASK [crowdstrike.falcon.falcon_installation : CrowdStrike Falcon | Authenticate to CrowdStrike API] *******************************************************************************************************
fatal: [104.43.209.70]: FAILED! => {"changed": false, "connection": "close", "content": "", "content_length": "0", "date": "Sun, 02 Jan 2022 22:56:42 GMT", "elapsed": 0, "location": "https://api.us-2.crowdstrike.com/oauth2/token", "msg": "Status code was 308 and not [201]: HTTP Error 308: Permanent Redirect", "redirected": false, "status": 308, "strict_transport_security": "max-age=31536000; includeSubDomains", "url": "https://api.crowdstrike.com/oauth2/token", "x_cs_region": "us-2", "x_cs_traceid": "b4562a45-4f1c-41a1-801e-14195134444a", "x_ratelimit_limit": "300", "x_ratelimit_remaining": "299"}

TASK [crowdstrike.falcon.falcon_installation : include_tasks] **********************************************************************************************************************************************
included: /home/azureuser/.ansible/collections/ansible_collections/crowdstrike/falcon/roles/falcon_installation/tasks/win_api.yml for 40.83.56.243

TASK [crowdstrike.falcon.falcon_installation : CrowdStrike Falcon | Authenticate to CrowdStrike API] *******************************************************************************************************
fatal: [40.83.56.243]: FAILED! => {"changed": false, "character_set": null, "content": "", "content_encoding": "", "content_length": "0", "content_type": "", "cookies": [], "date": "Sun, 02 Jan 2022 22:56:45 GMT", "elapsed": 0, "headers": ["Strict-Transport-Security", "X-Cs-Region", "X-Cs-Traceid", "X-Ratelimit-Limit", "X-Ratelimit-Remaining", "Content-Length", "Date", "Location"], "is_from_cache": false, "is_mutually_authenticated": false, "last_modified": "2022-01-02T22:56:45.7712702+00:00", "location": "https://api.us-2.crowdstrike.com/oauth2/token", "method": "POST", "msg": "Status code of request '308' is not in list of valid status codes 201 : 308'.", "protocol_version": {"Build": -1, "Major": 1, "MajorRevision": -1, "Minor": 1, "MinorRevision": -1, "Revision": -1}, "response_uri": "https://api.crowdstrike.com/oauth2/token", "server": "", "status_code": 308, "status_description": "Permanent Redirect", "strict_transport_security": "max-age=31536000; includeSubDomains", "supports_headers": true, "url": "https://api.crowdstrike.com/oauth2/token", "x_cs_region": "us-2", "x_cs_traceid": "790838bc-720b-43a2-a0ae-996d11e6729a", "x_ratelimit_limit": "300", "x_ratelimit_remaining": "299"}

Add new sensor-update-kernels API call for enhancements

The new API gives us the ability to now query to see if the kernel version is supported, as well as if the sensor version that is being installed is supported via the kernel version. We can add this on to verify/assert the installation will not cause RFM due to unsupported kernel/sensor combo.

api.

fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'unicode object' has no attribute 'sha256'\n\nThe error appears to be in '/root/.ansible/collections/ansible_collections/crowdstrike/falcon/roles/falcon_installation/tasks/api.yml': line 48, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: CrowdStrike Falcon | Download Latest Sensor Installation Package\n ^ here\n"}

*** Please add " | list " into api.yaml line 36
Current
falcon_api_sha_hash: "{{ falcon_api_installer_list.json.resources | selectattr('os_version', 'equalto', ansible_distribution_major_version ) }}"

Modified
falcon_api_sha_hash: "{{ falcon_api_installer_list.json.resources | selectattr('os_version', 'equalto', ansible_distribution_major_version ) | list }}"

Evaluation of falconctl location is done on ansible controller

The method self.module.get_bin_path used in the plugins falcon and falcon_info is evaluated on the ansible controller and not on the client host, thus it will fail when falcon isn't installed on the controller.

self.falconctl = self.module.get_bin_path(

This could easily happen when containerised controller nodes are used like in CI/CD Pipelines in Drone
Tested with drone:2 and ansible:2.11 container.

falcon_provisioning_token is always defined

Hello,
PR #15 introduced the falcon_provisioning_token parameter in the defaults,

which makes the condition falcon_provisioning_token is not defined to be always false, because variables in the defaults seem to be always defined.

This introduces the problem that step CrowdStrike Falcon | Associate Falcon Sensor with your Customer ID (CID) is never executed while CrowdStrike Falcon | Associated Falcon Sensor with your Customer ID (CID) Using Provisioning Token is running all the time.

To debug I added the following steps before the CrowdStrike Falcon | Associate Falcon Sensor with your Customer ID (CID) step:

- debug:
    var: falcon_provisioning_token

- debug:
    msg: "{{ falcon_provisioning_token is not defined }}"

This is the result:

TASK [falcon_installation : CrowdStrike Falcon | Verify Falcon Package Is Installed] ****************************************************************************************************************
ok: [127.0.0.1]

TASK [falcon_installation : debug] ******************************************************************************************************************************************************************
ok: [127.0.0.1] => {
    "falcon_provisioning_token": null
}

TASK [falcon_installation : debug] ******************************************************************************************************************************************************************
ok: [127.0.0.1] => {
    "msg": false
}

TASK [falcon_installation : CrowdStrike Falcon | Associate Falcon Sensor with your Customer ID (CID)] ***********************************************************************************************
skipping: [127.0.0.1]

TASK [falcon_installation : CrowdStrike Falcon | Associated Falcon Sensor with your Customer ID (CID) Using Provisioning Token] *********************************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": true, "cmd": ["/opt/CrowdStrike/falconctl", "-s", "-f", "--cid=blablablabla, "--provisioning-token="]

However, if I remove the falcon_provisioning_token from defaults - everything works as expected:

TASK [falcon_installation : debug] ******************************************************************************************************************************************************************
ok: [127.0.0.1] => {
    "falcon_provisioning_token": "VARIABLE IS NOT DEFINED!"
}

TASK [falcon_installation : debug] ******************************************************************************************************************************************************************
ok: [127.0.0.1] => {
    "msg": true
}

TASK [falcon_installation : CrowdStrike Falcon | Associate Falcon Sensor with your Customer ID (CID)] ***********************************************************************************************
changed: [127.0.0.1]

So two possible solutions here:

  1. Remove the definition of falcon_provisioning_token from defaults
  2. Change the condition to not falcon_provisioning_token instead of falcon_provisioning_token is not defined

win uninstall doesn't find the executable

When trying to uninstall on a Windows machine, the role couldn't find the executable to pass the arguments; the file is now named "WindowsSensor.MaverickGyr.x64.exe", not "WindowsSensor.exe" anymore.

What I did to fix it was search for a regex pattern, which in that case works just fine.

Thanks

- name: CrowdStrike Falcon | Find Windows installer in Package Cache
  ansible.windows.win_find:
    paths: C:\ProgramData\Package Cache
    patterns: ^(WindowsSensor.*\.)(exe)$
    recurse: yes
    use_regex: yes
  register: falcon_win_sensor_cache

GPG Key file download

Need to be able to download and install the gpg key from the api. Some Linux OSes default to having gpgcheck on.

Conditionals are failing (CONDITIONAL_BARE_VARS)

Control Node: Ansible 2.9.9
Endpoint: Ubuntu 16,18,20

When running the role, I got the following error:

TASK [falcon_installation : CrowdStrike Falcon | Verify Temporary Install Directory Exists] ********************************************************************************
task path: /Users/nate/Projects/falcon/roles/falcon_installation/tasks/preinstall.yml:64
[DEPRECATION WARNING]: evaluating 'falcon_install_tmp_dir' as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future.
 Also see CONDITIONAL_BARE_VARS configuration toggle. This feature will be removed in version 2.12. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
fatal: [test.local]: FAILED! => {
    "msg": "The conditional check 'falcon_install_tmp_dir' failed. The error was: template error while templating string: unexpected '/'. String: {% if /tmp/ %} True {% else %} False {% endif %}\n\nThe error appears to be in '/Users/nate/Projects/falcon/roles/falcon_installation/tasks/preinstall.yml': line 64, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: CrowdStrike Falcon | Verify Temporary Install Directory Exists\n  ^ here\n"
}

At the warning's suggestion, I added when: falcon_install_tmp_dir| bool to continue, but this actually evaluates to False, which causes problems on other variables that are evaluated "bare" as well.

TASK [falcon_installation : CrowdStrike Falcon | Verify Temporary Install Directory Exists] ********************************************************************************
task path: /Users/nate/Projects/falcon/roles/falcon_installation/tasks/preinstall.yml:64
skipping: [test.local] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
}

Later on, in tasks/install.yml, we get the same issue with the falcon_provisioning_token and falcon_cid variables. Since | bool is evaluating to false, it totally botches up the linking of that agent.

TASK [falcon_installation : CrowdStrike Falcon | Associated Falcon Sensor with your Customer ID (CID) Using Provisioning Token] *************
[DEPRECATION WARNING]: evaluating 'falcon_provisioning_token' as a bare variable
fatal: [test.local]: FAILED! => {
    "msg": "The conditional check 'falcon_provisioning_token' failed. The error was: template error while templating string: expected token 'end of statement block', got 'XXXXXX'. String: {% if 88XXXXXX %} True {% else %} False {% endif %}..<snip>
}

Same issue with the falcon_cid variable

[DEPRECATION WARNING]: evaluating 'falcon_cid' as a bare variable
...
fatal: [test.local]: FAILED! => {
    "msg": "The conditional check 'falcon_cid' failed. The error was: template error while templating string: expected token 'end of statement block'...<snip>

The solution I've found to have worked is to use is defined on those conditionals when starting/linking the agent. My agents are installing and linking up fine, now.

I made some changes to the files in question and will submit a PR.
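The conditional behaviour described in this report and in "falcon_provisioning_token is always defined" can be replayed with plain Jinja2. This is an added example, not part of either report or of the collection's code; it assumes Jinja2 (an Ansible dependency) is installed, and `bare_variable_conditional`, `evaluate`, `ansible_bool`, `compare_conditionals` and the variable name `token` are hypothetical names, with `ansible_bool` a re-implementation of the `| bool` filter's behaviour as the report describes it.

```python
"""Added example: replay the conditional forms from the two reports with Jinja2."""
from jinja2 import Environment, TemplateSyntaxError

ENV = Environment()


def bare_variable_conditional(value):
    """Build the string quoted in the error messages: with bare-variable
    evaluation, the variable's *value* is spliced into the if-expression."""
    source = "{% if " + str(value) + " %} True {% else %} False {% endif %}"
    try:
        return ENV.from_string(source).render().strip()
    except TemplateSyntaxError as exc:
        return "template error: " + exc.message


def evaluate(expression, **variables):
    """Evaluate a `when:`-style expression against the given variables."""
    return ENV.compile_expression(expression)(**variables)


def ansible_bool(value):
    """Assumed re-implementation of `| bool`: only a few truthy spellings
    map to True, so a path, token or CID string becomes False."""
    if value is None or isinstance(value, bool):
        return value
    if isinstance(value, str):
        value = value.lower()
    return value in ("yes", "on", "1", "true", 1)


def compare_conditionals(states):
    """Return, per variable state, what each conditional form evaluates to."""
    rows = {}
    for label, variables in states.items():
        rows[label] = {
            "is not defined": evaluate("token is not defined", **variables),
            "not token": evaluate("not token", **variables),
            "| bool": ansible_bool(variables.get("token")),
        }
    return rows


# Constructed states; "88XXXXXX" is the redacted value shown in the report.
STATES = {
    "absent from defaults": {},
    "defaults entry left empty (null)": {"token": None},
    "empty string": {"token": ""},
    "real value": {"token": "88XXXXXX"},
}

if __name__ == "__main__":
    for sample in ("/tmp/", "88XXXXXX"):
        print(repr(sample), "->", bare_variable_conditional(sample))
    for label, row in compare_conditionals(STATES).items():
        print(label, row)
```

A null entry in defaults counts as defined, so only the value-based form (`not token`) separates "no token supplied" from "token supplied" in all four states.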

Http Error 400: Bad Request: invalid header

Hi shawndwell,

Need some help. I am trying to download the falcon sensor using the api, but I am getting this error with the get_url module with headers.
I tried several options to add accept but nothing is working for me.

fatal: [localhost]: FAILED! => {"changed": false, "dest": "/tmp/falcon/", "gid": 0, "group": "root", "mode": "0755", "msg": "Request failed", "owner": "root", "response": "HTTP Error 400: Bad Request: invalid header name", "size": 6, "state": "directory", "status_code": 400, "uid": 0, "url": "https://api.crowdstrike.com/sensors/entities/download-installer/v1?id="}

Could you please help me out

Amazon Linux 2 support

I ran a playbook on a not-so-old Amazon Linux 2 AMI and got this. Nonetheless, I can confirm that I have a running falcon agent with manual installation.

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Validate Kernel is Supported] ************************************************************************************************
fatal: [localhost]: FAILED! => {
"assertion": "falcon_sensor_update_kernels_list.json.resources",
"changed": false,
"evaluated_to": false,
"msg": "The kernel version: 5.10.82-83.359.amzn2.x86_64 is not supported by the Falcon Sensor!"
}

PLAY RECAP **********************************************************************************************************************************************************************************

python interpreter changed to python2 for amazon-linux2

Hey,

I am installing falcon on an amazon-linux2 machine which does not have python2 installed on it.
The installation completes successfully but the rest of my playbook fails because of a change in the python interpreter in

- name: "CrowdStrike Falcon | Configure Python Interpreter for older Linux OSes"

The when statement should take into consideration both ansible_distribution and ansible_distribution_major_version as amazon-linux2 does not need to use python2.

getting error when installing using on windows

"fatal: [...]: FAILED! => {"changed": false, "character_set": null, "content": "", "content_encoding": "", "content_length": "0", "content_type": "", "cookies": [], "date": "Thu, 09 Dec 2021 15:52:02 GMT", "elapsed": 0, "headers": ["Strict-Transport-Security", "X-Cs-Region", "X-Cs-Traceid", "X-Ratelimit-Limit", "X-Ratelimit-Remaining", "Content-Length", "Date", "Location"], "is_from_cache": false, "is_mutually_authenticated": false, "last_modified": "2021-12-09T15:52:02.9575943+00:00", "location": "https://api.us-2.crowdstrike.com/oauth2/token", "method": "POST", "msg": "Status code of request '308' is not in list of valid status codes 201 : 308'.", "protocol_version": {"Build": -1, "Major": 1, "MajorRevision": -1, "Minor": 1, "MinorRevision": -1, "Revision": -1}, "response_uri": "https://api.crowdstrike.com/oauth2/token", "server": "", "status_code": 308, "status_description": "Permanent Redirect", "strict_transport_security": "max-age=31536000; includeSubDomains", "supports_headers": true, "url": "https://api.crowdstrike.com/oauth2/token", "x_cs_region": "us-2", "x_cs_traceid": "******************", "x_ratelimit_limit": "300", "x_ratelimit_remaining": "299""
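The 308 and 400 results quoted in the authentication reports on this page can be triaged offline before retrying. This is an added example, not part of any report or of the collection's code; it assumes every API host belongs under `crowdstrike.com` (true of the hosts quoted here), the sample dictionaries are constructed from the shapes shown above, and `diagnose` is a hypothetical helper. It returns the host to set as `falcon_cloud` only when the redirect target is HTTPS, on the trusted domain and on the same path, so client credentials are not re-sent to an unvetted location.

```python
"""Added example: triage a failed "Authenticate to CrowdStrike API" result."""
from urllib.parse import urlsplit

# Assumption: all API hosts quoted on this page sit under this domain.
TRUSTED_DOMAIN = "crowdstrike.com"
REDIRECT_CODES = {301, 302, 307, 308}

# Constructed samples, trimmed from the result shapes quoted in the reports.
LINUX_URI_RESULT = {
    "status": 308,
    "url": "https://api.crowdstrike.com/oauth2/token",
    "location": "https://api.us-2.crowdstrike.com/oauth2/token",
    "x_cs_region": "us-2",
}
WIN_URI_RESULT = {
    "status_code": 308,
    "response_uri": "https://api.crowdstrike.com/oauth2/token",
    "location": "https://api.us-2.crowdstrike.com/oauth2/token",
    "x_cs_region": "us-2",
}
BAD_REQUEST_RESULT = {
    "status": 400,
    "url": "https://api.laggar.gcw.crowdstrike.com/oauth2/token",
    "json": {"errors": [{"code": 400,
                         "message": "Failed to generate access token for clientID=cid."}]},
}
OFF_DOMAIN_RESULT = {  # constructed negative case, not taken from the page
    "status": 308,
    "url": "https://api.crowdstrike.com/oauth2/token",
    "location": "http://api.example.net/oauth2/token",
}


def _trusted(host):
    """True when host is the trusted domain or one of its subdomains."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def diagnose(result):
    """Classify a failed token request from a uri or win_uri task result."""
    status = result.get("status", result.get("status_code"))
    requested = urlsplit(result.get("url") or result.get("response_uri") or "")
    if status in REDIRECT_CODES:
        target = urlsplit(result.get("location") or "")
        problems = []
        if target.scheme != "https":
            problems.append("redirect target is not https")
        if not _trusted(target.hostname or ""):
            problems.append("redirect target is outside " + TRUSTED_DOMAIN)
        if target.path != requested.path:
            problems.append("redirect changes the request path")
        if problems:
            return {"kind": "untrusted_redirect", "falcon_cloud": None,
                    "detail": problems}
        return {"kind": "wrong_region", "falcon_cloud": target.hostname,
                "detail": ["region header: %s" % result.get("x_cs_region")]}
    if status == 400:
        errors = (result.get("json") or {}).get("errors") or []
        return {"kind": "token_request_rejected", "falcon_cloud": None,
                "detail": [e.get("message") for e in errors]}
    return {"kind": "unclassified", "falcon_cloud": None,
            "detail": ["status %s" % status]}


if __name__ == "__main__":
    for sample in (LINUX_URI_RESULT, WIN_URI_RESULT,
                   BAD_REQUEST_RESULT, OFF_DOMAIN_RESULT):
        print(diagnose(sample))
```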

Windows error with become when uninstalling

Firstly, great collection this is absolutely the best way to deploy falcon (via ansible collection)

Having an issue with windows when using:

    - role: crowdstrike.falcon.falcon
      vars:
        falcon_uninstall: true

TASK [crowdstrike.falcon.falcon : CrowdStrike Falcon | Stopping Falcon Service] ***
Sunday 31 January 2021 22:04:21 +0000 (0:00:01.051) 0:03:37.052 ********
fatal: [i-********************]: FAILED! => {"msg": "The powershell shell family is incompatible with the sudo become plugin"}

I think a guard is needed to only use become when system is 'Linux':
when: ansible_system == 'Linux'

There seem to be a number of glitches in the role, have you considered setting up molecule testing?
https://molecule.readthedocs.io/en/latest/

Get list of Supported Kernels failed with 403 Authorization failed

Using the latest crowdstrike.falcon collection version 3.2.7

upon executing Get list of Supported Kernels which translates to this call:

https://api.crowdstrike.com/policy/combined/sensor-update-kernels/v1?filter=vendor%3A%22redhat%22%2Brelease%3A%224.18.0-240.10.1.el8_3.x86_64%22

throws 403

{
  "meta": {
    "query_time": 9.4e-8,
    "powered_by": "crowdstrike-api-gateway",
    "trace_id": "0c39bdc5-8e52-4d8a-9c6c-4b8854e8a8aa"
  },
  "errors": [
    {
      "code": 403,
      "message": "access denied, authorization failed"
    }
  ]
}

Tested with the swagger page to replicate the error and my OAuth2 token works with other API calls.

Windows Install Error

Hello, Falcon sensor install works just fine on Linux, but did require the ansible.windows collection along with it.

Running the example playbook against a Windows Server 2019 machine returns the following error.

TASK [crowdstrike.falcon.falcon_installation : ansible.builtin.include_tasks] ***17:22:28
included: /runner/requirements_collections/ansible_collections/crowdstrike/falcon/roles/falcon_installation/tasks/win_api.yml for Win2019Test

TASK [crowdstrike.falcon.falcon_installation : CrowdStrike Falcon | Authenticate to CrowdStrike API] ***17:22:28

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at , : line 50

fatal: [Win2019Test]: FAILED! => {"changed": false, "msg": "Unhandled exception while executing module: The term 'Get-AnsibleWindowsWebRequestSpec' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."}
