[OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

Jonathan Billings jsbillin@umich.edu
Fri, 5 Mar 2021 09:07:43 -0500



Hello,

Our university uses the Crowdstrike endpoint security tool, and we use
OpenAFS for both our users' home directories as well as serving software to
our students, faculty and researchers.  Is anyone else using Crowdstrike
and OpenAFS on Linux (specifically, RHEL7)?

I've discovered that the Crowdstrike service (falcon-sensor) installs a
Linux security module which seems to interact with the OpenAFS kernel
module in a bad way, causing the kernel to panic and reboot.  After
installing the kdump service, I'm able to capture a kernel dump and
backtrace, and it is definitely something to do with how OpenAFS and the
falcon LSM interact.  I wasn't able to trigger it with just command-line
ssh but a graphical login seems to be a reliable trigger.  Specifically, it
seems to be in the cache handling when it panics.

Has anyone else experienced this?

-- 
Jonathan Billings <jsbillin@umich.edu> (he/his)
College of Engineering - CAEN - Linux Support
