[OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

Benjamin Kaduk kaduk@mit.edu
Sun, 7 Mar 2021 13:34:45 -0800


On Fri, Mar 05, 2021 at 09:07:43AM -0500, Jonathan Billings wrote:
> Hello,
> 
> Our university uses the Crowdstrike endpoint security tool, and we use
> OpenAFS for both our users' home directories as well as serving software to
> our students, faculty and researchers.  Is anyone else using Crowdstrike
> and OpenAFS on Linux (specifically, RHEL7)?
> 
> I've discovered that the Crowdstrike service (falcon-sensor) installs a
> Linux security module which seems to interact with the OpenAFS kernel
> module in a bad way, causing the kernel to panic and reboot.  After
> installing the kdump service, I'm able to capture a kernel dump and
> backtrace, and it is definitely something to do with how OpenAFS and the
> falcon lsm interact.  I wasn't able to trigger it with just command-line
> ssh but a graphical login seems to be a reliable trigger.  Specifically, it
> seems to be in the cache handling when it panics.
> 
> Has anyone else experienced this?

I don't use Crowdstrike so haven't seen it, but can you post the backtrace?

Thanks,

Ben