[OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

Jonathan D. Proulx jon@csail.mit.edu
Mon, 8 Mar 2021 09:56:02 -0500


We at MIT CSAIL stopped using Crowdstrike partly because they refused
to fix this despite us providing a patch to falcon-sensor (which is
just a tarred pile of shell scripts).

They need to exclude /afs from their scans; there are several ways to do
this (they use "find" internally).

We found them unhelpful and very good at talking to management types
and very bad at anything actually technical.

I can't say enough against them... they'll probably call our Office of
General Counsel on me for saying anything against them; they've done
that before (and put more effort into "unmasking" the pseudonymous jr
admin's reddit user account than the actual security issues we were
paying them to look at).

-Jon

---

Jonathan Proulx
Sr. Technical Architect
MIT CSAIL


On Fri, Mar 05, 2021 at 09:07:43AM -0500, Jonathan Billings wrote:
:Hello,
:
:Our university uses the Crowdstrike endpoint security tool, and we use
:OpenAFS for both our users' home directories as well as serving software to
:our students, faculty and researchers.  Is anyone else using Crowdstrike
:and OpenAFS on Linux (specifically, RHEL7)?
:
:I've discovered that the Crowdstrike service (falcon-sensor) installs a
:Linux security module which seems to interact with the OpenAFS kernel
:module in a bad way, causing the kernel to panic and reboot.  After
:installing the kdump service, I'm able to capture a kernel dump and
:backtrace, and it is definitely something to do with how OpenAFS and the
:falcon LSM interact.  I wasn't able to trigger it with just command-line
:ssh, but a graphical login seems to be a reliable trigger.  Specifically, it
:seems to be in the cache handling when it panics.
:
:Has anyone else experienced this?
:
:-- 
:Jonathan Billings <jsbillin@umich.edu> (he/his)
:College of Engineering - CAEN - Linux Support

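The message above says the fix is to keep the sensor's find-based scan out of /afs. As an added illustration of that technique (example code written for this page, not a patch to falcon-sensor or anything from the OpenAFS project), the script below shows the two standard ways to keep a `find` walk off a distributed filesystem mount: pruning the mount point by path, and refusing to cross filesystem boundaries with `-xdev`. The directory layout it builds is a constructed stand-in for / and /afs; the function names and the `/afs/athena.mit.edu` path are assumptions for the demonstration only.

```shell
#!/bin/sh
# Added example, not code from the mailing list or from CrowdStrike:
# keep a find-based file walk out of a network filesystem such as /afs.

# scan_excluding ROOT EXCLUDED_DIR
# Prints every regular file under ROOT without ever descending into
# EXCLUDED_DIR. The -prune action matters: a plain "! -path" filter would
# still traverse the excluded tree and merely drop its entries from the
# output, and for /afs that traversal walks a global distributed filesystem
# through the client's cache manager.
scan_excluding() {
    root="$1"
    excluded="$2"
    find "$root" -path "$excluded" -prune -o -type f -print
}

# scan_local_only ROOT
# Alternative that stays on the filesystem ROOT lives on (-xdev), so every
# separately mounted filesystem (/afs, NFS homes, removable media) is
# skipped without naming each mount point individually.
scan_local_only() {
    find "$1" -xdev -type f
}

# demo_tree: build a constructed directory tree standing in for a host with
# an /afs mount, and print its root so callers can scan and clean it up.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/afs/athena.mit.edu"   # assumed cell name, demo only
    : > "$d/etc/hosts"
    : > "$d/afs/athena.mit.edu/remote-file"
    printf '%s\n' "$d"
}

# count_scanned ROOT: number of files a pruned scan of ROOT reports.
count_scanned() {
    scan_excluding "$1" "$1/afs" | wc -l | tr -d ' '
}

# Stand-alone usage: build the tree, scan it, show what was visited.
if [ "${1:-}" = "demo" ]; then
    root=$(demo_tree)
    echo "Files visited with $root/afs pruned:"
    scan_excluding "$root" "$root/afs"
    rm -rf "$root"
fi
```

In the constructed tree only `etc/hosts` is reported; the file under `afs/` is never visited because `-prune` stops the walk at the mount point itself, which is the behaviour a scanner needs on an AFS client.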