[OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

Jonathan Proulx jon@csail.mit.edu
Mon, 8 Mar 2021 10:33:22 -0500


On Mon, Mar 08, 2021 at 10:06:44AM -0500, Ken Hornstein wrote:
:>We at MIT CSAIL stopped using Crowdstrike partly because they refused
:>to fix this despite us providing a patch to falcon-sensor (which is
:>just a tarred pile of shell scripts).
:>
:>They need to exclude /afs from their scans; there are several ways to do
:>this (they use "find" internally).
:>
:>We found them unhelpful, and very good at talking to management types
:>and very bad at anything actually technical.
:
:For what it's worth ... we ran into this EXACT issue not with Crowdstrike,
:but with some other similar product (which I want to say was McAfee something
:or other, maybe).  The situation was even more comical, because, AGAIN,
:all they had to do was exclude /afs, but ...

The find line in the Crowdstrike "tool" already has multiple excludes
for other filesystem types, by the way.

Obviously I can't distribute the "patch", which was one extra flag to
an existing find line, if I recall.

If you have the Falcon sensor it's not hard to unpack and sort out.
When we were using it (spring 2019) it wasn't signed in any
meaningful way (maybe a SHA sum to replace, but not crypto, I forget),
so it would happily run modified code as root.  This was another
reason we rejected it, but if you're in a position where you don't
have that control and do have the licensing to get the tool, it's easily
hackable.

But none of that is good.

-Jon
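The fix Jon describes above is a single extra exclusion on an existing find(1) line. The following is an added example, not code from this thread, from Jon's patch, or from the falcon-sensor package (none of which appears on this page). It shows the general -prune idiom for keeping a find-based scan out of a mount point, using a constructed temporary tree in which a plain directory named "afs" stands in for the AFS mount (a real AFS mount is not assumed to be present). The function names setup_tree, scan_all and scan_excluding_afs are this example's own.

```shell
#!/bin/sh
# Added example: excluding /afs from a find(1)-based scan with -prune.
# Not falcon-sensor's code and not the patch discussed in the thread.

# Build a constructed sample tree: two local files plus one file under
# an "afs" directory that stands in for the AFS mount point.
setup_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/user" "$root/etc" "$root/afs/cell/user"
    : > "$root/home/user/notes.txt"
    : > "$root/etc/config"
    : > "$root/afs/cell/user/remote.txt"
    echo "$root"
}

# Naive scan: descends into everything, including the AFS tree.
# Prints the number of regular files found.
scan_all() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Scan with the AFS mount point pruned.  "-path X -prune" stops find from
# descending into X; the "-o" branch is evaluated only for paths that were
# not pruned, so only files outside the AFS tree reach -print.
scan_excluding_afs() {
    find "$1" -path "$1/afs" -prune -o -type f -print | wc -l | tr -d ' '
}

# Stand-alone demonstration: build the tree, compare the two scans, clean up.
root=$(setup_tree)
echo "files found without exclusion: $(scan_all "$root")"
echo "files found with /afs pruned:  $(scan_excluding_afs "$root")"
rm -rf "$root"
```

On a real host the exclusion is usually expressed by filesystem type rather than by path, for example `-fstype afs -prune` (a GNU and BSD find extension) or `-xdev` to stay on the starting filesystem; the constructed tree above cannot exercise those, so the example uses `-path`, which has the same prune semantics.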