Protect ProxMox & TrueNAS Scale w/ CrowdStrike

Protect ProxMox & TrueNAS Scale w/ CrowdStrike
Photo by Towfiqu barbhuiya / Unsplash

In the state of Oregon, education institutions with PACE insurance (and many others) are beginning to require not just antivirus, but antivirus with Endpoint Detection and Response (EDR). We chose to go with Crowdstrike, which, despite having the world's cringiest product names, actually provides a cheap, well-functioning base product in their Falcon antivirus. It also comes with an agent for nearly every OS you'd want it on, and the agent runs flawlessly on Proxmox (the excellent open-source hypervisor) and TrueNAS Scale (the excellent open-source NAS OS). Since both are based on Debian (the excellent stable linux distro), the install process for both is nearly identical. Since TrueNAS is pseudo-immutable (You can't install packages by default, and the rootfs is overwritten after updates) there are a few additional hoops there, but I will highlight them, don't worry!

Once you have an account, the agents can be downloaded via the Hamburger menu in the top left > Host setup and management > Sensor Downloads
At the top of the page, copy your Customer ID. You will need it for the install later.
There are separate downloads for Ubuntu and Debian based distros. Though they are both .deb files (and in all honesty they will both likely work on most platforms) for Truenas Scale & Proxmox, you're going to want the Debian version.

As I've said, despite being based on Debian, TrueNAS is a pseudo-immutable system. It isn't technically designed for you to be able to install whatever packages you want. Out of the box, running apt-get will get you an error, but there is a command to enable modifications. Go ahead and run this first:

sudo /usr/local/libexec/disable-rootfs-protection

For the rest of this guide, I am going to assume you are running as the root user. To change to root, run the following:

sudo su

You now need to get that file over to your TrueNAS/ProxMox host. The easiest way to do that, especially on headless machines, is probably SCP. SCP uses SSH to transfer files securely. I didn't have to install it manually on any of our debian machines, but if need be it's as simple as:

apt update && sudo apt install scp

Open a terminal and use scp like so:

scp /[Path-To]/falcon-sensor.deb [username]@[Server-IP]:/[Destination-Path]

Which might look something like

scp /home/user/Download/falcon-sensor.deb root@10.0.10.10:/root/

Assuming SSH is set up correctly you'll be asked for a password, then your file will be dropped in /root/falcon-sensor.deb

Now pop over to the server you transferred the file to, and run the following:

First, update your package repositories:

apt update

Now install the random dependency before it screams at you:

apt install libnl-genl-3-200

Now install the actual Sensor itself:

dpkg -i /[Path-To]/falcon-sensor.deb

Now configure the Falcon Sensor to attach to your account:

/opt/CrowdStrike/falconctl -s --cid=YOUR-CUSTOMER-ID-GOES-HERE

Now enable and start the service:

systemctl start falcon-sensor
systemctl enable falcon-sensor

Done! Now head back to the Host Management section of the Crowdstrike Dashboard, and after a few minutes you should see Debian appear under the list of OS to filter by:

Our hosts, present, and pulling default policy.

By default there are no firewall rules, as we can manage those with Proxmox's fabulous built-in firewall, but the Antivirus is set pretty aggressively.

I may dig in to optimal settings for Proxmox in another post, but for now you can tweak the policies to your hearts content! Just try not to break anything.

Additional notes on TrueNAS:

Having the Crowdstrike falcon-sensor service running prevented me from successfully upgrading TrueNAS Scale. It's a simple command to shut it off, after which you can upgrade, reboot, and it will happily start itself up again.

systemctl stop falcon-sensor

After the update, you'll need to run the command to disable rootfs protection again,

sudo /usr/local/libexec/disable-rootfs-protection    

and you'll need to reinstall Crowdstrike. Luckily you'll (probably) still have the .deb file wherever you transferred it to, so you can run the command to reinstall relatively easily.

    dpkg -i /[Path-To]/falcon-sensor.deb
    /opt/CrowdStrike/falconctl -s --cid=YOUR-CUSTOMER-ID-GOES-HERE
    systemctl start falcon-sensor
    systemctl enable falcon-sensor