Skull giver

skullgiver@popplesburger.hilciferous.nl
2 posts • 1.3K comments

Giver of skulls

rsyslog and many other frameworks only work for programs that also output to rsyslog. For programs that do log to rsyslog, structured logging support is rarely available. There’s a reason tools like LogBeat exist; rsyslog is but one log aggregation tool.

SELinux is easy for trivial setups, but its tooling is clunky (and who the hell uses a binary format to store permissions anyway?). I much prefer AppArmor myself.

I don’t think CrowdStrike’s target audience is Linux shops. I get the feeling they have Linux support because some of their customers asked about it, and maybe it’ll work on some loosely configured end user systems, but enterprise Linux doesn’t seem to be their focus.

What do you use for live threat protection on Linux? If there’s a way to avoid these closed source trash fires I’ll gladly take it, but the best I’ve come across has been ClamAV and that’s not that great.

They are, but many of them don’t provide the same abilities or functionality that the kernel level interfaces did. For example, their network filtering/firewall API had (has?) a design flaw that allowed Apple’s software to bypass any attempts to block traffic.

Windows does the same, and Linux is slowly moving towards running more stuff in user space as well, but there’s no way to run something like CrowdStrike without low level access, at least not without crippling its capabilities.

How so? System Restore already automatically reverts the OS to a previous state after blue screens during boot since at least Windows 8, and you could do it manually since at least Windows Vista.

The problem isn’t working around the problem (just rename or delete a single .sys file), it’s that this happened almost exclusively to massive companies with hundreds or thousands of computers. The fix itself takes maybe a minute, the problem is the massive amounts of work this requires to do across tens of thousands of computers.

Luckily, the quick solution seems to be “reboot the computer about 15 times so the automatic update that fixes the bug probably gets applied before the next crash”, but for systems where that doesn’t work, manual intervention is necessary.

The QR code Windows displays usually brings up a documentation page containing more information. Windows also displays a stop code next to the QR code (something like BOOT_DEVICE_NOT_FOUND, MEMORY_MANAGEMENT, CRITICAL_ACCESS_DENIED) and the failing driver’s name (if available).

If you want to dig into the details, you can run a program like WhoCrashed, or dig into the crash using windbg to analyse the crashdump file on the hard drive.

I hate the “something went wrong” popups individual applications show (though I admit I’ve written those myself to deal with errors that should never ever happen), but bluescreens are usually quite informative if you read beyond the indicator for regular people.

Windows used to dump memory locations of the failing driver and even opcodes, the same way Linux does, but that scared a lot of people because they had no hope of understanding any of it. With KASLR the memory addresses are useless anyway, and it’s not like modern drivers come with debug symbols to show the crashing method name, so Windows started hiding unnecessary details, which I think is a good thing.

The problem with SELinux/nftables/cgroups is that they don’t come with a centralised log aggregator, and they don’t do much blocking beyond the defaults for 99% of deployments. Also, SELinux is a massive pain to set up (even compared to AppArmor), and setting it up correctly is even worse.

CrowdStrike does a lot of what SELinux does but it’s easier to configure, works on every operating system, and comes with tools to roll out configuration across an organisation. There’s nothing close to that in the open source world. Even if you set up something yourself, you’ll need to continuously tweak your setup not to get in the way of employees and to prevent alert fatigue from all of the false positives.

I think a preconfigured solution like Security Onion combined with tons of group policy and Ansible can form an open source alternative, but that only monitors, whereas CrowdStrike also blocks. To block behaviour, you’ll need to write code for most platforms, and that’s just as likely to take down your org as an auto update from CrowdStrike.

Huh, I didn’t catch Carbon Black getting all Broadcom’d to shit. That explains a lot.

I think this is part of the reason Apple is trying real hard to prevent people from loading third party drivers. While that means a lot of hardware simply won’t work on their machines, at least a bug can’t cause a kernel panic.

As long as third party software is allowed to be loaded into the kernel (drivers, HALs, filters) we’ll have bluescreens created by applications. You can go without third party drivers, you just won’t be able to game on your computer, or run any antivirus software that wasn’t made by your OS vendor, or use any USB peripheral more complicated than a keyboard, or use WiFi.

Operating systems are moving as much software out of the low level kernel space as they can. On Windows, the entire GPU driver can crash and the OS will just flash a black screen and recover. Your games and browser probably go down with the driver, but that important Word document you had open in the background will survive.

In this case, there’s no way to implement the features at hand anywhere but deep down at the kernel level. It’s like anticheat, except instead of intercepting cheating software it’s intercepting all software that looks a bit suspicious. There are ways to protect against this (running applications in a virtual machine with a microkernel of their own, for instance) but in practice this won’t work for the type of user Windows mostly serves.

As long as software like CrowdStrike is necessary, we run the risk of this stuff crashing. However, the impact doesn’t need to be this high; the reason everything went to shit is that every company installed this one piece of software onto their critical machines, rather than diversifying and having two different vendors. They probably don’t want twice the management overhead and twice the price, but they could’ve gone with a competitor on half their systems and only have half their services crash.

I got Amazon Prime to work in HD for a short while by running Chrome in Wine. Didn’t get more than 480p on my phone. At some point it broke and I went back to pirating, because that allowed me to get the episodes earlier, at a higher quality, on all of my devices. Setting up a VM will inevitably kill smooth playback, I’m not even going to bother with that.

If their DRM worked and shows would take weeks to leak, I wouldn’t be too bothered by their restrictions, but with every show releasing on torrent sites before they make it to Europe, I’m kind of pissed off at the whole ordeal.

The SkyShowTime people have a subscription with generic ads and a more expensive subscription with ads for their own shows. I can’t even select an ad-free option. I swear to god, it’s like they want people to pirate their shows.

Going in through SSH should be pretty reliable.

I would’ve looked into something like HACS to write a custom integration (even if that integration is just a Python script calling bash), but then again that has tons of moving parts and probably requires publishing your stuff online somewhere.

Or, I suppose, you could put your shell script somewhere in the volume where config is stored, and use the shell integration to launch it. I don’t think that’ll have the permissions you need, though.