We at MIT CSAIL stopped using crowdstrike partly because they refused to fix this despite us providing a patch to falcon-sensor (which is just a tarred pile of shell scripts).
They need to exclude /afs from their scans; there's several ways to do this (they use "find" internally).

We found them unhelpful and very good at talking to management types and very bad at anything actually technical.

I can't say enough against them...they'll probably call our Office of General Counsel on me for saying anything against them; they've done that before (and put more effort into "unmasking" the pseudonymous jr admin's reddit user account than the actual security issues we were paying them to look at).

-Jon

---
Jonathan Proulx
Sr. Technical Architect
MIT CSAIL

On Fri, Mar 05, 2021 at 09:07:43AM -0500, Jonathan Billings wrote:
:Hello,
:
:Our university uses the Crowdstrike endpoint security tool, and we use
:OpenAFS for both our users' home directory as well as serving software to
:our students, faculty and researchers. Is anyone else using Crowdstrike
:and OpenAFS on Linux (specifically, RHEL7)?
:
:I've discovered that the Crowdstrike service (falcon-sensor) installs a
:linux security module which seems to interact with the OpenAFS kernel
:module in a bad way, causing the kernel to panic and reboot. After
:installing the kdump service, I'm able to capture a kernel dump and
:backtrace, and it is definitely something to do with how OpenAFS and the
:falcon lsm interact. I wasn't able to trigger it with just command-line
:ssh but a graphical login seems to be a reliable trigger. Specifically, it
:seems to be in the cache handling when it panics.
:
:Has anyone else experienced this?
:
:--
:Jonathan Billings <jsbil...@umich.edu> (he/his)
:College of Engineering - CAEN - Linux Support

--
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info