On Mon, Mar 08, 2021 at 10:06:44AM -0500, Ken Hornstein wrote:
:>We at MIT CSAIL stopped using crowdstrike partly because they refused
:>to fix this despite us providing a patch to falcon-sensor (which is
:>just a tarred pile of shell scripts).
:>
:>They need to exclude /afs from their scans; there's several ways to do
:>this (they use "find" internally).
:>
:>We found them unhelpful and very good at talking to management types
:>and very bad at anything actually technical.
:
:For what it's worth ... we ran into this EXACT issue not with crowdstrike,
:but some other similar product (which I want to say was McAfee something
:or other, maybe). The situation was even more comical, because, AGAIN,
:all they had to do was exclude /afs, but ...

The find line in the crowdstrike "tool" already has multiple excludes for other filesystem types, btw. Obviously I can't distribute the "patch", which was one extra flag to an existing find line if I recall.

If you have the Falconsensor it's not hard to unpack and sort out. When we were using it (spring 2019) it wasn't signed in any meaningful way (maybe a sha sum to replace but not crypto, I forget), so it would happily run modified code as root. This was another reason we rejected it, but if you're in a position where you don't have that control and to have licensing to get the tool, it's easily hackable. But none of that is good.

-Jon