Tell HN: CrowdStrike Falcon users, check for excess KernelModuleArchiveExt files
2 points • by CaliforniaKarl • 8 months ago
Hello!
This is a heads-up for folks who run CrowdStrike Falcon on Linux servers, and particularly on Linux servers that were provisioned some time ago. It's a problem that CrowdStrike does not plan on fixing, and so I wanted to let others know before it causes your machines to hang.
You should have CrowdStrike Falcon installed at path /opt/CrowdStrike/. In that directory, you probably have one file whose name begins with "KernelModuleArchive", and many files whose name begins with "KernelModuleArchiveExt". That's the problem.
CrowdStrike appends a version number to every executable & library file. It does a good job of cleaning up old versions of almost all of its files. Except for KernelModuleArchiveExt.
I first noticed this happening when a virtual machine (with a small /opt partition) filled up /opt, and the system stopped responding. Turns out, /opt/CrowdStrike had filled up with 18 different KernelModuleArchiveExt files.
What is the fix? Well, our CrowdStrike admins opened a ticket with CrowdStrike, and we were told:
* Yes, the KernelModuleArchiveExt files are not being cleaned up automatically. Other files are being cleaned up automatically, but not the KernelModuleArchiveExt files.
* Will CrowdStrike release an update that cleans up the KernelModuleArchiveExt files? No.
* Will you put it on your roadmap to implement in the future? No.
* So, what should we do? If you want to clean them up, do it yourself.
If your site uses CrowdStrike uninstall protection, you cannot clean them up yourself without first getting a "maintenance token" from your CrowdStrike admins. Otherwise, deleting all KernelModuleArchiveExt files and restarting the CrowdStrike Falcon sensor works (it goes out and downloads the KernelModuleArchiveExt that it needs). Personally, though, I don't think we should have to do this.
Since CrowdStrike refuses to fix this, I wanted to let folks know, so you can check your systems. If you discover that this problem also affects you, I encourage you to open your own support ticket with CrowdStrike.
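A read-only audit script for the check the post asks you to run, added here as an example (it is not part of the original post and not CrowdStrike's own tooling). It counts the KernelModuleArchiveExt* files under a Falcon install directory, sums their size, and exits non-zero when more than an allowed number are present, listing them oldest first. It only reports; deleting the files and restarting the sensor is the separate, maintenance-token-gated step the post describes. The default directory /opt/CrowdStrike comes from the post; the function names and the MAX threshold (default 1) are this example's own choices.

```shell
#!/bin/sh
# Added audit example: report KernelModuleArchiveExt buildup under a
# CrowdStrike Falcon install directory. Read-only; it never deletes anything.

# count_kmae_files [DIR]  -> prints how many KernelModuleArchiveExt* files exist
count_kmae_files() {
    dir="${1:-/opt/CrowdStrike}"
    n=0
    for f in "$dir"/KernelModuleArchiveExt*; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# kmae_total_bytes [DIR]  -> prints the combined size of those files in bytes
kmae_total_bytes() {
    dir="${1:-/opt/CrowdStrike}"
    total=0
    for f in "$dir"/KernelModuleArchiveExt*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    printf '%s\n' "$total"
}

# check_kmae_buildup [DIR] [MAX]
# Prints a one-line summary. Returns 0 when at most MAX (default 1) files are
# present, otherwise lists them oldest first and returns 1 so the check can be
# wired into a cron job or a monitoring agent.
check_kmae_buildup() {
    dir="${1:-/opt/CrowdStrike}"
    max="${2:-1}"
    n=$(count_kmae_files "$dir")
    bytes=$(kmae_total_bytes "$dir")
    printf '%s: %s KernelModuleArchiveExt file(s), %s bytes total\n' "$dir" "$n" "$bytes"
    if [ "$n" -gt "$max" ]; then
        # oldest first, so the leftover versions stand out from the current one
        ls -lt -r "$dir"/KernelModuleArchiveExt* 2>/dev/null
        return 1
    fi
    return 0
}

# Stand-alone run against the real install path, only if it exists on this host.
if [ -d /opt/CrowdStrike ]; then
    check_kmae_buildup /opt/CrowdStrike || echo "WARNING: stale KernelModuleArchiveExt files found; open a ticket or clean up with a maintenance token"
fi
```

Run it as root or as a user that can read /opt/CrowdStrike; a non-zero exit means the sensor has left old versions behind and the partition holding /opt is slowly filling, which is exactly the hang the post describes.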