From a9ef8f4999841a035de28645e42ba45e08fba06c Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Thu, 18 Dec 2025 08:57:47 -0500 Subject: [PATCH 1/3] feat(container-pull): add unified sensor support for falcon-container image --- .gitignore | 18 +++++++++ .../falcon-container-sensor-pull/README.md | 27 ++++++++++++- .../falcon-container-sensor-pull.sh | 40 ++++++++++++++----- 3 files changed, 75 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 1c25368..e6f7c86 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,21 @@ Vagrantfile # local testing tests/ +.env +# AI Assistants +# Various AI coding assistants create local cache, settings, and conversation history +# These contain user-specific data and should not be committed to version control +.cursorignore +.cursorindexingignore +.claude/ +CLAUDE.md +.anthropic/ +.openai/ +.codeium/ +.tabnine/ +.github-copilot/ +.roo/ +.aider/ +.aider* +.clinerules/ +memory-bank/ diff --git a/bash/containers/falcon-container-sensor-pull/README.md b/bash/containers/falcon-container-sensor-pull/README.md index d155287..913b5e7 100644 --- a/bash/containers/falcon-container-sensor-pull/README.md +++ b/bash/containers/falcon-container-sensor-pull/README.md 
@@ -45,6 +45,31 @@ For additional context and information, please see the [Tech Alert](https://supp > [!IMPORTANT] > **Backward Compatibility**: Existing users of the `falcon-sensor` type will now automatically receive the new unified sensor. If you need to maintain the traditional regional sensor for any reason, simply change `-t falcon-sensor` to `-t falcon-sensor-regional` in your commands. No other changes to your scripts or workflows are required. +## Unified Falcon Container Image Support + +Starting with Falcon Container sensor for Linux version 7.33 and above, CrowdStrike has introduced a new unified Falcon container image that eliminates the need to specify region information when deploying the Falcon container sensor for Linux. + +### Key Changes + +- **Image name**: Changed from `falcon-sensor` to `falcon-container` +- **Registry path**: Removes region-specific directory (e.g., `/us-1/`, `/eu-1/`) +- **Tag format**: Simplified by removing `.container.Release.` suffix + +### Image Format Comparison + +**Unified Format** (Version 7.33+): +``` +registry.crowdstrike.com/falcon-container/release/falcon-container:7.33.0-7201-1 +``` + +**Regional Format** (Version 7.32 and earlier): +``` +registry.crowdstrike.com/falcon-container/us-1/release/falcon-sensor:7.29.0-6801.container.Release.US-1 +``` + +> [!IMPORTANT] +> **Backward Compatibility**: Existing users of the `falcon-container` type will now automatically receive the new unified container image. If you need to maintain the traditional regional container format for any reason, simply change `-t falcon-container` to `-t falcon-container-regional` in your commands. No other changes to your scripts or workflows are required. + ## Security recommendations ### Use cURL version 7.55.0 or later 
@@ -65,7 +90,7 @@ To check your version of cURL, run the following command: `curl --version` > [!IMPORTANT] > The following API scopes are the minimum required to retrieve the images. If you need to perform other operations post-retrieval, please refer to the CrowdStrike documentation to identify any additional scopes that may be required. -- **falcon-sensor | falcon-sensor-regional | falcon-container | falcon-kac | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor** +- **falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor** - `Sensor Download (read)` - `Falcon Images Download (read)` - **kpagent** diff --git a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh index 29c4b2d..8826a84 100755 --- a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh +++ b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh @@ -29,6 +29,7 @@ Optional Flags: Available sensor types: ----------------------- falcon-container + falcon-container-regional falcon-sensor falcon-sensor-regional falcon-kac @@ -444,7 +445,7 @@ detect_container_tool() { display_api_scopes() { local sensor_type=$1 case "${sensor_type}" in - falcon-sensor | falcon-sensor-regional | falcon-container | falcon-kac | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor) + falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor) echo "Sensor Download [read], Falcon Images Download [read]" ;; kpagent) 
@@ -552,11 +553,12 @@ fi # Check if SENSOR_TYPE is set to a valid value case "${SENSOR_TYPE}" in - falcon-container | falcon-sensor | falcon-sensor-regional | falcon-kac | falcon-snapshot | falcon-imageanalyzer | kpagent | fcs | falcon-jobcontroller | falcon-registryassessmentexecutor) ;; + falcon-container | falcon-container-regional | falcon-sensor | falcon-sensor-regional | falcon-kac | falcon-snapshot | falcon-imageanalyzer | kpagent | fcs | falcon-jobcontroller | falcon-registryassessmentexecutor) ;; *) die """ Unrecognized sensor type: ${SENSOR_TYPE} Valid values are: falcon-container + falcon-container-regional falcon-sensor falcon-sensor-regional falcon-kac @@ -573,6 +575,11 @@ if [ "${SENSOR_TYPE}" = "falcon-sensor-regional" ]; then echo "WARNING: Use 'falcon-sensor' for the new unified sensor image as the regional sensor images will eventually be EOL." fi +# Add deprecation warning for falcon-container-regional +if [ "${SENSOR_TYPE}" = "falcon-container-regional" ]; then + echo "WARNING: Use 'falcon-container' for the new unified container image as the regional container images will eventually be EOL." +fi + #Check all mandatory variables set VARIABLES="FALCON_CLIENT_ID FALCON_CLIENT_SECRET" { 
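Review bot: The new deprecation warning for `falcon-container-regional` is written to stdout with a plain `echo`, like the existing `falcon-sensor-regional` warning just above it. If any mode of this script prints a value that callers capture from stdout (not visible in this hunk), the warning text gets mixed into that value, so diagnostics are safer on stderr: `echo "WARNING: Use 'falcon-container' for the new unified container image as the regional container images will eventually be EOL." >&2`. The same applies to the `falcon-kac-regional` warning added in patch 3/3.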
@@ -625,18 +632,25 @@ registry_opts=$( else echo "falcon-sensor/$FALCON_CLOUD" fi + # Handle unified falcon-container format (no region) + elif [ "${SENSOR_TYPE}" = "falcon-container" ]; then + echo "falcon-container" + # Handle falcon-container-regional with traditional regional paths + elif [ "${SENSOR_TYPE}" = "falcon-container-regional" ]; then + if [ "${FALCON_CLOUD}" = "us-gov-1" ]; then + echo "falcon-container/gov1" + elif [ "${FALCON_CLOUD}" = "us-gov-2" ]; then + echo "falcon-container/gov2" + else + echo "falcon-container/$FALCON_CLOUD" + fi # Account for govcloud api mismatch for other sensor types elif [ "${FALCON_CLOUD}" = "us-gov-1" ]; then echo "$SENSOR_TYPE/gov1" elif [ "${FALCON_CLOUD}" = "us-gov-2" ]; then echo "$SENSOR_TYPE/gov2" else - if [ "${SENSOR_TYPE}" = "falcon-container" ] && [ "${BUILD_STAGE}" = "stage" ]; then - falcon_stage_cloud=$(echo "$FALCON_CLOUD" | tr -d '-') - echo "$SENSOR_TYPE/$falcon_stage_cloud" - else - echo "$SENSOR_TYPE/$FALCON_CLOUD" - fi + echo "$SENSOR_TYPE/$FALCON_CLOUD" fi ) @@ -686,7 +700,15 @@ IMAGE_NAME="falcon-sensor" repository_name="$BUILD_STAGE/falcon-sensor" registry_type="container-security" -if [ "${SENSOR_TYPE}" = "falcon-kac" ]; then +if [ "${SENSOR_TYPE}" = "falcon-container" ]; then + # Unified format: use falcon-container image name + IMAGE_NAME="falcon-container" + repository_name="$BUILD_STAGE/falcon-container" +elif [ "${SENSOR_TYPE}" = "falcon-container-regional" ]; then + # Regional format: use falcon-sensor image name (current behavior) + IMAGE_NAME="falcon-sensor" + repository_name="$BUILD_STAGE/falcon-sensor" +elif [ "${SENSOR_TYPE}" = "falcon-kac" ]; then # overrides for KAC IMAGE_NAME="falcon-kac" repository_name="$BUILD_STAGE/falcon-kac" From bce7049f7bb92547b0010827e947201d1321e6ca Mon Sep 17 00:00:00 2001 
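Review bot: The new `falcon-container-regional` branch builds its path as `falcon-container/$FALCON_CLOUD` and has no `BUILD_STAGE` case, whereas the deleted `falcon-container` code stripped the dashes from the cloud name for stage builds (`tr -d '-'`). If stage registries still use the dashless form for regional images, a stage pull with `-t falcon-container-regional` now resolves to a different path than `-t falcon-container` did before this patch. Either keep the mapping in the regional branch, for example `[ "${BUILD_STAGE}" = "stage" ] && FALCON_CLOUD_PATH=$(printf '%s' "$FALCON_CLOUD" | tr -d '-')`, or state in the commit message that regional stage pulls are intentionally dropped. The `if` chain starts above the hunk, so any stage handling elsewhere is not visible here.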
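Review bot: `-t falcon-container` now always selects `IMAGE_NAME="falcon-container"` and the unified repository, with no check on the requested version, while the README text added in this patch says the unified format applies to 7.33 and later. A caller that pins an older version will presumably look for a tag that does not exist in the unified repository; whether that fails cleanly is decided outside this hunk. Consider detecting a pinned version below 7.33 and failing with a message that points to `-t falcon-container-regional`, so automation does not silently change which image reference it resolves. The `falcon-container-regional` branch only re-assigns the defaults set just above it and could be reduced to a comment such as `# falcon-container-regional keeps the default falcon-sensor image name`.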
From: Carlos Matos Date: Thu, 18 Dec 2025 09:11:43 -0500 Subject: [PATCH 2/3] docs: clean up unified section --- .../falcon-container-sensor-pull/README.md | 34 +++---------------- 1 file changed, 5 insertions(+), 29 deletions(-) diff --git a/bash/containers/falcon-container-sensor-pull/README.md b/bash/containers/falcon-container-sensor-pull/README.md index 913b5e7..8c01b94 100644 --- a/bash/containers/falcon-container-sensor-pull/README.md +++ b/bash/containers/falcon-container-sensor-pull/README.md 
@@ -36,39 +36,15 @@ Refer to the [examples](#examples) section for more information on how to use th > [!NOTE] > While we do support copying the multi-arch image to a different registry using Podman, Docker, or Skopeo, we recommend using Skopeo for this purpose. Skopeo is a tool specifically designed for copying container images between registries and supports multi-arch images. -## Unified Falcon Sensor Image Support +## Unified Image Support -Starting with Falcon sensor for Linux version 7.31 and above, CrowdStrike has introduced a new unified Falcon sensor that utilizes a single container image as opposed to the regional based sensors. +CrowdStrike now provides unified images that work across all regions: -For additional context and information, please see the [Tech Alert](https://supportportal.crowdstrike.com/s/article/Tech-Alert-60-day-notice-Unified-installer-image-for-Falcon-sensor-for-Linux). +- **`falcon-sensor`** (unified) - Single sensor image for version 7.31+ +- **`falcon-container`** (unified) - Single container image for version 7.33+ > [!IMPORTANT] -> **Backward Compatibility**: Existing users of the `falcon-sensor` type will now automatically receive the new unified sensor. If you need to maintain the traditional regional sensor for any reason, simply change `-t falcon-sensor` to `-t falcon-sensor-regional` in your commands. No other changes to your scripts or workflows are required. - -## Unified Falcon Container Image Support - -Starting with Falcon Container sensor for Linux version 7.33 and above, CrowdStrike has introduced a new unified Falcon container image that eliminates the need to specify region information when deploying the Falcon container sensor for Linux. 
- -### Key Changes - -- **Image name**: Changed from `falcon-sensor` to `falcon-container` -- **Registry path**: Removes region-specific directory (e.g., `/us-1/`, `/eu-1/`) -- **Tag format**: Simplified by removing `.container.Release.` suffix - -### Image Format Comparison - -**Unified Format** (Version 7.33+): -``` -registry.crowdstrike.com/falcon-container/release/falcon-container:7.33.0-7201-1 -``` - -**Regional Format** (Version 7.32 and earlier): -``` -registry.crowdstrike.com/falcon-container/us-1/release/falcon-sensor:7.29.0-6801.container.Release.US-1 -``` - -> [!IMPORTANT] -> **Backward Compatibility**: Existing users of the `falcon-container` type will now automatically receive the new unified container image. If you need to maintain the traditional regional container format for any reason, simply change `-t falcon-container` to `-t falcon-container-regional` in your commands. No other changes to your scripts or workflows are required. +> **Backward Compatibility**: Existing users automatically receive unified images. For regional images, use `-t falcon-sensor-regional` or `-t falcon-container-regional`. ## Security recommendations From 7cdc43be978d56ce2a8c8d83f57bda476d80b715 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Thu, 18 Dec 2025 12:28:14 -0500 Subject: [PATCH 3/3] feat(container-pull): adds support for unified KAC image --- .../falcon-container-sensor-pull/README.md | 5 ++-- .../falcon-container-sensor-pull.sh | 29 +++++++++++++++++-- 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/bash/containers/falcon-container-sensor-pull/README.md b/bash/containers/falcon-container-sensor-pull/README.md index 8c01b94..af85190 100644 --- a/bash/containers/falcon-container-sensor-pull/README.md +++ b/bash/containers/falcon-container-sensor-pull/README.md 
@@ -42,9 +42,10 @@ CrowdStrike now provides unified images that work across all regions: - **`falcon-sensor`** (unified) - Single sensor image for version 7.31+ - **`falcon-container`** (unified) - Single container image for version 7.33+ +- **`falcon-kac`** (unified) - Single KAC image for version 7.33+ > [!IMPORTANT] -> **Backward Compatibility**: Existing users automatically receive unified images. For regional images, use `-t falcon-sensor-regional` or `-t falcon-container-regional`. +> **Backward Compatibility**: Existing users automatically receive unified images. For regional images, use `-t falcon-sensor-regional`, `-t falcon-container-regional`, or `-t falcon-kac-regional`. ## Security recommendations @@ -66,7 +67,7 @@ To check your version of cURL, run the following command: `curl --version` > [!IMPORTANT] > The following API scopes are the minimum required to retrieve the images. If you need to perform other operations post-retrieval, please refer to the CrowdStrike documentation to identify any additional scopes that may be required. -- **falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor** +- **falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-kac-regional | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor** - `Sensor Download (read)` - `Falcon Images Download (read)` - **kpagent** diff --git a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh index 8826a84..ba05023 100755 --- a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh +++ b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh 
@@ -33,6 +33,7 @@ Optional Flags: falcon-sensor falcon-sensor-regional falcon-kac + falcon-kac-regional falcon-snapshot falcon-imageanalyzer kpagent @@ -445,7 +446,7 @@ detect_container_tool() { display_api_scopes() { local sensor_type=$1 case "${sensor_type}" in - falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor) + falcon-sensor | falcon-sensor-regional | falcon-container | falcon-container-regional | falcon-kac | falcon-kac-regional | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor) echo "Sensor Download [read], Falcon Images Download [read]" ;; kpagent) @@ -553,7 +554,7 @@ fi # Check if SENSOR_TYPE is set to a valid value case "${SENSOR_TYPE}" in - falcon-container | falcon-container-regional | falcon-sensor | falcon-sensor-regional | falcon-kac | falcon-snapshot | falcon-imageanalyzer | kpagent | fcs | falcon-jobcontroller | falcon-registryassessmentexecutor) ;; + falcon-container | falcon-container-regional | falcon-sensor | falcon-sensor-regional | falcon-kac | falcon-kac-regional | falcon-snapshot | falcon-imageanalyzer | kpagent | fcs | falcon-jobcontroller | falcon-registryassessmentexecutor) ;; *) die """ Unrecognized sensor type: ${SENSOR_TYPE} Valid values are: @@ -562,6 +563,7 @@ case "${SENSOR_TYPE}" in falcon-sensor falcon-sensor-regional falcon-kac + falcon-kac-regional falcon-snapshot falcon-imageanalyzer kpagent 
@@ -580,6 +582,11 @@ if [ "${SENSOR_TYPE}" = "falcon-container-regional" ]; then echo "WARNING: Use 'falcon-container' for the new unified container image as the regional container images will eventually be EOL." fi +# Add deprecation warning for falcon-kac-regional +if [ "${SENSOR_TYPE}" = "falcon-kac-regional" ]; then + echo "WARNING: Use 'falcon-kac' for the new unified KAC image as the regional KAC images will eventually be EOL." +fi + #Check all mandatory variables set VARIABLES="FALCON_CLIENT_ID FALCON_CLIENT_SECRET" { @@ -644,6 +651,18 @@ registry_opts=$( else echo "falcon-container/$FALCON_CLOUD" fi + # Handle unified falcon-kac format (no region) + elif [ "${SENSOR_TYPE}" = "falcon-kac" ]; then + echo "falcon-kac" + # Handle falcon-kac-regional with traditional regional paths + elif [ "${SENSOR_TYPE}" = "falcon-kac-regional" ]; then + if [ "${FALCON_CLOUD}" = "us-gov-1" ]; then + echo "falcon-kac/gov1" + elif [ "${FALCON_CLOUD}" = "us-gov-2" ]; then + echo "falcon-kac/gov2" + else + echo "falcon-kac/$FALCON_CLOUD" + fi # Account for govcloud api mismatch for other sensor types elif [ "${FALCON_CLOUD}" = "us-gov-1" ]; then echo "$SENSOR_TYPE/gov1" @@ -709,7 +728,11 @@ elif [ "${SENSOR_TYPE}" = "falcon-container-regional" ]; then IMAGE_NAME="falcon-sensor" repository_name="$BUILD_STAGE/falcon-sensor" elif [ "${SENSOR_TYPE}" = "falcon-kac" ]; then - # overrides for KAC + # Unified format: use falcon-kac image name + IMAGE_NAME="falcon-kac" + repository_name="$BUILD_STAGE/falcon-kac" +elif [ "${SENSOR_TYPE}" = "falcon-kac-regional" ]; then + # Regional format: use falcon-kac image name (same as unified) IMAGE_NAME="falcon-kac" repository_name="$BUILD_STAGE/falcon-kac" elif [ "${SENSOR_TYPE}" = "falcon-snapshot" ]; then
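Review bot: The govcloud mapping (`us-gov-1` to `gov1`, `us-gov-2` to `gov2`) is written out again for `falcon-kac-regional`, alongside the `falcon-container-regional` copy from patch 1/3 and the generic fallback that follows. A mismatch between the copies would send one image type to the wrong registry path. Computing the path segment once and reusing it keeps each branch to a single line. The `if` chain and the `registry_opts=$(` subshell begin outside this hunk, so the sketch shows only the new lines and assumes the mapping can sit before the chain.

```sh
# Map the cloud name to its registry path segment once; govcloud names differ from the API name.
case "${FALCON_CLOUD}" in
    us-gov-1) cloud_path="gov1" ;;
    us-gov-2) cloud_path="gov2" ;;
    *) cloud_path="${FALCON_CLOUD}" ;;
esac
# … unchanged: falcon-sensor, falcon-container and unified falcon-kac branches …
elif [ "${SENSOR_TYPE}" = "falcon-kac-regional" ]; then
    echo "falcon-kac/${cloud_path}"
# … unchanged: generic fallback for other sensor types …
```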