crowdstrike.falcon.kernel_support_info module – Get information about kernels supported by the Falcon Sensor for Linux

Note

This module is part of the crowdstrike.falcon collection (version 4.7.0).

To install it, use: ansible-galaxy collection install crowdstrike.falcon. This module has additional requirements; see Requirements for details.

To use it in a playbook, specify: crowdstrike.falcon.kernel_support_info.

New in crowdstrike.falcon 4.1.0

Synopsis

  • Retrieve details about the kernels supported by the Falcon sensor for Linux (kernel mode), matching the specified filter criteria.

  • See the CrowdStrike documentation for more information about available filters.

Requirements

The below requirements are needed on the host that executes this module.

  • Sensor update policies [READ] API scope

  • crowdstrike-falconpy >= 1.3.0

  • python >= 3.6

Parameters

Parameter

Comments

auth

dictionary

The registered result of the crowdstrike.falcon.auth module, or a dictionary containing the access_token and cloud keys.

If provided, the client_id, client_secret, member_cid, and cloud options are ignored.

Useful when needing to make multiple API calls to avoid rate limiting issues.

  access_token (suboption of auth)

  string

  The OAuth2 access token to use for authentication.

  cloud (suboption of auth)

  string

  The CrowdStrike cloud region to use.

  This can differ from the module’s cloud argument due to autodiscovery.

client_id

aliases: falcon_client_id

string

The CrowdStrike API client ID to use.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_ID environment variable can also be used.

client_secret

aliases: falcon_client_secret

string

The CrowdStrike API secret that corresponds to the client ID.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_SECRET environment variable can also be used.

cloud

string

The CrowdStrike cloud region to use.

All clouds are automatically discovered if not specified, except for the us-gov-1 cloud.

The FALCON_CLOUD environment variable can also be used.

Choices:

  • "us-1" ← (default)

  • "us-2"

  • "us-gov-1"

  • "eu-1"

ext_headers

dictionary

Extended headers that are prepended to the default headers dictionary.

filter

string

The filter expression that should be used to limit the results using FQL (Falcon Query Language) syntax.

See the return values or CrowdStrike docs for more information about the available filters that can be used.

member_cid

string

The CrowdStrike member CID for MSSP authentication.

See the Falcon documentation for more information about API clients.

The FALCON_MEMBER_CID environment variable can also be used.

user_agent

string

Custom User-Agent string to use for requests to the API.

The user agent string is prepended to the default user agent string (crowdstrike-ansible/<version>).

See RFC 7231 for more information.

The FALCON_USER_AGENT environment variable can also be used.

Notes

  • This module returns support information only for the kernel mode of the Falcon sensor for Linux. It does not cover user mode.

  • To help with your filters, you can use the kernel and sensor support distinct values API to retrieve a list of distinct values, with proper syntax, for any field. For more info, see Retrieving field values for kernel support filters.

Examples

- name: Show support info for all Ubuntu 20 kernels that have a release starting with 5.8
  crowdstrike.falcon.kernel_support_info:
    filter: "vendor:'ubuntu'+distro:'ubuntu20'+release:*'5.8.*'"

- name: Show support info for kernels with a release of 5.4.0-1040-gcp and an architecture of x86_64
  crowdstrike.falcon.kernel_support_info:
    filter: "release:'5.4.0-1040-gcp'+architecture:'x86_64'"

- name: Show support info using kernel and architecture from ansible_facts
  crowdstrike.falcon.kernel_support_info:
    filter: "release:'{{ ansible_facts['kernel'] }}'+architecture:'{{ ansible_facts['architecture'] }}'"
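
The third example above can serve as a gate before kernel patching. The playbook below is an added example, not part of the collection's documentation; the linux_servers group and the target_kernel and installed_sensor_version variables are assumptions, and credentials are read from FALCON_CLIENT_ID and FALCON_CLIENT_SECRET on the controller.

```yaml
# Added example: fail a host when the deployed sensor build is not listed
# as supporting the kernel it runs (or is about to be upgraded to).
- name: Check Falcon kernel-mode support before patching
  hosts: linux_servers                     # hypothetical inventory group
  gather_facts: true
  vars:
    # Hypothetical variables: override target_kernel with the release you
    # plan to install; set installed_sensor_version per host.
    target_kernel: "{{ ansible_facts['kernel'] }}"
    installed_sensor_version: "X.YY.Z-1101"   # placeholder, same format as the API
  tasks:
    - name: Look up support info for the target kernel
      crowdstrike.falcon.kernel_support_info:
        filter: "release:'{{ target_kernel }}'+architecture:'{{ ansible_facts['architecture'] }}'"
      delegate_to: localhost               # falconpy is only needed on the controller
      register: kernel_support

    - name: Merge the three supported-version lists from every matching record
      ansible.builtin.set_fact:
        supporting_versions: >-
          {{ ((kernel_support.info
                | map(attribute='base_package_supported_sensor_versions', default=[]) | list)
              + (kernel_support.info
                | map(attribute='ztl_supported_sensor_versions', default=[]) | list)
              + (kernel_support.info
                | map(attribute='ztl_module_supported_sensor_versions', default=[]) | list))
             | flatten | unique }}

    - name: Stop if the kernel is unknown or the sensor build is not listed
      ansible.builtin.assert:
        that:
          - kernel_support.info | length > 0
          - installed_sensor_version in supporting_versions
        fail_msg: >-
          Kernel {{ target_kernel }} is not listed as supported by sensor
          {{ installed_sensor_version }}. Listed builds: {{ supporting_versions }}
        success_msg: "Kernel {{ target_kernel }} is supported by the installed sensor."
```

An empty info list means no record matched the filter, so the assert treats an unrecognized kernel the same as an unsupported one.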

Return Values

Common return values are documented here. The following fields are unique to this module:

Key

Description

info

list / elements=dictionary

A list of support information for the kernels that match the filter criteria. The keys listed below are the fields of each element.

Returned: success

architecture

string

The Linux kernel architecture.

Returned: success

Sample: "x86_64"

base_package_supported_sensor_versions

list / elements=string

Sensor versions that support the specified kernel in the base sensor package.

These sensor versions support the kernel when they are installed.

Returned: success

Sample: ["X.YY.Z-1101", "X.YY.Z-1102"]

created_timestamp

string

The timestamp when the kernel support information was created.

Returned: success

Sample: "2021-01-01 00:00:00"

distro

string

The Linux distribution associated with the kernel.

Returned: success

Sample: "ubuntu20"

distro_version

string

The Linux distribution version associated with the kernel.

Returned: success

Sample: "18.x"

flavor

string

The Linux kernel flavor.

Returned: success

Sample: "generic"

id

string

The unique identifier of the kernel support information.

Returned: success

Sample: "8s0t9k3zr2o7h5x1d4g6nqjfywlbepmau"

modified_timestamp

string

The timestamp when the kernel support information was last modified.

Returned: success

Sample: "2021-01-01 00:00:00"

release

string

The Linux kernel release version.

Returned: success

Sample: "5.4.0-1040-gcp"

vendor

string

The Linux vendor associated with the kernel.

Returned: success

Sample: "ubuntu"

version

string

Full Linux OS version identifier.

Returned: success

Sample: "#95-Ubuntu SMP Wed Sep 9 15:51:28 UTC 2020"

ztl_module_supported_sensor_versions

list / elements=string

Sensor versions that added support using the ZTL module support method.

These updates are generated without source modifications to the deployed sensor and enable the sensor to support the new kernel via offset mapping without having to upgrade to a newer sensor version.

Returned: success

Sample: ["X.YY.Z-1101", "X.YY.Z-1102"]

ztl_supported_sensor_versions

list / elements=string

Sensor versions that added support using the Zero Touch Linux (ZTL) support method.

This method adds support for kernels through channel files without requiring a sensor update.

Returned: success

Sample: ["X.YY.Z-1101", "X.YY.Z-1102"]

Authors

  • Carlos Matos (@carlosmmatos)