Yea, and two years ago the Linux Falcon-Sensor was a full-on kernel module (and only worked with very select versions of Debian/RHEL/SLES because CrowdStrike doesn't know how the fuck DKMS works). A similar Linux issue could have been way worse. I really pushed back on Falcon Sensor at one company and the security team was filled with fucking morons.
The newer Falcon-Sensor for Linux uses eBPF, but it still runs as root and is a massive attack vector waiting for a disaster. The only way things get better is if companies stop using it entirely.